BlueHat IL 2026 - Netanel Ben Simon, Alon Leviev - Attacking and Securing Windows Recovery

In mid-2024, a global IT outage - triggered by a 3rd party vendor driver update - became the largest in history, impacting roughly 8.5 million devices worldwide. In response, Microsoft introduced the Windows Resiliency Initiative (WRI) - a bold vision for a self-healing, secure Windows platform designed to enable rapid recovery and autonomous remediation, ensuring systems can bounce back from failures without user intervention. At the heart of this initiative is the Windows Recovery Environment (WinRE), a foundational component embedded in over a billion devices. Once a simple recovery utility, WinRE is now evolving into the backbone of system resiliency, redefining how Windows safeguards continuity and reliability. Recognizing its growing importance, we conducted an in-depth security review of WinRE - examining its architecture, interactions with other components, prior research, and potential attack surfaces - with the goal of uncovering new vulnerabilities. This review uncovered 11 new CVEs that allow bypassing BitLocker to extract all the BitLocker-encrypted data. Notably, most of the findings were purely logical in nature. In this talk, we will present selected findings from our research, demonstrate how we discovered and exploited new 0-day vulnerabilities, share key lessons learned, and outline our approach to strengthening WinRE’s security. This talk will not only reveal how we uncovered and exploited new vulnerabilities but also serve as a practical guide to WinRE security research - covering its fundamentals, threat model, and essential tools - while sharing lessons learned to inspire the broader security research community to further explore the security of WinRE.