MediumPublic exploit

Integrity validation bypass in CPSD CryptoPro Secure Disk pre-boot Linux environment

IdentifiersCVE-2025-10010CWE-353· Missing Support for Integrity Check

CVE-2025-10010 affects CPSD CryptoPro Secure Disk for BitLocker, which uses a small Linux-based pre-boot authentication (PBA) environment on a separate unencrypted partition before invoking BitLocker to decrypt the Windows partition. Multiple integrity checks are performed at boot, including Linux Integrity Measurement Architecture (IMA), but certain configuration files are not validated by IMA and may not be covered by other integrity controls. As a result, an attacker with access to the disk can modify unvalidated configuration files in the PBA environment and cause arbitrary code execution as root during boot. SEC Consult reported a proof of concept using DHCP-related hook scripting such as /etc/dhcpcd.enter-hook to obtain a reverse shell with root privileges after restart. Because the vulnerable environment runs before or during access to the protected Windows volume, the issue can be used to implant a backdoor and access data during execution.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows arbitrary code execution as root in the CryptoPro Secure Disk pre-boot Linux environment. This enables persistent tampering of the PBA environment, including planting backdoors, intercepting or manipulating pre-boot operations, and accessing data during execution in the phase where the product is used to unlock the BitLocker-protected Windows partition. Given the pre-boot position of the vulnerable component, compromise undermines the trust boundary intended to protect disk decryption and can facilitate unauthorized access to protected data.

Mitigation

If you can’t patch tonight, do this now.

As a workaround, enable encryption of the PBA Linux partition so an attacker cannot trivially modify files offline; the advisory notes this is available since version 7.6.0 via the client setting "PBA Linux Partition verschlüsseln" and is enabled by default starting with version 7.7. Additionally, restrict physical access to endpoints and storage media, prevent booting from external media where possible, and use platform controls such as UEFI Secure Boot, firmware passwords, and disabled removable boot options to reduce opportunities for offline partition tampering.

Remediation

Patch, then assume compromise.

Upgrade to a fixed version provided by the vendor. The advisory states the issue is fixed in CPSD CryptoPro Secure Disk for BitLocker versions 7.6.6 and 7.7.1. The remediation should ensure that configuration files in the PBA environment are covered by integrity verification or equivalent cryptographic validation. After patching, affected systems should be reviewed for offline tampering and re-provisioned or rebuilt as needed to remove any implanted backdoors from the pre-boot partition.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

CpsdCryptopro Secure Diskapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

4 SOURCESView more in app

the hacker newsNews

Mar 2, 2026

⚡ Weekly Recap: SD-WAN 0-Day, Critical CVEs, Telegram Probe, Smart TV Proxy SDK and More

Unknown (listed as a trending CVE affecting CryptoPro Secure Disk for BitLocker).

the hacker newsNews

Mar 2, 2026

⚡ Weekly Recap: SD-WAN 0-Day, Critical CVEs, Telegram Probe, Smart TV Proxy SDK and More

Unknown (listed as a trending CVE affecting CryptoPro Secure Disk for BitLocker; no technical details provided in the content).

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity2

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2025-10010

NVD

nvd.nist.gov/vuln/detail/CVE-2025-10010

MITRE CWE · CWE-353

Missing Support for Integrity Check

Third Party Advisory

r.sec-consult.com/cpsd

seclists.org

seclists.org/fulldisclosure/2026/Mar/0