GreatXML Exploit Bypasses Windows BitLocker in Just 4 Hours
Security researcher Chaotic Eclipse, also known as Nightmare-Eclipse and MSNightmare, has publicly disclosed a new Windows BitLocker bypass exploit dubbed GreatXML, marking the researcher's second BitLocker attack disclosure in a single week. According to a post on Blogger, the researcher described the discovery as accidental, noting the entire attack chain took only four hours to develop. The exploit specifically targets systems where Windows Defender Offline Scan has been previously initiated, though Chaotic Eclipse believes the vulnerability can likely be triggered without ever using the offline scan feature.
The GreatXML attack follows a straightforward but effective procedure. An attacker copies an XML file named "unattend.xml" alongside a recovery folder containing a second XML file ("Recovery/WindowsRE/ReAgent.xml") to the root of the system's recovery partition. The system is then rebooted into the Windows Recovery Environment (WinRE) by holding Shift while selecting Restart from the Windows power menu. If executed correctly, this sequence spawns a shell with unrestricted access to the BitLocker-encrypted volume, completely defeating the disk encryption layer that organizations rely on to protect sensitive data at rest. IT teams concerned about similar attack surfaces on their networks can evaluate exposure using a port scanner to identify systems with unnecessary services exposed.
The release follows closely on the heels of RoguePlanet, a zero-day flaw in Microsoft Defender that Chaotic Eclipse disclosed just one day earlier. RoguePlanet enables local privilege escalation (LPE) to SYSTEM-level access, allowing attackers to execute arbitrary code. GreatXML itself follows YellowKey (tracked as CVE-2026-45585), the researcher's first BitLocker bypass, for which Microsoft issued patches this week as part of its June Patch Tuesday updates. Notably, no patch for GreatXML has been announced at the time of disclosure, leaving affected systems exposed. Users are strongly advised to verify their password checker hygiene and ensure device encryption keys are backed up securely while a remediation timeline remains unclear.
For organizations relying on BitLocker to protect corporate endpoints, the GreatXML disclosure underscores the importance of defense-in-depth strategies. Single-layer encryption solutions are increasingly insufficient when researchers can produce working bypasses in a matter of hours. Security teams should monitor for any WinRE-related anomalies, audit systems for unexpected XML files in recovery partitions, and run a comprehensive privacy checkup across their endpoint fleet to identify misconfigurations that could compound the risk of similar bypass techniques.
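The audit the previous paragraph recommends (looking for unexpected XML files on recovery partitions) can be scripted. The following PowerShell script is an added example for defenders and is not code from the article or from the researcher; it assumes it runs elevated on the host being checked, that the recovery partition is a GPT partition of type Recovery, that `Recovery\WindowsRE\ReAgent.xml` is normally present there and should match a known-good copy from your golden image (the `$KnownGoodReAgentHash` value is a placeholder you fill in), and that an `unattend.xml` at the partition root is not expected on your builds.

```powershell
# Added audit example (not from the article): report the two XML files named in
# the GreatXML write-up on every Windows recovery partition of this host.
# Assumptions: run elevated; $KnownGoodReAgentHash is a placeholder for the
# SHA-256 of ReAgent.xml taken from a trusted baseline image.
#Requires -RunAsAdministrator

param(
    [string]$KnownGoodReAgentHash = 'REPLACE_WITH_BASELINE_SHA256'  # placeholder
)

$findings = @()

# GPT recovery partitions carry the Microsoft recovery partition type GUID.
$recoveryPartitions = Get-Partition | Where-Object {
    $_.Type -eq 'Recovery' -or $_.GptType -eq '{de94bba4-06d1-4d40-a16a-bfd50179d6ac}'
}

foreach ($part in $recoveryPartitions) {
    $assignedLetter = $false
    $root = $part.AccessPaths | Where-Object { $_ -match '^[A-Za-z]:\\$' } | Select-Object -First 1
    if (-not $root) {
        # Recovery partitions normally have no drive letter; assign one temporarily.
        Add-PartitionAccessPath -DiskNumber $part.DiskNumber -PartitionNumber $part.PartitionNumber -AssignDriveLetter
        $part = Get-Partition -DiskNumber $part.DiskNumber -PartitionNumber $part.PartitionNumber
        $root = $part.AccessPaths | Where-Object { $_ -match '^[A-Za-z]:\\$' } | Select-Object -First 1
        $assignedLetter = $true
    }

    try {
        foreach ($rel in 'unattend.xml', 'Recovery\WindowsRE\ReAgent.xml') {
            $path = Join-Path $root $rel
            # -Force is needed because files on the recovery partition are hidden/system.
            $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
            if (-not $item) { continue }
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            $reason = switch ($rel) {
                'unattend.xml' { 'unattend.xml present at recovery partition root' }
                default {
                    if ($hash -ne $KnownGoodReAgentHash) { 'ReAgent.xml differs from baseline' } else { $null }
                }
            }
            if ($reason) {
                $findings += [pscustomobject]@{
                    Disk      = $part.DiskNumber
                    Partition = $part.PartitionNumber
                    Path      = $path
                    LastWrite = $item.LastWriteTimeUtc
                    SHA256    = $hash
                    Reason    = $reason
                }
            }
        }
    }
    finally {
        # Undo the temporary drive letter so the partition stays hidden from users.
        if ($assignedLetter) {
            Remove-PartitionAccessPath -DiskNumber $part.DiskNumber -PartitionNumber $part.PartitionNumber -AccessPath $root
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    'No unexpected XML files found on recovery partitions.'
}
```

Run it from an elevated PowerShell session on a sample of endpoints first to establish what your baseline `ReAgent.xml` hash is, then deploy fleet-wide and alert on any row it returns; the `LastWrite` column helps separate a recent drop from a file that has been in place since imaging.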