GreatXML BitLocker Bypass 0-Day Exploited Via Windows Defender Offline Scan
By Guru Baran
June 11, 2026
A newly disclosed zero-day exploit, dubbed GreatXML, enables attackers with physical access to fully bypass BitLocker drive encryption on Windows systems by leveraging an obscure but common side effect of Windows Defender Offline Scan, no login required, under certain conditions.
The exploit was reportedly discovered accidentally during a roughly four-hour research session and has been publicly released as a proof-of-concept (PoC) on multiple repositories.
GreatXML is a BitLocker security feature bypass that exploits the Windows Recovery Environment (WinRE) state triggered by Microsoft Defender’s Offline Scan feature. When a user or an attacker initiates a Windows Defender Offline Scan on a target machine, the system reboots into a special pre-boot recovery environment to perform the scan.
The vulnerability exploits this transition: if unattend.xml and a crafted Recovery directory are placed in the root of the recovery partition, and the machine is rebooted into WinRE, a shell with unrestricted access to the BitLocker-protected volume spawns automatically.
The screenshots released alongside the PoC show an active X:\Windows\System32 administrator shell during the Defender Offline Scan session, with manage-bde -status C: confirming that the drive is 100% encrypted using XTS-AES 128 and that Protection Status is On, yet the volume is fully accessible and unlocked.
[Image: GreatXML BitLocker Bypass 0-Day Exploit]
The vulnerability has two distinct exploitation paths depending on whether the victim machine has previously run a Defender Offline Scan:
Automatic exploitation (no login needed): If the victim ever initiated a Defender Offline Scan, the machine is immediately vulnerable. An attacker with physical access simply copies unattend.xml and the Recovery directory to the recovery partition root, then reboots into WinRE via Shift + Restart.
Requires attacker-initiated scan: If no prior offline scan was performed, an attacker must either log in and trigger the scan themselves or find a method to boot the machine into WinRE in offline scan state without authentication, which the researcher notes is likely achievable.
This closely mirrors the attack model of the recently patched YellowKey (CVE-2026-45585) BitLocker bypass, which also weaponized WinRE to access encrypted volumes through physical access.
Any Windows system with BitLocker enabled that has ever used or been subjected to a Windows Defender Offline Scan is potentially vulnerable.
The attack works regardless of whether BitLocker is configured with TPM-only key protection, which provides no PIN barrier at boot. The PoC was demonstrated on Windows 10.0.26100.1 (Windows 11 24H2).
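As an added defensive example (not code from the article, and not the researcher's PoC), the PowerShell below turns two details the article gives into a read-only check an administrator can run on a fleet: it looks in the recovery partition root for the files an unattended WinRE boot would act on, and it reports whether each BitLocker volume relies on a TPM-only protector, which leaves no pre-boot PIN barrier. Assumed rather than stated on the page: the recovery partition is identified by the standard Windows RE GPT type GUID or by a partition Type of Recovery, a stock Recovery\WindowsRE folder (holding Winre.wim) is the normal content of that partition and so is not by itself suspicious, and the Storage and BitLocker PowerShell modules are available. The script never writes to the recovery partition.

```powershell
#Requires -RunAsAdministrator
# Added defensive check; not code from the article or from the GreatXML PoC.
# Assumptions (not on the page): recovery partition carries the Windows RE GPT
# type GUID or Type 'Recovery', normally has no drive letter, and the Storage
# and BitLocker modules are present. Recovery\WindowsRE is stock content, so
# only unattend.xml in the root is treated as a direct indicator; other items
# under Recovery\ are reported for review. Read-only: nothing is modified.

function New-Finding([string]$Severity, $Partition, [System.IO.FileSystemInfo]$Item) {
    [pscustomobject]@{
        Severity  = $Severity
        Disk      = $Partition.DiskNumber
        Partition = $Partition.PartitionNumber
        Path      = $Item.FullName.Substring(2)   # strip the temporary drive letter
        LastWrite = $Item.LastWriteTimeUtc
    }
}

function Get-RecoveryPartitionIndicators {
    [CmdletBinding()]
    param([int]$RecentDays = 30)   # window for "recently written" files under Recovery\

    $winReGptType = '{de94bba4-06d1-4d40-a16a-bfd50179d6ac}'
    $cutoff   = (Get-Date).ToUniversalTime().AddDays(-$RecentDays)
    $findings = @()

    $parts = Get-Partition | Where-Object { $_.GptType -eq $winReGptType -or $_.Type -eq 'Recovery' }
    if (-not $parts) { Write-Warning 'No recovery partition found.'; return $findings }

    foreach ($p in $parts) {
        $assigned = $false
        $letter   = [string]$p.DriveLetter
        try {
            if ($letter -notmatch '^[A-Z]$') {
                # Hidden partition: expose it under a temporary letter for inspection.
                Add-PartitionAccessPath -DiskNumber $p.DiskNumber -PartitionNumber $p.PartitionNumber -AssignDriveLetter -ErrorAction Stop
                $letter   = [string](Get-Partition -DiskNumber $p.DiskNumber -PartitionNumber $p.PartitionNumber).DriveLetter
                $assigned = $true
            }
            $root = "${letter}:\"

            # An answer file in the recovery partition root is the indicator the article names.
            $unattend = Join-Path $root 'unattend.xml'
            if (Test-Path -LiteralPath $unattend) {
                $findings += New-Finding 'Indicator' $p (Get-Item -LiteralPath $unattend -Force)
            }

            $recDir = Join-Path $root 'Recovery'
            if (Test-Path -LiteralPath $recDir) {
                # Anything beside the stock WindowsRE folder at the top level is unusual.
                $findings += @(Get-ChildItem -LiteralPath $recDir -Force |
                    Where-Object { $_.Name -ne 'WindowsRE' } |
                    ForEach-Object { New-Finding 'Review' $p $_ })
                # Files written recently anywhere under Recovery\ deserve a look too.
                $findings += @(Get-ChildItem -LiteralPath $recDir -Recurse -File -Force |
                    Where-Object { $_.LastWriteTimeUtc -gt $cutoff } |
                    ForEach-Object { New-Finding 'Review' $p $_ })
            }
        }
        finally {
            if ($assigned) {
                # Always drop the temporary letter so the partition stays hidden.
                Remove-PartitionAccessPath -DiskNumber $p.DiskNumber -PartitionNumber $p.PartitionNumber -AccessPath "${letter}:\" -ErrorAction SilentlyContinue
            }
        }
    }
    return $findings
}

function Get-BitLockerPreBootPosture {
    # TPM-only protection releases the volume key with no user secret at boot;
    # a TpmPin or TpmPinStartupKey protector is what adds a pre-boot barrier.
    foreach ($v in Get-BitLockerVolume) {
        $types = @($v.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        [pscustomobject]@{
            MountPoint       = $v.MountPoint
            ProtectionStatus = $v.ProtectionStatus
            Protectors       = ($types -join ', ')
            PreBootPin       = [bool]($types | Where-Object { $_ -like 'TpmPin*' })
        }
    }
}

# Usage (run elevated): Indicator rows need investigation; Review rows need a
# second look; PreBootPin = False means the volume is TPM-only.
$hits = Get-RecoveryPartitionIndicators
if ($hits) { $hits | Sort-Object Severity | Format-Table -AutoSize }
else       { Write-Host 'Recovery partition root is clean of the named indicators.' }
Get-BitLockerPreBootPosture | Format-Table -AutoSize
```

The temporary drive letter is assigned only for the duration of the scan and removed in the finally block even if enumeration fails, so the partition is left as it was found. Treating Recovery\WindowsRE as expected content keeps the check from flagging every healthy machine; the recent-write window is the knob to widen if an incident timeline is longer than 30 days.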
No official patch has been issued for GreatXML at the time of publication. The GreatXML PoC has been published across multiple repositories, including GitHub and independent Git hosting platforms, by the researcher known as NightmareEclipse / MSNightmare.
The public availability of the exploit code significantly lowers the barrier for opportunistic threat actors, particularly those targeting high-value systems in scenarios such as laptop theft, insider threats, or supply chain compromise.
About the author: Guru Baran (https://cybersecuritynews.com)
Gurubaran KS is a cybersecurity analyst and journalist with a strong focus on emerging threats and digital defense strategies. He is the Co-Founder and Editor-in-Chief of Cyber Security News, where he leads editorial coverage on global cybersecurity developments.