CyberIntel ⬡ News
Industry News & Leadership, Jun 11, 2026

GreatXML BitLocker Bypass 0-Day Exploited Via Windows Defender Offline Scan

Source: Cybersecurity News. Archived Jun 11, 2026.




Cyber Security

GreatXML BitLocker Bypass 0-Day Exploited Via Windows Defender Offline Scan

By Guru Baran, June 11, 2026

A newly disclosed zero-day exploit, dubbed GreatXML, lets an attacker with physical access fully bypass BitLocker drive encryption on Windows systems, with no login required, by abusing a little-known side effect of Windows Defender Offline Scan. The exploit was reportedly discovered by accident during a roughly four-hour research session and has been published as a proof-of-concept (PoC) on multiple repositories.

GreatXML is a BitLocker security feature bypass that exploits the Windows Recovery Environment (WinRE) state entered when Microsoft Defender's Offline Scan runs. When a user or an attacker starts a Defender Offline Scan, the system reboots into WinRE, a pre-boot recovery environment, to perform the scan. The vulnerability lies in this transition: if an unattend.xml file and a crafted Recovery directory are placed in the root of the recovery partition and the machine is rebooted into WinRE, a shell with unrestricted access to the BitLocker-protected volume spawns automatically.

The screenshots released with the PoC show an administrator shell at X:\Windows\System32 during the Defender Offline Scan session. In that shell, manage-bde -status C: reports the drive as 100% encrypted with XTS-AES 128 and Protection Status: On, yet the volume is unlocked and fully accessible.

(Image: GreatXML BitLocker Bypass 0-Day Exploit)

The vulnerability has two exploitation paths, depending on whether the victim machine has previously run a Defender Offline Scan:

Automatic exploitation (no login needed). If the victim has ever initiated a Defender Offline Scan, the machine is immediately vulnerable. An attacker with physical access copies unattend.xml and the Recovery directory to the root of the recovery partition, then reboots into WinRE via Shift + Restart.

Attacker-initiated scan required. If no offline scan has been run before, the attacker must either log in and trigger the scan themselves or find a way to boot the machine into WinRE in the offline-scan state without authentication, which the researcher says is likely achievable.

This closely mirrors the attack model of the recently patched YellowKey (CVE-2026-45585) BitLocker bypass, which also weaponized WinRE to reach encrypted volumes through physical access.

Any Windows system with BitLocker enabled that has ever run, or been subjected to, a Windows Defender Offline Scan is potentially vulnerable. The attack applies to the default TPM-only protector configuration, which presents no PIN barrier at boot; a TPM+PIN configuration requires the PIN before the volume key is released, and the article does not claim the bypass works against it. The PoC was demonstrated on Windows 10.0.26100.1 (Windows 11 24H2). No official patch had been issued for GreatXML at the time of publication.

The GreatXML PoC has been published on multiple repositories, including GitHub and independent Git hosting platforms, by the researcher known as NightmareEclipse / MSNightmare. Public availability of the exploit code lowers the barrier for opportunistic threat actors, particularly those targeting high-value systems in scenarios such as laptop theft, insider threats, or supply chain compromise.

Gurubaran KS is a cybersecurity analyst and journalist with a strong focus on emerging threats and digital defense strategies. He is the Co-Founder and Editor-in-Chief of Cyber Security News (https://cybersecuritynews.com), where he leads editorial coverage on global cybersecurity developments.
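The PowerShell audit below is an added example written for this page; it is not the article's code and not the researcher's PoC. It checks the two conditions the article ties the attack to: a TPM-only BitLocker protector on the OS volume (no PIN barrier at boot) and an unattend.xml placed at the root of the recovery partition. It assumes an elevated session on Windows 10/11 with the BitLocker and Storage modules available, that the recovery partition is the GPT partition Get-Partition reports with Type 'Recovery', and that the function names Get-BitLockerProtectorSummary and Test-RecoveryPartitionForUnattend are this example's own. The commented mitigations at the end are standard BitLocker and WinRE controls, not anything the article prescribes.

```powershell
#Requires -RunAsAdministrator
# Added audit example for the GreatXML write-up (not the article's or the
# researcher's code). Assumptions: Windows 10/11, elevated session, BitLocker
# and Storage PowerShell modules available, recovery partition is the GPT
# partition with Type 'Recovery'. Function names are this example's own.

function Get-BitLockerProtectorSummary {
    param([string]$MountPoint = 'C:')

    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

    [pscustomobject]@{
        MountPoint       = $MountPoint
        VolumeStatus     = $vol.VolumeStatus
        ProtectionStatus = $vol.ProtectionStatus
        EncryptionMethod = $vol.EncryptionMethod
        Protectors       = ($types -join ', ')
        # A 'Tpm' protector (as opposed to 'TpmPin' or 'TpmPinStartupKey')
        # means the TPM releases the volume key at boot with no PIN, which is
        # the configuration the article's PoC was demonstrated against.
        TpmOnly          = ($types -contains 'Tpm')
    }
}

function Test-RecoveryPartitionForUnattend {
    # Give the recovery partition a drive letter only for the duration of the
    # check, look for unattend.xml at its root, then take the letter away again.
    foreach ($p in (Get-Partition | Where-Object { $_.Type -eq 'Recovery' })) {
        $hadLetter = ($p.DriveLetter -match '[A-Za-z]')
        if (-not $hadLetter) {
            $p | Add-PartitionAccessPath -AssignDriveLetter | Out-Null
            $p = Get-Partition -DiskNumber $p.DiskNumber -PartitionNumber $p.PartitionNumber
        }
        $root = "$($p.DriveLetter):\"
        try {
            # The Recovery directory is expected on a healthy system (it holds
            # Recovery\WindowsRE\Winre.wim), so its contents are listed for
            # review rather than reported as a finding on their own.
            $recovery = Get-ChildItem -Force -Recurse -ErrorAction SilentlyContinue (Join-Path $root 'Recovery')
            [pscustomobject]@{
                Disk              = $p.DiskNumber
                Partition         = $p.PartitionNumber
                UnattendXmlAtRoot = Test-Path (Join-Path $root 'unattend.xml')
                RecoveryEntries   = (@($recovery | ForEach-Object { $_.FullName }) -join '; ')
            }
        }
        finally {
            if (-not $hadLetter) {
                Remove-PartitionAccessPath -DiskNumber $p.DiskNumber -PartitionNumber $p.PartitionNumber -AccessPath $root | Out-Null
            }
        }
    }
}

Get-BitLockerProtectorSummary -MountPoint 'C:' | Format-List
Test-RecoveryPartitionForUnattend | Format-List

# Mitigations, left commented because each is a trade-off:
# 1. Require a pre-boot PIN so the TPM does not release the volume key to an
#    unattended WinRE boot. The "Require additional authentication at startup"
#    policy must permit a PIN first, or the cmdlet refuses.
#    Add-BitLockerKeyProtector -MountPoint 'C:' -TpmAndPinProtector -Pin (Read-Host -AsSecureString 'PIN')
# 2. Disable WinRE (reagentc /disable). This removes the WinRE boot path the
#    exploit depends on, but also Startup Repair and, since Defender Offline
#    Scan runs from WinRE, most likely that scan as well. Check with reagentc /info.
```

A TpmOnly value of True together with UnattendXmlAtRoot of True is the combination the article describes as immediately exploitable; an unattend.xml at that location has no legitimate reason to exist on a deployed machine, so treat it as a finding even if the Recovery listing looks normal. The Recovery directory itself is always present, so only entries beyond the expected WindowsRE\Winre.wim and its boot files warrant a closer look.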