New GreatXML Exploit Bypasses Windows BitLocker via Recovery Partition XML Files
The Hacker News, archived Jun 11, 2026
Ravie Lakshmanan | Jun 11, 2026 | Endpoint Security / Vulnerability
Security researcher Chaotic Eclipse (aka Nightmare-Eclipse and MSNightmare) has released a new Windows BitLocker bypass dubbed GreatXML, a day after they published an exploit for Microsoft Defender.
"This was an accidental discovery, it took a total of 4 hours to find this," the researcher said in a post on Blogger. "If you ever attempted to use Windows Defender Offline Scan, you're automatically vulnerable to a BitLocker bypass. I'm unsure if you can still trigger the bug without ever using the offline scan feature, because you can definitely."
The exploit works as follows:
Copy an XML file ("unattend.xml") and a recovery folder containing another XML file ("Recovery/WindowsRE/ReAgent.xml") to the root of the recovery partition.
Reboot to Windows Recovery Environment (WinRE) by holding Shift while clicking Restart in the Windows power menu.
If every step is followed correctly, the result is a shell spawned with unrestricted access to the BitLocker volume.
"If Defender offline scan was never initiated then you have to either login and initiate it yourself or figure out a way to boot into WinRE in offline scan state (I believe it should be very possible to do so without logging in) and follow steps above," Chaotic Eclipse noted.
The release of GreatXML comes not long after RoguePlanet, a zero-day flaw in Microsoft Defender that facilitates local privilege escalation (LPE) to SYSTEM, granting the attacker the ability to run arbitrary code or perform unauthorized actions.
GreatXML is also the second BitLocker bypass released by Chaotic Eclipse after YellowKey (aka CVE-2026-45585), patches for which were released by Microsoft this week as part of Patch Tuesday updates.