
New GreatXML Exploit Bypasses Windows BitLocker via Recovery Partition XML Files

The Hacker News Archived Jun 11, 2026 ✓ Full text saved



Ravie Lakshmanan | Jun 11, 2026 | Endpoint Security / Vulnerability

Security researcher Chaotic Eclipse (aka Nightmare-Eclipse and MSNightmare) has released a new Windows BitLocker bypass dubbed GreatXML, a day after they published an exploit for Microsoft Defender.

"This was an accidental discovery, it took a total of 4 hours to find this," the researcher said in a post on Blogger. "If you ever attempted to use Windows Defender Offline Scan, you're automatically vulnerable to a BitLocker bypass. I'm unsure if you can still trigger the bug without ever using the offline scan feature, because you can definitely."

The exploit works as follows -

- Copy an XML file ("unattend.xml") and a recovery folder containing another XML file ("Recovery/WindowsRE/ReAgent.xml") to the root of the recovery partition.
- Reboot to Windows Recovery Environment (WinRE) by holding Shift while clicking Restart in the Windows power menu.

If every step is followed correctly, the result is a shell spawned with unrestricted access to the BitLocker volume.

"If Defender offline scan was never initiated then you have to either login and initiate it yourself or figure out a way to boot into WinRE in offline scan state (I believe it should be very possible to do so without logging in) and follow steps above," Chaotic Eclipse noted.

The release of GreatXML comes not long after RoguePlanet, a zero-day flaw in Microsoft Defender that facilitates local privilege escalation (LPE) to SYSTEM, granting the attacker the ability to run arbitrary code or perform unauthorized actions.

GreatXML is also the second BitLocker bypass released by Chaotic Eclipse after YellowKey (aka CVE-2026-45585), patches for which were released by Microsoft this week as part of Patch Tuesday updates.
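A defender-side check for the two paths the article names, as an added example that is not from the article or the researcher: it audits a recovery partition that has already been mounted read-only at a path you supply. The mount point, the baseline hash and the choice to flag a root-level answer file for review are assumptions; ReAgent.xml is normally present under Recovery/WindowsRE, so only a change from the baseline is reported.

```python
"""Audit a mounted recovery partition for the paths the article names.

Added example; the mount point and baseline hash are operator-supplied.
"""
import hashlib
from pathlib import Path

# Paths the article says are copied to the recovery partition root.
ROOT_ANSWER_FILE = "unattend.xml"
REAGENT_PATH = ("Recovery", "WindowsRE", "ReAgent.xml")


def find_ci(directory, name):
    """Case-insensitive child lookup: NTFS names can differ in case
    when the volume is mounted on a case-sensitive analysis host."""
    if directory is None or not directory.is_dir():
        return None
    for entry in directory.iterdir():
        if entry.name.lower() == name.lower():
            return entry
    return None


def audit_recovery_root(root, reagent_baseline_sha256=None):
    """Return a list of (severity, message) findings for `root`."""
    root = Path(root)
    findings = []

    # An answer file directly at the partition root is flagged for review.
    answer = find_ci(root, ROOT_ANSWER_FILE)
    if answer is not None and answer.is_file():
        findings.append(("review", f"answer file at root: {answer.name}"))

    # Resolve Recovery/WindowsRE/ReAgent.xml one component at a time.
    node = root
    for part in REAGENT_PATH:
        node = find_ci(node, part)
    if node is None or not node.is_file():
        findings.append(("info", "ReAgent.xml not found under Recovery/WindowsRE"))
        return findings

    # Presence alone is expected; compare content against a known-good hash.
    digest = hashlib.sha256(node.read_bytes()).hexdigest()
    if reagent_baseline_sha256 is None:
        findings.append(("info", f"ReAgent.xml sha256={digest} (no baseline)"))
    elif digest != reagent_baseline_sha256.lower():
        findings.append(("review", f"ReAgent.xml differs from baseline: {digest}"))
    return findings
```

Record the ReAgent.xml hash from a known-good build of the same image, then run `audit_recovery_root` against each endpoint's recovery partition and triage any "review" finding.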
SHARE     Tweet Share Share SHARE  BitLocker, cybersecurity, exploit, Microsoft, Microsoft Defender, patch Tuesday, privilege escalation, Vulnerability, Windows, WinRE ⚡ Top Stories This Week Miasma Worm Hits 73 Microsoft GitHub Repositories in Major Supply Chain Attack ⚡ Weekly Recap: Instagram Account Hacks, Android Zero-Day, GitHub Worm and More New ChatGPT Lockdown Mode Limits Tools That Could Enable Data Exfiltration New FROST Attack Lets Websites Track What Sites and Apps You Open via SSD Timing Microsoft Fixes One-Click GitHub Dev Attack That Let Attackers Steal OAuth Tokens Microsoft 365 Android Apps Let Any App Steal Account Tokens via Leftover Debug Flag Unpatched Windows Search URI Vulnerability Lets Attackers Steal NTLMv2 Hashes Autonomous AI Tool Finds 2-Year-Old RCE Flaw in Redis (CVE-2026-23479) Chrome V8 Zero-Day CVE-2026-11645 Exploited in the Wild - Patch Now Cisco Patches CVE-2026-20230 in Unified CM as Exploit Code Goes Public AI Agent Uncovers 21 Zero-Days in FFmpeg; Chrome Patches Record 429 Bugs ThreatsDay Bulletin: AI Agents Gone Wrong, Sketchy C2 Tools, ClickFix Tricks, JS Backdoors + 20 New Stories Free Apps Are Quietly Turning Smart TVs Into Web-Scraping Proxies for AI One-Character Linux Kernel Flaw Enables Local Root Access, Exploits Now Public Claude Code GitHub Action Flaw Let One Malicious Issue Hijack Repositories New HTTP/2 Bomb Vulnerability Allows Remote DoS on NGINX, Apache, IIS, Envoy and Cloudflare Load More ▼ ⭐ Featured Resources Catch 88% of Malware Threats in Under 60 Seconds with Live Sandbox Analysis See How Agentic AI Cuts Your SOC Triage Time in Half [Get a Demo] [Guide] Transform Network Operations with Intelligent Workflows Get the 2026 Guide to Govern and Secure Enterprise AI Agents at Scale
    💬 Team Notes
    Article Info
    Source
    The Hacker News
    Category
    ◇ Industry News & Leadership
    Published
    Jun 11, 2026
    Archived
    Jun 11, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗