Security experts are raising alarms over a newly unveiled exploit named GreatXML, which effectively bypasses Windows BitLocker’s security features. This discovery, attributed to the researcher known as Chaotic Eclipse, emerged shortly after they disclosed another vulnerability related to Microsoft Defender.
Details of the GreatXML Exploit
The researcher, also identified as Nightmare-Eclipse, reportedly stumbled onto GreatXML by accident within the span of four hours. According to their report, systems on which the Windows Defender Offline Scan has been run are exposed to this BitLocker bypass. Whether the bug can be triggered without the offline scan remains unclear.
The exploit relies on placing specific XML files on the recovery partition. By copying the ‘unattend.xml’ and ‘ReAgent.xml’ files to that partition and rebooting into the Windows Recovery Environment (WinRE) using the Shift + Restart option, a user can obtain shell access to the BitLocker-protected volume.
Expert Opinions and Reactions
Security researcher Will Dormann has expressed skepticism about the exploit’s practicality, pointing out that triggering the Microsoft Defender Offline Scan already requires administrative credentials, which by themselves would be enough to turn BitLocker off. Dormann added that the described method did not match his own observations across several Windows 11 versions.
Criticisms aside, GreatXML was released only shortly after another vulnerability, RoguePlanet, a zero-day flaw in Microsoft Defender that enables local privilege escalation and poses a significant security risk.
Implications and Future Outlook
GreatXML is the second BitLocker bypass released by Chaotic Eclipse, following the YellowKey exploit, tracked as CVE-2026-45585. Microsoft has already patched YellowKey as part of its latest Patch Tuesday updates.
The appearance of such vulnerabilities underscores the need for continuous vigilance and prompt patching. As security measures evolve, both users and organizations must stay informed to mitigate these risks effectively.
