'GreatXML' Zero-Day Exploit Bypasses BitLocker via Microsoft Defender
A new zero-day exploit named GreatXML abuses Microsoft Defender's offline scan to bypass BitLocker encryption and spawn a SYSTEM shell during Windows Recovery Mode boot.

Security researcher Nightmare Eclipse has released a new Windows BitLocker bypass exploit named GreatXML, only one day after publishing a separate zero-day flaw targeting Microsoft Defender. The GreatXML proof-of-concept (PoC) allows attackers to bypass BitLocker encryption and spawn a command prompt with SYSTEM privileges while in Windows Recovery Mode (WinRE).
The exploit targets a vulnerability in Microsoft Defender's offline scan functionality. According to the researcher, any Windows machine on which an offline scan has been initiated at least once automatically becomes vulnerable. The PoC includes an XML file and a Recovery folder (containing another XML) that must be copied to the root of the computer's recovery partition. The system is then rebooted into Recovery Mode by holding Shift while clicking Restart; once WinRE loads, the exploit yields a shell with unrestricted access to the BitLocker-protected volume.
"If Defender offline scan was never initiated, then you have to either log in and initiate it yourself or figure out a way to boot into WinRE in offline scan state," the researcher noted, suggesting that the attack could potentially be executed without prior authentication in some scenarios.
GreatXML arrives just one day after Nightmare Eclipse released RoguePlanet, a separate zero-day flaw in Microsoft Defender that leads to local privilege escalation (LPE) to SYSTEM. The researcher, also known as Chaotic Eclipse, has been systematically dropping exploits for various Windows zero-day vulnerabilities after expressing discontent with how Microsoft treats researchers participating in its vulnerability disclosure programs.
Microsoft has been scrambling to address a wave of publicly disclosed flaws, including BlueHammer, RedSun, and UnDefend, which have already been exploited in attacks. The company patched GreenPlasma and YellowKey with the June 2026 Patch Tuesday updates. However, GreatXML currently has no assigned CVE identifier and no patch available, leaving BitLocker-protected systems exposed until Microsoft addresses the underlying mechanism.
The GreatXML exploit highlights a novel attack vector against full-disk encryption that relies on abusing recovery-mode functionality rather than traditional cryptographic weaknesses. As organizations increasingly depend on BitLocker to protect data on lost or stolen devices, this technique demonstrates that physical access combined with software logic flaws can still undermine encryption protections. Until Microsoft updates the WinRE or Defender offline scan process, administrators should consider additional physical security controls and monitor for unauthorized access to recovery partitions.
The GreatXML exploit, discovered by researcher Nightmare Eclipse, has been publicly released as a proof-of-concept across multiple repositories, including GitHub and independent Git hosting platforms, significantly lowering the barrier for opportunistic threat actors. The vulnerability exploits the Windows Recovery Environment (WinRE) state triggered by a Windows Defender Offline Scan, allowing an attacker with physical access to place crafted unattend.xml and Recovery directory files on the recovery partition and reboot into WinRE to spawn an administrator shell with full access to the encrypted volume, with no login required if a prior offline scan was performed. The PoC was demonstrated on Windows 11 24H2, and no official patch has been issued at the time of publication.
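Until a patch ships, one practical check for the "monitor recovery partitions" advice above is to sweep the WinRE partition root for the staged files the article describes. The script below is an added defender-side example, not code from the article or the researcher's PoC; the indicator names (unattend.xml, a Recovery folder) come from the article, and everything else, including the use of the Storage and BitLocker cmdlets, is an assumption about how an administrator might perform the check.

```powershell
# Added example: audit the WinRE recovery partition root for unexpected
# unattend.xml / Recovery entries and report BitLocker status for triage.
# Assumes an elevated session with the Storage and BitLocker modules.

# Names the article says the PoC drops on the recovery partition root.
$indicators = @('unattend.xml', 'Recovery')

# Recovery partitions normally carry no drive letter; select them by type.
$recovery = Get-Partition | Where-Object { $_.Type -eq 'Recovery' }
if (-not $recovery) {
    Write-Warning 'No separate recovery partition found; WinRE may live on the OS volume.'
    return
}

foreach ($part in $recovery) {
    # Temporarily expose the partition so its root can be listed.
    $part | Add-PartitionAccessPath -AssignDriveLetter
    $letter = (Get-Partition -DiskNumber $part.DiskNumber `
                             -PartitionNumber $part.PartitionNumber).DriveLetter
    $root = "${letter}:\"
    try {
        $found = Get-ChildItem -Path $root -Force -ErrorAction Stop |
                 Where-Object { $indicators -contains $_.Name }
        if ($found) {
            foreach ($item in $found) {
                Write-Warning ('Unexpected item on recovery partition root: {0} (modified {1})' -f
                               $item.FullName, $item.LastWriteTime)
            }
        } else {
            Write-Output "Recovery partition root on disk $($part.DiskNumber) contains no staged indicators."
        }
    } finally {
        # Always drop the temporary letter so the partition is hidden again.
        Remove-PartitionAccessPath -DiskNumber $part.DiskNumber `
                                   -PartitionNumber $part.PartitionNumber `
                                   -AccessPath $root
    }
}

# Context for triage: protection state of the BitLocker-protected OS volume.
Get-BitLockerVolume -MountPoint $env:SystemDrive |
    Select-Object MountPoint, ProtectionStatus, VolumeStatus, EncryptionMethod
```

A hit is a reason to investigate, not proof of compromise; compare the file timestamps against known maintenance or offline-scan activity on that machine.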