
New GreatXML Exploit Bypasses Windows BitLocker via Recovery Partition XML Files


Security researcher Chaotic Eclipse has disclosed a new Windows BitLocker bypass exploit named GreatXML. While the researcher claims it leverages recovery partition XML files, other experts have raised doubts about its practical feasibility.

Security researcher Chaotic Eclipse (aka Nightmare-Eclipse and MSNightmare) has released a new Windows BitLocker bypass dubbed GreatXML, a day after they published an exploit for Microsoft Defender.

"This was an accidental discovery, it took a total of 4 hours to find this," the researcher said in a post on Blogger. "If you ever attempted to use Windows Defender Offline Scan, you're automatically vulnerable to a BitLocker bypass. I'm unsure if you can still trigger the bug without ever using the offline scan feature, because you can definitely."

The exploit works as follows:

  • Copy an XML file ("unattend.xml") and a recovery folder containing another XML file ("Recovery/WindowsRE/ReAgent.xml") to the root of the recovery partition.
  • Reboot to Windows Recovery Environment (WinRE) by holding Shift while clicking Restart in the Windows power menu.

If every step is followed correctly, the result is a shell spawned with unrestricted access to the BitLocker volume.
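The write-up above names two artifacts on the recovery partition: an unattend.xml at the root and Recovery\WindowsRE\ReAgent.xml. The PowerShell below is an added defensive check, not code from the article, from The Hacker News or from the researcher. It temporarily assigns a drive letter to each partition of type Recovery, records whether those two files are present along with their timestamps and the SHA-256 of ReAgent.xml, and then removes the drive letter again, so an administrator can baseline the partition and alert on changes. It assumes an elevated session on a GPT-partitioned Windows host with the Storage module cmdlets (Get-Partition, Add-PartitionAccessPath, Remove-PartitionAccessPath) available, and it assumes the usual WinRE layout in which ReAgent.xml is normally present, so only unattend.xml at the root is treated as unexpected on its own; the KnownReAgentSha256 baseline parameter is hypothetical.

```powershell
# Added defensive inventory check; not code from the article or the researcher.
# Assumptions (mine): elevated PowerShell, GPT disk, Storage module cmdlets present,
# a free drive letter for the temporary mount, and the typical WinRE layout in which
# Recovery\WindowsRE\ReAgent.xml normally exists on an installed system.

function Get-RecoveryPartitionIndicators {
    [CmdletBinding()]
    param(
        # Hypothetical baseline: a known-good SHA-256 of ReAgent.xml, if you have recorded one.
        [string]$KnownReAgentSha256
    )

    $recovery = Get-Partition | Where-Object { $_.Type -eq 'Recovery' }
    if (-not $recovery) {
        Write-Warning 'No partition of type Recovery found.'
        return
    }

    foreach ($part in $recovery) {
        # Give the hidden partition a drive letter so its file system can be read.
        Add-PartitionAccessPath -DiskNumber $part.DiskNumber -PartitionNumber $part.PartitionNumber -AssignDriveLetter
        $mounted = Get-Partition -DiskNumber $part.DiskNumber -PartitionNumber $part.PartitionNumber
        if ([int]$mounted.DriveLetter -eq 0) {
            Write-Warning "Could not assign a drive letter to disk $($part.DiskNumber) partition $($part.PartitionNumber)."
            continue
        }
        $root = "$($mounted.DriveLetter):\"

        try {
            $unattend = Join-Path $root 'unattend.xml'
            $reagent  = Join-Path $root 'Recovery\WindowsRE\ReAgent.xml'

            $result = [pscustomobject]@{
                Disk                   = $part.DiskNumber
                Partition              = $part.PartitionNumber
                # unattend.xml is not expected at the root of a recovery partition;
                # its presence is the clearest indicator to investigate.
                UnattendPresent        = Test-Path -LiteralPath $unattend
                UnattendModifiedUtc    = $null
                ReAgentPresent         = Test-Path -LiteralPath $reagent
                ReAgentModifiedUtc     = $null
                ReAgentSha256          = $null
                ReAgentMatchesBaseline = $null
            }

            if ($result.UnattendPresent) {
                $result.UnattendModifiedUtc = (Get-Item -LiteralPath $unattend).LastWriteTimeUtc
            }

            # ReAgent.xml is normally present here (assumption: typical WinRE layout), so
            # compare its hash and timestamp to a baseline rather than flagging presence alone.
            if ($result.ReAgentPresent) {
                $item = Get-Item -LiteralPath $reagent
                $result.ReAgentModifiedUtc = $item.LastWriteTimeUtc
                $result.ReAgentSha256      = (Get-FileHash -LiteralPath $reagent -Algorithm SHA256).Hash
                if ($KnownReAgentSha256) {
                    $result.ReAgentMatchesBaseline = ($result.ReAgentSha256 -eq $KnownReAgentSha256.ToUpperInvariant())
                }
            }

            $result
        }
        finally {
            # Always remove the temporary drive letter, even if a read above failed.
            Remove-PartitionAccessPath -DiskNumber $part.DiskNumber -PartitionNumber $part.PartitionNumber -AccessPath $root
        }
    }
}

# Usage (elevated): Get-RecoveryPartitionIndicators | Format-List
# With a recorded baseline: Get-RecoveryPartitionIndicators -KnownReAgentSha256 '<your baseline hash>' | Format-List
```

Run it once on a known-clean build to record the ReAgent.xml hash and timestamps, then schedule it and alert when UnattendPresent becomes true or ReAgentMatchesBaseline becomes false. Machines that have been upgraded in place may carry more than one Recovery partition; the loop reports each one separately.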

"If Defender offline scan was never initiated then you have to either login and initiate it yourself or figure out a way to boot into WinRE in offline scan state (I believe it should be very possible to do so without logging in) and follow steps above," Chaotic Eclipse noted.

In a post on Mastodon, security researcher Will Dormann described the steps to reproduce GreatXML as "flawed," adding that triggering a Microsoft Defender Offline Scan requires a user to be both logged in to Windows and in possession of admin credentials, at which point it's trivial to turn off BitLocker anyway.

"The writeup for GreatXML suggests that the prerequisite is that Windows Defender Offline has been executed at some point in the past," Dormann added. "And that after planting two files in WinRE, all you need to do is [Shift]-reboot into WinRE, and Windows will automatically go into Microsoft Defender Offline scan mode. But this is not the case in any of the 3 lineages of Win11 that I have handy."

The release of GreatXML comes not long after RoguePlanet, a zero-day flaw in Microsoft Defender that facilitates local privilege escalation (LPE) to SYSTEM, granting the attacker the ability to run arbitrary code or perform unauthorized actions.

GreatXML is also the second BitLocker bypass released by Chaotic Eclipse after YellowKey (aka CVE-2026-45585), patches for which were released by Microsoft this week as part of Patch Tuesday updates.

© 2026 Now Let Us. All rights reserved.

Source: The Hacker News
