Full Report
Security researcher Chaotic Eclipse (aka Nightmare-Eclipse and MSNightmare) has released a new Windows BitLocker bypass dubbed GreatXML, a day after they published an exploit for Microsoft Defender. "This was an accidental discovery, it took a total of 4 hours to find this," the researcher said in a post on Blogger. "If you ever attempted to use Windows Defender Offline Scan, you're
Analysis Summary
Summary of the published research on the "GreatXML" BitLocker bypass, based on the article excerpted above.
# Vulnerability: GreatXML BitLocker Bypass via Recovery Partition
## CVE Details
- **CVE ID:** Not yet assigned (Disclosed as a new finding by researcher Chaotic Eclipse).
- **CVSS Score:** Not assigned. The impact (unrestricted access to the encrypted volume) points toward a High rating, although the physical/local access requirement lowers the Attack Vector metric.
- **CWE:** Provisional mapping by this summary, not assigned by a vendor or CNA: CWE-287 (Improper Authentication) or CWE-641 (Improper Restriction of Names for Files and Other Resources).
## Affected Systems
- **Products:** Microsoft Windows.
- **Versions:** Not explicitly listed; the report implies current Windows 10/11 builds that use BitLocker and keep WinRE enabled.
- **Configurations:** Systems where "Windows Defender Offline Scan" has been initiated or can be triggered.
## Vulnerability Description
The "GreatXML" vulnerability bypasses BitLocker by abusing the Windows Recovery Environment (WinRE). The attacker places two XML files on the recovery partition: an `unattend.xml` in the partition root and a crafted `ReAgent.xml` under `\Recovery\WindowsRE\`. When the system boots into WinRE in the state used by a Defender Offline Scan, WinRE processes these files in a way that spawns a shell with unrestricted access to the BitLocker-protected volume.
## Exploitation
- **Status:** PoC available (Released by researcher "Chaotic Eclipse" via GitHub).
- **Complexity:** Medium (Requires file placement on the recovery partition and specific boot triggers).
- **Attack Vector:** Physical / Local (Requires the ability to modify the recovery partition and reboot the device).
## Impact
- **Confidentiality:** High (Full access to encrypted data on the BitLocker volume).
- **Integrity:** High (Ability to modify system files and data without authorization).
- **Availability:** High (Potential for system disruption or data deletion).
## Remediation
### Patches
- **Status:** No specific patch for GreatXML is mentioned in the article. Microsoft released patches for a separate BitLocker vulnerability (CVE-2026-45585/YellowKey) in June 2026, but GreatXML is described as a newer discovery.
### Workarounds
- **Disable WinRE:** Disabling the Windows Recovery Environment (`reagentc /disable`) removes the environment the exploit runs in, at the cost of Reset this PC, Startup Repair and Defender Offline Scan, which all depend on WinRE. Confirm the result with `reagentc /info`.
- **Restrict Physical Access:** Since the exploit requires manipulating physical partitions or local boot sequences, securing physical access to devices is critical.
- **TPM + PIN:** Configuring BitLocker with a TPM + PIN protector instead of TPM-only means the TPM does not release the volume key at boot until the user enters the PIN, so a pre-boot environment cannot obtain the key without the PIN or the recovery key. This raises the bar for boot-time bypasses in general; the article does not state whether it blocks GreatXML specifically.
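The two posture items above (TPM-only protectors and WinRE being enabled) can be audited from an elevated PowerShell session. The script below is an added example and is not part of the original report or the researcher's PoC. It assumes a Windows 10/11 host with the BitLocker PowerShell module, and its parsing of `reagentc /info` assumes the English-language output strings.

```powershell
#Requires -RunAsAdministrator
# Added audit example (not from the original report): checks whether the OS volume
# relies on a TPM-only protector and whether WinRE is enabled, and where it lives.
# Assumption: English Windows; reagentc prints localized strings on other languages.

# --- BitLocker protector check -------------------------------------------------
$vol   = Get-BitLockerVolume -MountPoint $env:SystemDrive
$types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

# TPM-only: the TPM unseals the volume key at boot with no user secret. TpmPin,
# TpmPinStartupKey and TpmStartupKey all require something the user supplies.
$hasUserSecret = $types | Where-Object { $_ -like 'TpmPin*' -or $_ -eq 'TpmStartupKey' }
$tpmOnly = ($types -contains 'Tpm') -and (-not $hasUserSecret)

# --- WinRE status check --------------------------------------------------------
# reagentc /info prints lines such as "Windows RE status:   Enabled" and
# "Windows RE location:  \\?\GLOBALROOT\device\harddisk0\partition4\Recovery\WindowsRE".
$info     = (reagentc /info 2>&1 | Out-String)
$status   = if ($info -match 'Windows RE status:\s+(\S+)')   { $Matches[1] } else { 'unknown' }
$location = if ($info -match 'Windows RE location:\s+(\S+)') { $Matches[1] } else { 'unknown' }

$report = [pscustomobject]@{
    OsVolume         = $vol.MountPoint
    ProtectionStatus = $vol.ProtectionStatus
    KeyProtectors    = ($types -join ', ')
    TpmOnly          = $tpmOnly
    WinREStatus      = $status
    WinRELocation    = $location
}
$report | Format-List

if ($tpmOnly) {
    Write-Warning 'OS volume uses a TPM-only protector; consider adding a TPM + PIN protector.'
}
if ($status -eq 'Enabled') {
    Write-Warning 'WinRE is enabled; "reagentc /disable" removes it together with Reset, Startup Repair and Defender Offline Scan.'
}
```

To move to TPM + PIN, `Add-BitLockerKeyProtector -MountPoint $env:SystemDrive -TpmAndPinProtector -Pin (Read-Host -AsSecureString)` adds the protector; the policy "Require additional authentication at startup" must permit a PIN, and the old TPM-only protector should then be removed with `Remove-BitLockerKeyProtector` so the volume no longer unlocks without it.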
## Detection
- **Indicators of Compromise:**
- Presence of an `unattend.xml` file in the root of the recovery partition, which a stock recovery partition does not contain.
- Unexpected modification of `\Recovery\WindowsRE\ReAgent.xml` on the recovery partition. This file is normally present on a healthy system, so its presence alone is not an indicator; compare its hash and last-write time against a known-good baseline and review its contents.
- **Detection Methods:** Monitor for unauthorized modifications to the Recovery Partition or the creation of XML files in system-reserved areas.
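The recovery partition has no drive letter by default, so hunting for the indicators above means mounting it temporarily. The script below is an added example and is not the researcher's PoC or part of the original report. It assumes GPT disks (recovery partitions identified by Microsoft's documented recovery partition type GUID), at least one free drive letter, and an optional known-good SHA-256 of `ReAgent.xml` that the operator supplies in `$KnownGoodReAgentHash`; the only change it makes is the temporary drive letter, which it removes again.

```powershell
#Requires -RunAsAdministrator
# Added hunting example, not part of the original report or the researcher's PoC.
# Assumptions: GPT disks, a free drive letter, and a baseline hash of ReAgent.xml
# taken from a trusted image (leave empty to only record the observed hash).
$KnownGoodReAgentHash = ''

# PARTITION_MSFT_RECOVERY_GUID: the GPT type of a Windows recovery partition.
$RecoveryGuid = '{de94bba4-06d1-4d40-a16a-bfd50179d6ac}'

# Choose a free drive letter (Z: downwards) for the temporary mount.
$inUse  = (Get-PSDrive -PSProvider FileSystem).Name
$letter = [char[]](90..68) | Where-Object { $inUse -notcontains [string]$_ } | Select-Object -First 1
if (-not $letter) { throw 'No free drive letter available for the temporary mount.' }
$root = "${letter}:\"

$findings = @()
$recoveryParts = Get-Partition | Where-Object { $_.GptType -eq $RecoveryGuid -or $_.Type -eq 'Recovery' }

foreach ($p in $recoveryParts) {
    Add-PartitionAccessPath -DiskNumber $p.DiskNumber -PartitionNumber $p.PartitionNumber -AccessPath $root
    try {
        # Indicator 1: unattend.xml in the partition root is never part of a stock recovery partition.
        $unattend = Join-Path $root 'unattend.xml'
        if (Test-Path -LiteralPath $unattend) {
            $findings += [pscustomobject]@{ Disk = $p.DiskNumber; Partition = $p.PartitionNumber
                Path = $unattend; Severity = 'High'; Note = 'unexpected unattend.xml in partition root' }
        }

        # Indicator 2: ReAgent.xml normally exists here, so judge it by hash and age, not by presence.
        $reagent = Join-Path $root 'Recovery\WindowsRE\ReAgent.xml'
        if (Test-Path -LiteralPath $reagent) {
            $hash  = (Get-FileHash -LiteralPath $reagent -Algorithm SHA256).Hash
            $mtime = (Get-Item -LiteralPath $reagent -Force).LastWriteTime
            $sev   = if ($KnownGoodReAgentHash -and $hash -ne $KnownGoodReAgentHash) { 'High' } else { 'Info' }
            $findings += [pscustomobject]@{ Disk = $p.DiskNumber; Partition = $p.PartitionNumber
                Path = $reagent; Severity = $sev; Note = "SHA256=$hash LastWrite=$mtime" }
        }

        # Indicator 3: any other XML dropped anywhere on the partition (hidden and system files included).
        Get-ChildItem -LiteralPath $root -Recurse -Force -Filter *.xml -ErrorAction SilentlyContinue |
            Where-Object { $_.FullName -notin @($unattend, $reagent) } |
            ForEach-Object {
                $findings += [pscustomobject]@{ Disk = $p.DiskNumber; Partition = $p.PartitionNumber
                    Path = $_.FullName; Severity = 'Medium'; Note = 'unexpected XML on recovery partition' }
            }
    }
    finally {
        # Always drop the temporary drive letter, even if inspection failed part-way.
        Remove-PartitionAccessPath -DiskNumber $p.DiskNumber -PartitionNumber $p.PartitionNumber -AccessPath $root
    }
}

if ($findings) { $findings | Format-Table -AutoSize } else { 'No recovery partitions or no XML artefacts found.' }
```

Run it periodically or from an EDR script task and ship the output to the SIEM; a `High` row on a machine whose recovery partition should not have changed since imaging is the signal to pull the disk for forensics rather than reboot it, since a reboot into WinRE is exactly what the exploit needs.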
## References
- **Researcher Blog:** hxxps[://]deadeclipse666[.]blogspot[.]com/2026/06/greatxml-bitlocker-that-seems-to-only.html
- **PoC Repository:** hxxps[://]github[.]com/MSNightmare/GreatXML
- **News Source:** hxxps[://]thehackernews[.]com/2026/06/new-greatxml-exploit-bypasses-windows.html