GreatXML Exploit Bypasses BitLocker via Microsoft Defender's Offline Scan
A newly disclosed exploit named GreatXML allows an attacker to bypass Windows BitLocker encryption by abusing a flaw in Microsoft Defender's offline scan feature. The attack yields SYSTEM privileges inside the Windows Recovery Environment, and the disclosure states that any Windows machine on which a Defender offline scan has been run at least once is exposed. Until Microsoft ships a fix, the recommended interim step is to stop using the offline scan feature.
Summary
A security researcher known as Nightmare Eclipse has disclosed a critical exploit named GreatXML that bypasses BitLocker encryption on Windows systems by exploiting a vulnerability in Microsoft Defender's offline scan functionality. This exploit, which grants SYSTEM privileges when executed from Recovery Mode, affects any system where an offline scan was initiated at least once. The discovery follows closely on the heels of another zero-day flaw targeting Microsoft Defender, highlighting ongoing vulnerabilities within Microsoft's security products.
What Happened
GreatXML is a proof-of-concept (PoC) exploit that bypasses BitLocker and gives the attacker unrestricted access to a protected volume by abusing a flaw in Microsoft Defender's offline scan functionality. The attacker copies specific files to the recovery partition of a Windows machine and reboots into the Windows Recovery Environment (WinRE). With the planted files in place, WinRE hands the attacker a SYSTEM-level session from which the BitLocker-protected volume is accessible, which is what nullifies the protection BitLocker is supposed to provide.
How the Attack Works
The precondition is that a Microsoft Defender offline scan has been run on the target at some point; according to the disclosure, that alone leaves the system in the exploitable state. The attacker then copies two items, an XML file and a Recovery folder, to the root of the computer's recovery partition and reboots into WinRE by holding Shift while clicking Restart. Once WinRE comes up, the attacker has SYSTEM-level access.
Technical Details
The published PoC consists of an unattend.xml file and a Recovery directory that are copied to the recovery partition. The system is then rebooted into the Windows Recovery Environment (WinRE) with Shift + Restart. If the steps are carried out correctly, the result is unrestricted access to the BitLocker-protected volume from the recovery environment.
Affected Products
Any Windows machine on which a Microsoft Defender offline scan has been initiated at any point is potentially affected. For organizations that rely on BitLocker to protect data at rest, this is a direct threat to that control.
Exploitation Status
GreatXML has been publicly disclosed with a working proof of concept, so exploitation requires no further research. The write-up does not report in-the-wild use. The exploit was released just one day after a separate zero-day in Microsoft Defender from the same researcher.
Indicators of Compromise
The artifacts the disclosure names are the things to look for: an unattend.xml file at the root of the recovery partition, and a Recovery folder dropped there by the attacker. Note that the recovery partition legitimately contains a \Recovery\WindowsRE folder that holds the WinRE image, so the folder's mere presence is not an indicator; its contents and modification times are. Behavioural signals include a Defender offline scan launched on a host where nobody requested one, and an unexpected reboot into WinRE followed by access to the BitLocker-protected volume.
Detection Opportunities
Detection rests on the two artifacts above: periodically mount the recovery partition (it normally carries no drive letter) and check for an unattend.xml at its root and for recent changes under Recovery\. Pair that with monitoring of who launches Microsoft Defender offline scans, since the disclosure ties exposure to that action, and with alerting on unplanned reboots into WinRE. On the mitigation side, not using the offline scan feature until a patch is available keeps systems out of the exploitable state in the first place.
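The following PowerShell audit is an added example written for this page; it is not code from the GreatXML disclosure or its PoC. It assumes a GPT disk whose WinRE lives on a partition of type Recovery, that the artifacts of interest are the ones the write-up names (an unattend.xml at the partition root and a Recovery folder), and that an empty folder on the system drive can be used as a temporary mount path. The folder name RecoveryAudit is an arbitrary choice. It also reports the BitLocker protector types for each volume, because an OS volume whose only protector is the TPM unlocks with no user interaction at boot. Run it from an elevated session.

```powershell
#Requires -RunAsAdministrator
# Added audit example (not from the GreatXML disclosure or PoC).
# Assumptions: GPT layout with a 'Recovery'-type partition hosting WinRE;
# artifacts to look for are those the write-up names (unattend.xml at the
# partition root, a Recovery folder). $MountPoint is an arbitrary empty folder.

$MountPoint = Join-Path $env:SystemDrive 'RecoveryAudit'
$Findings   = [System.Collections.Generic.List[object]]::new()

function Add-Finding([string]$Check, [string]$Detail, [bool]$Flag) {
    $Findings.Add([pscustomobject]@{ Check = $Check; Detail = $Detail; Flag = $Flag })
}

# 1. BitLocker posture: record the protector types per volume and flag OS
#    volumes that rely on the TPM alone (no PIN or startup key at pre-boot).
foreach ($vol in Get-BitLockerVolume) {
    $types   = @($vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
    $tpmOnly = ($vol.VolumeType -eq 'OperatingSystem') -and
               ($vol.ProtectionStatus -eq 'On') -and
               ($types -contains 'Tpm')
    Add-Finding "BitLocker $($vol.MountPoint)" `
                "Protection=$($vol.ProtectionStatus); Protectors=$($types -join ',')" `
                $tpmOnly
}

# 2. Recovery partition contents. The partition has no drive letter, so it is
#    mounted on an empty NTFS folder for the duration of the check and then
#    unmounted again in the finally block.
$recovery = @(Get-Partition | Where-Object { $_.Type -eq 'Recovery' })
if ($recovery.Count -eq 0) { Add-Finding 'Recovery partition' 'none found' $false }

foreach ($part in $recovery) {
    $label = "Disk $($part.DiskNumber) partition $($part.PartitionNumber)"
    New-Item -ItemType Directory -Path $MountPoint -Force | Out-Null
    Add-PartitionAccessPath -DiskNumber $part.DiskNumber `
                            -PartitionNumber $part.PartitionNumber `
                            -AccessPath $MountPoint
    try {
        # unattend.xml at the root is the distinctive artifact named in the write-up.
        $unattend = Join-Path $MountPoint 'unattend.xml'
        $present  = Test-Path -LiteralPath $unattend
        Add-Finding "$label unattend.xml" "present=$present" $present

        # \Recovery\WindowsRE is the normal WinRE location, so the folder itself
        # is expected. Report the newest file under it so an analyst can compare
        # the timestamp with the last WinRE servicing date rather than treat the
        # folder's existence as an indicator.
        $rec = Join-Path $MountPoint 'Recovery'
        if (Test-Path -LiteralPath $rec) {
            $newest = Get-ChildItem -LiteralPath $rec -Recurse -Force -File |
                      Sort-Object LastWriteTime -Descending | Select-Object -First 1
            if ($newest) {
                Add-Finding "$label Recovery\ newest file" `
                            "$($newest.FullName) @ $($newest.LastWriteTime)" $false
            } else {
                Add-Finding "$label Recovery\" 'folder present but empty' $false
            }
        } else {
            Add-Finding "$label Recovery\" 'folder absent' $false
        }
    } finally {
        Remove-PartitionAccessPath -DiskNumber $part.DiskNumber `
                                   -PartitionNumber $part.PartitionNumber `
                                   -AccessPath $MountPoint
        Remove-Item -LiteralPath $MountPoint -Force
    }
}

$Findings | Format-Table -AutoSize
```

Any row with Flag set to True deserves a closer look: a flagged unattend.xml row means the file is sitting where the disclosure says the PoC places it, and a flagged BitLocker row means the OS volume will unlock without a user at the keyboard. The script only reads the recovery partition; it does not remove anything, so a positive hit can be preserved for forensic review before remediation.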
Timeline
- Recent Disclosure: Nightmare Eclipse released GreatXML shortly after disclosing another zero-day flaw in Microsoft Defender.
- Patch Status: As of now, no official patch has been released for this vulnerability.
Why This Matters for Defenders
GreatXML is a reminder that security software runs with high privilege and that flaws in it cut directly into controls that other defences assume are sound. An exploit that turns a routine Defender feature into a BitLocker bypass undermines the data-at-rest guarantee that encryption is deployed to provide, which is why the interim measures and monitoring of recovery-environment activity described here matter now rather than after a patch.
What Remains Unclear
While the exploit steps are public, it is unclear how widely GreatXML is being used. The disclosure also does not spell out what access the attacker needs beforehand: as described, the steps require writing to the recovery partition, which normally has no drive letter and needs administrative rights to mount, and rebooting the machine interactively, so the practical threat model (an already-privileged local user or someone with hands on the device) is left to the reader to infer. Finally, the timeline for an official patch from Microsoft is not yet confirmed.
Defender Guidance
- Stop Using Offline Scans: Temporarily avoid Microsoft Defender's offline scan feature until a security update is available, since the disclosure ties exposure to having run one.
- Audit the Recovery Partition: Check for an unattend.xml at the root of the recovery partition and for unexpected changes under its Recovery folder, and keep an eye on who launches offline scans and on unplanned reboots into WinRE.
- Review Pre-Boot Authentication: The write-up does not discuss it, but BitLocker OS volumes protected by the TPM alone unlock with no user interaction at boot; requiring a TPM plus PIN protector is the standard pre-boot hardening to review alongside any recovery-environment bypass.
- Stay Informed: Watch for Microsoft's response and apply the update as soon as it is released.
A working proof-of-concept is published at https://github.com/MSNightmare/GreatXML.
