GreatXML BitLocker Bypass 0-Day Exploited Via Windows Defender
Attackers can now completely bypass BitLocker drive encryption on Windows systems thanks to a newly disclosed zero-day vulnerability. Dubbed GreatXML, this flaw requires physical access and exploits an obscure, yet common, side effect of Windows Defender Offline Scan. Significantly, it needs no login on a machine that has ever run an Offline Scan; otherwise the attacker must first trigger one.
The exploit was reportedly discovered accidentally during a roughly four-hour research session and has been publicly released as a proof-of-concept (PoC) on multiple repositories.
GreatXML is a BitLocker security feature bypass that exploits the Windows Recovery Environment (WinRE) state triggered by Microsoft Defender’s Offline Scan feature. When a user or an attacker initiates a Windows Defender Offline Scan on a target machine, the system reboots into a special pre-boot recovery environment to perform the scan.
The vulnerability exploits this transition: if unattend.xml and a crafted Recovery directory are placed in the root of the recovery partition, and the machine is rebooted into WinRE, a shell with unrestricted access to the BitLocker-protected volume spawns automatically.
The screenshots released alongside the PoC show an active X:\Windows\System32 administrator shell during the Defender Offline Scan session, with manage-bde -status C: confirming the drive is 100% encrypted using XTS-AES 128 with Protection Status: On, yet the volume is fully accessible and unlocked. The two readings are not contradictory: Protection Status: On means the key protectors are enabled, not that the volume is currently locked, and WinRE unlocking the OS volume with the TPM protector is designed behaviour. The flaw is that an attacker gets to run code inside that already-unlocked environment.

GreatXML BitLocker Bypass 0-Day Exploit
The vulnerability has two distinct exploitation paths depending on whether the victim machine has previously run a Defender Offline Scan:
- Automatic exploitation (no login needed): If the victim ever initiated a Defender Offline Scan, the machine is immediately vulnerable. An attacker with physical access simply copies unattend.xml and the Recovery directory to the recovery partition root, then reboots into WinRE via Shift + Restart.
- Requires attacker-initiated scan: If no prior offline scan was performed, an attacker must either log in and trigger the scan themselves or find a method to boot the machine into WinRE in offline scan state without authentication, which the researcher notes is likely achievable.

This closely mirrors the attack model of the recently patched YellowKey (CVE-2026-45585) BitLocker bypass, which also weaponized WinRE to access encrypted volumes through physical access.
Any Windows system with BitLocker enabled that has ever used or been subjected to a Windows Defender Offline Scan is potentially vulnerable.
The attack works against BitLocker in its default TPM-only key-protector configuration, which presents no PIN barrier at boot: with that protector the TPM releases the volume key to WinRE automatically, so anything executing inside WinRE inherits access to the plaintext data. The page does not say whether configurations that add a pre-boot PIN or startup key are affected. The PoC was demonstrated on Windows 10.0.26100.1 (Windows 11 24H2).
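A defender's first question is whether a given host matches the two preconditions described above: a TPM-only protector on the OS volume, and foreign files in the recovery partition root. The script below is an added example written for this page, not code from the article or from the published PoC. It assumes a Windows 10/11 host with the BitLocker and Storage PowerShell modules, a GPT system disk (the MBR type 0x27 is checked as a fallback), and that a stock recovery partition holds only \Recovery\WindowsRE\ with Winre.wim, ReAgent.xml and boot.sdi; that baseline is an assumption, so anything it flags under \Recovery is a lead to review, not proof of tampering. It changes nothing on the host apart from a drive letter it assigns to the hidden partition for the duration of the check and removes afterwards.

```powershell
# Added example (not from the article or the PoC): audit a host for the
# GreatXML preconditions the write-up names. Run from an elevated prompt.
#Requires -RunAsAdministrator

$findings = New-Object System.Collections.Generic.List[string]

# 1. Key-protector check. The PoC ran against TPM-only protection; a TPM+PIN or
#    TPM+startup-key protector adds a pre-boot secret that WinRE does not hold.
$osVol = Get-BitLockerVolume -MountPoint $env:SystemDrive
$types = @($osVol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
"{0}: {1}, encryption {2}, protection {3}, protectors: {4}" -f `
    $osVol.MountPoint, $osVol.VolumeStatus, $osVol.EncryptionMethod,
    $osVol.ProtectionStatus, ($types -join ', ')
if ($types -contains 'Tpm') {
    $findings.Add("OS volume uses a TPM-only protector (no PIN or startup key at boot)")
}

# 2. WinRE status and location as the servicing tool reports it.
reagentc /info

# 3. Inspect the recovery partition root for the artefacts named in the article.
$reGpt   = '{de94bba4-06d2-4d8d-a2d9-2e0a3b4aa13a}'   # GPT type: Windows Recovery
$reParts = Get-Partition | Where-Object { $_.GptType -eq $reGpt -or $_.MbrType -eq 0x27 }
foreach ($p in $reParts) {
    $assigned = $false
    if ([int]$p.DriveLetter -eq 0) {
        # Hidden partition: give it a letter temporarily so the file system is reachable.
        $p | Add-PartitionAccessPath -AssignDriveLetter
        $p = Get-Partition -DiskNumber $p.DiskNumber -PartitionNumber $p.PartitionNumber
        $assigned = $true
    }
    $root = "$($p.DriveLetter):\"
    try {
        "Recovery partition: disk $($p.DiskNumber) partition $($p.PartitionNumber) at $root"

        # unattend.xml has no business in the recovery partition root.
        $ua = Join-Path $root 'unattend.xml'
        if (Test-Path -LiteralPath $ua) {
            $item = Get-Item -LiteralPath $ua -Force
            $findings.Add("unattend.xml at $ua (modified $($item.LastWriteTime), $($item.Length) bytes)")
        }

        # Assumed stock layout: \Recovery\WindowsRE\{Winre.wim, ReAgent.xml, boot.sdi}.
        # Anything else under \Recovery is reported for manual review.
        $rec = Join-Path $root 'Recovery'
        if (Test-Path -LiteralPath $rec) {
            $expected = 'Winre.wim', 'ReAgent.xml', 'boot.sdi'
            Get-ChildItem -LiteralPath $rec -Recurse -Force -File |
                Where-Object { $_.Name -notin $expected -or $_.Directory.Name -ne 'WindowsRE' } |
                ForEach-Object {
                    $rel = $_.FullName.Substring($root.Length)
                    $findings.Add("Unexpected file under \Recovery: $rel (modified $($_.LastWriteTime))")
                }
        }
    } finally {
        if ($assigned) {
            Remove-PartitionAccessPath -DiskNumber $p.DiskNumber -PartitionNumber $p.PartitionNumber -AccessPath $root
        }
    }
}

if ($findings.Count -gt 0) {
    "`nFINDINGS:"
    $findings | ForEach-Object { " - $_" }
} else {
    "`nNo TPM-only protector and no unexpected files in the recovery partition."
}
```

A TPM-only finding on its own is the default for most BitLocker deployments, so treat it as an exposure statement rather than an indicator of compromise; the unattend.xml and \Recovery findings are the ones that warrant pulling the partition image for forensics before the machine is rebooted again.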
No official patch has been issued for GreatXML at the time of publication. The GreatXML PoC has been published across multiple repositories, including GitHub and independent Git hosting platforms, by the researcher known as NightmareEclipse / MSNightmare.
The public availability of the exploit code significantly lowers the barrier for opportunistic threat actors, particularly those targeting high-value systems in scenarios such as laptop theft, insider threats, or supply chain compromise.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.