Security researcher Chaotic Eclipse (aka Nightmare-Eclipse and MSNightmare) has released a new Windows BitLocker bypass dubbed GreatXML, a day after they published an exploit for Microsoft Defender.
“This was an accidental discovery, it took a total of 4 hours to find this,” the researcher said in a post on Blogger. “If you ever attempted to use Windows Defender Offline Scan, you’re automatically vulnerable to a BitLocker bypass. I’m unsure if you can still trigger the bug without ever using the offline scan feature, because you can definitely.”
The exploit works as follows –
- Copy an XML file (“unattend.xml”) and a recovery folder containing another XML file (“Recovery/WindowsRE/ReAgent.xml) to the root of the recovery partition.
- Reboot to Windows Recovery Environment (WinRE) by holding Shift while clicking Restart in the Windows power menu.
If every step is followed correctly, the result is a shell spawned with unrestricted access to the BitLocker volume.
“If Defender offline scan was never initiated then you have to either login and initiate it yourself or figure out a way to boot into WinRE in offline scan state (I believe it should be very possible to do so without logging in) and follow steps above,” Chaotic Eclipse noted.
The release of GreatXML comes not long after RoguePlanet, a zero-day flaw in Microsoft Defender that facilitates local privilege escalation (LPE) to SYSTEM, granting the attacker the ability to run arbitrary code or perform unauthorized actions.
GreatXML is also the second BitLocker bypass released by Chaotic Eclipse after YellowKey (aka CVE-2026-45585), patches for which were released by Microsoft this week as part of Patch Tuesday updates.
