A security researcher known under the aliases Chaotic Eclipse, Nightmare-Eclipse and MSNightmare has published on GitHub a public proof-of-concept exploit called GreatXML, demonstrating a method of bypassing Windows BitLocker encryption. The technique relies on manipulating XML configuration files and booting into the Windows Recovery Environment (WinRE) to gain unrestricted access to the encrypted volume. The publication of the PoC means that the technical details of the attack are now available to a broad audience, although at the time of writing there is no independent verification of the method from Microsoft.
Exploitation mechanism
According to the description in the researcher’s blog and the public repository, the GreatXML attack consists of two key stages:
- Placing XML files on the recovery partition: the attacker copies the unattend.xml file and the Recovery/WindowsRE/ReAgent.xml directory structure to the root of the system recovery partition.
- Rebooting into the Windows Recovery Environment: the system is booted into WinRE, for example by holding down the Shift key while clicking "Restart" in the Windows power menu.
According to the researcher, if these steps are performed correctly, a command shell opens with unrestricted access to the volume protected by BitLocker. It is important to emphasize that this claim is based solely on the researcher’s own materials and has not been confirmed by Microsoft or independent experts.
The role of Windows Defender Offline Scan
Chaotic Eclipse’s claim about a link between the vulnerability and the Windows Defender Offline Scan feature deserves separate attention. According to the researcher, systems on which Defender’s offline scan has been run at least once may be particularly susceptible to this bypass method. If an offline scan has never been initiated, the attacker would presumably need either to log into the system and start it manually, or to find a way to boot WinRE in offline scan mode. The researcher notes that in their view the latter is possible even without authentication. However, these assertions come from a single unverified source and should be treated with extreme caution.
Affected products and exploitation status
Based on the available information, the following components are potentially affected:
- Windows BitLocker — full-disk encryption
- Windows Recovery Environment (WinRE) — recovery environment
- Microsoft Defender Offline Scan — offline scanning feature
Exploitation status: public PoC available. There is currently no evidence of active exploitation in real-world attacks. No CVSS score has been published for GreatXML, and no CVE identifier has been assigned.
Context: researcher activity
GreatXML is not Chaotic Eclipse’s first publication related to BitLocker bypass. According to available information, the researcher previously published a bypass method called YellowKey. In addition, shortly before GreatXML, a tool named RoguePlanet was presented, described as a privilege escalation vulnerability in Microsoft Defender. However, no confirmations from authoritative sources are available for either of these tools, so their significance and effectiveness remain in doubt.
Impact assessment
If the GreatXML method indeed works as described, the potential consequences are serious: bypassing BitLocker means access to data on the encrypted disk, completely nullifying the protection offered by full-disk encryption. Those at highest risk include:
- Organizations that rely on BitLocker as the primary mechanism for protecting data on endpoints
- Scenarios involving physical access to the device — stolen or lost laptops
- Environments where the recovery partition is writable by non-privileged users
A significant limitation is that the attack requires the ability to write files to the recovery partition, which in a standard Windows configuration is available only to privileged users. This reduces the practical applicability of the method in remote attacks but does not eliminate the threat in cases of physical access or when combined with other privilege escalation vulnerabilities.
Recommendations for protection
Until Microsoft issues an official position and, potentially, a patch, it is advisable to take the following preventive measures:
- Restrict access to the recovery partition: ensure that the Recovery partition is not mounted and is not writable by regular users. You can check its current state using diskpart or mountvol.
- Monitor the integrity of WinRE files: watch for the appearance of unexpected unattend.xml files and for changes to ReAgent.xml on the recovery partition.
- Restrict booting into WinRE: consider configuring UEFI/BIOS to limit alternative boot options, including setting a firmware password. Note that a firmware password limits booting from external media and changes to the boot order; it does not by itself prevent a user from reaching the on-disk WinRE through Shift+Restart, so it complements rather than replaces the partition access controls above.
- Strengthen physical device security: for critical systems, apply additional layers of protection — TPM with PIN, Secure Boot, and strict physical access control.
- Monitoring: configure alerts for events related to rebooting into WinRE and changes on the recovery partition via your SIEM.
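The checks in the list above, as an added example (this is not code from the GreatXML repository, the researcher, or Microsoft): a PowerShell audit that reports whether any Recovery-type partition is exposed through a drive letter, what reagentc reports about WinRE, whether the OS volume is protected by the TPM alone, and, if you pass it a drive letter you assigned to the recovery partition yourself beforehand (mountvol R: \\?\Volume{...}\ and, afterwards, mountvol R: /D), whether an unattend.xml sits at the partition root and whether Recovery\WindowsRE\ReAgent.xml has changed against a previously recorded hash. The -RecoveryRoot and -BaselinePath parameters and the JSON baseline file are this script's own assumptions, not a Windows convention, and the reagentc parsing assumes English output.

```powershell
# Added example (not code from the GreatXML repository or from Microsoft): audit the
# conditions the write-up depends on and the hardening the recommendations ask for.
# Run from an elevated PowerShell prompt.
# Assumptions, labelled: -RecoveryRoot is a letter you assigned yourself beforehand
# (mountvol R: \\?\Volume{...}\), and the JSON baseline file is this script's own
# convention, not a Windows artifact.
[CmdletBinding()]
param(
    [string]$RecoveryRoot,                                           # e.g. R:\ ; omit to skip file checks
    [string]$BaselinePath = "$env:ProgramData\WinRE-baseline.json"   # assumed location and format
)

# 1. Recovery partitions: is any of them exposed through a drive letter (reachable from Explorer)?
$recovery = @(Get-Partition | Where-Object { $_.Type -eq 'Recovery' })
if ($recovery.Count -eq 0) { Write-Warning 'No partition of type Recovery found' }
foreach ($p in $recovery) {
    $letters = @($p.AccessPaths | Where-Object { $_ -match '^[A-Za-z]:\\$' })
    $state = if ($letters.Count) { "MOUNTED at $($letters -join ', ')" } else { 'not mounted (volume GUID path only)' }
    Write-Output ("Disk {0} partition {1}: Recovery, {2}" -f $p.DiskNumber, $p.PartitionNumber, $state)
}

# 2. What Windows itself reports about WinRE. reagentc output is localized; the
#    regexes below match the English strings.
$info = (& reagentc.exe /info 2>&1) -join "`n"
$reStatus   = if ($info -match 'Windows RE status:\s*(\S+)')  { $Matches[1] } else { 'unknown' }
$reLocation = if ($info -match 'Windows RE location:\s*(.+)') { $Matches[1].Trim() } else { 'unknown' }
Write-Output "WinRE status: $reStatus; location: $reLocation"

# 3. BitLocker protectors on the OS volume: TPM-only means nothing but the TPM stands
#    between someone holding the device and an automatically unlocked volume.
try {
    $blv   = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
    $types = @($blv.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
    Write-Output ("BitLocker on {0}: {1}; protectors: {2}" -f $env:SystemDrive, $blv.ProtectionStatus, ($types -join ', '))
    if ($types -contains 'Tpm' -and -not ($types -contains 'TpmPin' -or $types -contains 'TpmPinStartupKey')) {
        Write-Warning 'OS volume is TPM-only; consider adding a PIN (manage-bde -protectors -add C: -TPMAndPIN)'
    }
} catch { Write-Warning "BitLocker status unavailable: $($_.Exception.Message)" }

# 4. File checks on the recovery partition, if the caller mounted it for us.
if ($RecoveryRoot) {
    $unattend = Join-Path $RecoveryRoot 'unattend.xml'
    $reagent  = Join-Path $RecoveryRoot 'Recovery\WindowsRE\ReAgent.xml'

    if (Test-Path -LiteralPath $unattend) { Write-Warning "unattend.xml present at recovery partition root: $unattend" }
    else { Write-Output 'No unattend.xml at recovery partition root' }

    if (-not (Test-Path -LiteralPath $reagent)) {
        Write-Warning "ReAgent.xml not found at $reagent"
    } else {
        $hash = (Get-FileHash -LiteralPath $reagent -Algorithm SHA256).Hash
        if (Test-Path -LiteralPath $BaselinePath) {
            $baseline = (Get-Content -LiteralPath $BaselinePath -Raw | ConvertFrom-Json).ReAgentSha256
            if ($baseline -eq $hash) { Write-Output 'ReAgent.xml matches recorded baseline' }
            else { Write-Warning "ReAgent.xml CHANGED: baseline $baseline, current $hash" }
        } else {
            # First run on a known-clean machine: record the hash for later comparison
            @{ ReAgentSha256 = $hash; Recorded = (Get-Date).ToString('o') } |
                ConvertTo-Json | Set-Content -LiteralPath $BaselinePath
            Write-Output "Baseline recorded in ${BaselinePath}: $hash"
        }
    }
}
```

Run it once on a freshly provisioned machine to record the baseline, then schedule it (or feed its warnings to your SIEM) so that a drive letter appearing on the recovery partition, an unattend.xml at its root, or a changed ReAgent.xml hash raises an alert; step 3 is independent of the PoC and simply flags the TPM-only configuration the "TPM with PIN" recommendation is meant to replace.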
Response priority is medium: a public PoC is available, but it requires local access and the ability to write to the recovery partition. Organizations for which BitLocker is a key element of data protection should immediately review access rights to the recovery partition and boot settings, and closely monitor for an official response from Microsoft on this issue.