Researcher Discloses GreatXML Exploit That Bypasses BitLocker via Recovery Partition

Summary

A security researcher has released GreatXML, a technique that can circumvent Windows BitLocker encryption by exploiting XML files on the recovery partition, particularly after using Defender Offline Scan.

A security researcher known as Chaotic Eclipse has published a new method, dubbed GreatXML, that can bypass Windows BitLocker encryption. The technique leverages XML files placed on the recovery partition and requires the system to have run a Windows Defender Offline Scan.

The exploit involves copying an "unattend.xml" file and a recovery folder containing "Recovery/WindowsRE/ReAgent.xml" to the root of the recovery partition, then rebooting into the Windows Recovery Environment (WinRE) by holding Shift while selecting Restart. When executed correctly, the process spawns a command shell with unrestricted access to the encrypted volume.

"If you ever attempted to use Windows Defender Offline Scan, you're automatically vulnerable to a BitLocker bypass," the researcher wrote in a blog post. "If Defender offline scan was never initiated then you have to either login and initiate it yourself or figure out a way to boot into WinRE in offline scan state and follow steps above."

GreatXML follows earlier disclosures by the same researcher, including a zero-day flaw in Microsoft Defender that allowed local privilege escalation and a prior BitLocker bypass named YellowKey (CVE-2026-45585), for which Microsoft issued patches in its recent Patch Tuesday updates.
