
GreatXML Exploit: BitLocker Bypass Does Not Work as Promised on Windows 11


At a glance: The GreatXML exploit is supposed to bypass BitLocker encryption on the WinRE partition, but cannot currently be reproduced as described on Windows 11.

A security researcher published an exploit named GreatXML that is intended to bypass BitLocker encryption by exploiting the Windows Recovery Environment (WinRE). However, initial tests by a recognized security expert suggest that the exploit does not function under the documented conditions.

A researcher operating under the pseudonym Nightmare Eclipse published an exploit on Thursday that is claimed to bypass BitLocker on locked devices. The attack is based on copying two XML files (unattend.xml and Recovery/WindowsRE/ReAgent.xml) to the unencrypted WinRE partition and then restarting the system in WinRE mode. Following a successful attack, a shell with unrestricted access to the BitLocker volume is supposed to spawn.

Will Dormann, an experienced security analyst, was unable to reproduce the exploit on three Windows 11 versions. According to his analysis, the attack only functions if a Microsoft Defender offline scan has been previously performed. The problem: such a scan requires both a logged-in user and administrator rights. Anyone who already possesses these access rights can simply disable BitLocker and does not need an exploit.

The concept of a BitLocker bypass only makes practical sense if an attacker wants to gain access to an encrypted drive without user credentials — for example, in the case of a stolen laptop. The requirement to log in first eliminates this advantage.

Nightmare Eclipse subsequently sought methods on social media to trigger a Defender offline scan solely by modifying the ReAgent.xml file. This indicates that he is working on a functioning variant of the exploit. His original blog post as well as his GitHub repository containing earlier zero-day exploits have since been removed — the researcher attributes this to Google and Microsoft respectively, which has attracted criticism from the security community.

Nightmare Eclipse has published a total of eight alleged zero-day exploits in Windows components and justifies his disclosure strategy with personal accusations against Microsoft.


Source: www.csoonline.com · Published June 12, 2026
Lumi AI News — AI-assisted curation pursuant to Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.1.
