{"id":230194,"date":"2026-06-11T13:43:00","date_gmt":"2026-06-11T17:43:00","guid":{"rendered":"https:\/\/testing.news-you-need.com\/index.php\/2026\/06\/11\/new-greatxml-exploit-bypasses-windows-bitlocker-via-recovery-partition-xml-files\/"},"modified":"2026-06-11T14:35:29","modified_gmt":"2026-06-11T18:35:29","slug":"new-greatxml-exploit-bypasses-windows-bitlocker-via-recovery-partition-xml-files","status":"publish","type":"post","link":"https:\/\/testing.news-you-need.com\/index.php\/2026\/06\/11\/new-greatxml-exploit-bypasses-windows-bitlocker-via-recovery-partition-xml-files\/","title":{"rendered":"New GreatXML Exploit Bypasses Windows BitLocker via Recovery Partition XML Files"},"content":{"rendered":"<p><a href=\"https:\/\/thehackernews.com\/2026\/06\/new-greatxml-exploit-bypasses-windows.html\">New GreatXML Exploit Bypasses Windows BitLocker via Recovery Partition XML Files<\/a><\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/06\/new-greatxml-exploit-bypasses-windows.html\">https:\/\/thehackernews.com\/2026\/06\/new-greatxml-exploit-bypasses-windows.html<\/a><\/p>\n<p>Publish Date: 2026-06-11 13:43:00<\/p>\n<p>Source Domain: <a href=\"thehackernews.com\">thehackernews.com<\/a><\/p>\n<p>Ravie Lakshmanan | Jun 11, 2026 | Endpoint Security \/ Vulnerability<br \/>\nSecurity researcher Chaotic Eclipse (aka Nightmare-Eclipse and MSNightmare) has released a new Windows BitLocker bypass dubbed GreatXML, a day after they published an exploit for Microsoft Defender.<\/p>\n<p>&#8220;This was an accidental discovery, it took a total of 4 hours to find this,&#8221; the researcher said in a post on Blogger. &#8220;If you ever attempted to use Windows Defender Offline Scan, you&#8217;re automatically vulnerable to a BitLocker bypass. 
I&#8217;m unsure if you can still trigger the bug without ever using the offline scan feature, because you can definitely.&#8221;<\/p>\n<p>The exploit works as follows &#8211;<\/p>\n<p>  Copy an XML file (&#8220;unattend.xml&#8221;) and a recovery folder containing another XML file (&#8220;Recovery\/WindowsRE\/ReAgent.xml&#8221;) to the root of the recovery partition.<br \/>\n  Reboot to Windows Recovery Environment (WinRE) by holding Shift while clicking Restart in the Windows power menu.<\/p>\n<p>If every step is followed correctly, the result is a shell spawned with unrestricted access to the BitLocker volume.<\/p>\n<p>&#8220;If Defender offline scan was never initiated then you have to either login and initiate it yourself or figure out a way to boot into WinRE in offline scan state (I believe it should be very possible to do so without logging in) and follow steps above,&#8221; Chaotic Eclipse noted.<\/p>\n<p>The release of GreatXML comes not long after RoguePlanet, a zero-day flaw in Microsoft Defender that facilitates local privilege escalation (LPE) to SYSTEM, granting the attacker the ability to run arbitrary code or perform unauthorized actions.<\/p>\n<p>GreatXML is also the second BitLocker bypass released by Chaotic Eclipse after YellowKey (aka CVE-2026-45585), patches for which were released by Microsoft this week as part of Patch Tuesday updates.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>New GreatXML Exploit Bypasses Windows BitLocker via Recovery Partition XML Files https:\/\/thehackernews.com\/2026\/06\/new-greatxml-exploit-bypasses-windows.html Publish Date: 
2026-06-11&#8230;<\/p>\n","protected":false},"author":1,"featured_media":230195,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhqKyNLbT9WYm7m6ZsvIgv0mNbGJCrgEjUUXLbRZV9mmQUVi7jT9IiwlXh2kYKiMOrsCnJ-ZaoAK9GnL9jy6RHJELISIGFuLSZgsSYuclWFcPmItYL04pTVeA7cl_jy8L6RU4CVPypa6u24OH8hCwPL1g1tEVRczTV1YjZ5KUFGZc6DVw8Pdo_CFGXRTS-d\/s1600\/windows-bitlocker.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[31,27],"class_list":["post-230194","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-exploit","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/230194"}],"collection":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=230194"}],"version-history":[{"count":1,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/230194\/revisions"}],"predecessor-version":[{"id":230196,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/230194\/revisions\/230196"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/230195"}],"wp:attachment":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=230194"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=230194"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/t
esting.news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=230194"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}