Overview
- The researcher Chaotic Eclipse published a public proof-of-concept called GreatXML on Thursday, June 11, 2026, showing a working BitLocker bypass that spawns a SYSTEM shell in the Windows Recovery Environment.
- The exploit abuses configuration files left behind by Microsoft Defender offline scans, together with the way WinRE processes unattend.xml and Recovery/WindowsRE/ReAgent.xml on the recovery partition, to elevate privileges.
- To execute the attack, an attacker needs only the ability to copy two files to the recovery partition, or brief physical access to a device that has ever run a Defender offline scan.
- Microsoft’s security team says it is investigating and building fixes but, at the time of reporting, no specific patch for GreatXML had been released and MSRC called the public dumps irresponsible.
- Defenders should tighten physical controls, enable stronger BitLocker protections such as TPM plus a pre-boot PIN, review WinRE and recovery-partition settings, and watch vendor advisories, because a public PoC raises short-term risk.
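The following audit script is an added example, not part of the original report or of Microsoft's guidance. It shows how a defender can check the two settings the last point calls out: which BitLocker key protectors guard the OS volume (TPM-only versus TPM plus PIN) and whether WinRE is enabled. It assumes an elevated PowerShell session on Windows 10/11 with the built-in BitLocker module, and the WinRE check matches the English-language output of reagentc.exe, so adjust the pattern on localised systems.

```powershell
# Added audit script (not from the original report): summarises the BitLocker
# protectors on the OS volume and the WinRE state so a defender can see whether
# TPM-only unlock is in use and whether the recovery environment is enabled.
# Assumes an elevated session; Get-BitLockerVolume requires administrator rights.

$osDrive = $env:SystemDrive

# --- BitLocker key protectors on the OS volume ---
$vol = Get-BitLockerVolume -MountPoint $osDrive
$protectorTypes = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

Write-Host "Volume $osDrive : status=$($vol.VolumeStatus), protection=$($vol.ProtectionStatus)"
Write-Host "Key protectors : $($protectorTypes -join ', ')"

# A TPM-only protector unlocks the OS volume automatically at boot. The protector
# types below all require something from the user before the volume is unlocked,
# which is the hardening the report recommends.
$preBootTypes = @('TpmPin', 'TpmPinStartupKey', 'TpmStartupKey')
$hasPreBootAuth = @($protectorTypes | Where-Object { $_ -in $preBootTypes })

if ($vol.ProtectionStatus -ne 'On') {
    Write-Warning "BitLocker protection is not On for $osDrive."
} elseif ($hasPreBootAuth.Count -eq 0) {
    # manage-bde -protectors -add <drive> -TPMAndPIN adds a TPM+PIN protector.
    Write-Warning "OS volume relies on TPM-only unlock; consider a pre-boot PIN (manage-bde -protectors -add $osDrive -TPMAndPIN)."
} else {
    Write-Host "Pre-boot authentication protector present: $($hasPreBootAuth -join ', ')"
}

# --- Windows Recovery Environment state ---
# reagentc /info prints the WinRE status and the location of the recovery image
# (the recovery partition the report describes). The status line is matched in
# English; this is an assumption of the example.
$reagent = & reagentc.exe /info 2>&1
$reagent | ForEach-Object { Write-Host "  $_" }
$winreEnabled = [bool]($reagent | Select-String -Pattern 'Windows RE status:\s+Enabled' -Quiet)

if ($winreEnabled) {
    Write-Host "WinRE is enabled; review the recovery-partition settings against current vendor guidance."
} else {
    Write-Host "WinRE is disabled or not configured on this device."
}
```

Run it once per device (or through your endpoint management tooling) and treat a volume that reports protection On with only a Tpm protector, plus WinRE enabled, as the configuration to prioritise when the vendor fix arrives.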