Overview
- Researcher Chaotic Eclipse published GreatXML on Thursday as a proof-of-concept that spawns a SYSTEM shell from WinRE by abusing how WinRE processes unattend.xml and ReAgent.xml files.
- The exploit relies on artifacts left behind by Microsoft Defender’s offline scan, so any machine that has ever run an offline scan is reported to be vulnerable with no further code execution needed.
- An attacker needs only brief physical access or any way to write to the recovery partition to copy the two XML files and trigger the bypass by rebooting to Recovery Mode.
- Microsoft had not released a patch for GreatXML at the time of reporting, and MSRC says its teams are working to analyze the issue and protect customers after a string of public zero-day disclosures from the same researcher.
- Defenders can reduce risk by hardening WinRE and BitLocker settings such as requiring a pre-boot PIN, locking boot options, and restricting writes to the recovery partition while awaiting vendor fixes.
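As an added defensive example (not code from the researcher or from Microsoft), this PowerShell audit checks the pre-boot PIN and WinRE parts of the mitigations listed above on the local host; it assumes an elevated session on an English-language Windows 10/11 system with the BitLocker module available.

```powershell
# Added audit example (not part of the GreatXML write-up). Assumes an elevated
# PowerShell session; reagentc output is localized, so the string match below
# assumes an English system.
function Test-PreBootHardening {
    [CmdletBinding()]
    param([string]$MountPoint = $env:SystemDrive)

    $findings = [ordered]@{}

    # 1. Is the OS volume protected, and does unlocking it require a PIN before boot?
    #    A TPM-only protector unlocks the volume unattended, which is what lets a
    #    recovery-mode boot reach the OS volume without the user being present.
    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
    $findings['BitLockerProtection'] = $vol.ProtectionStatus
    $findings['KeyProtectors']       = ($types -join ', ')
    # TpmPin and TpmPinStartupKey both require a PIN at boot.
    $findings['PreBootPinRequired']  = [bool]($types -match '^TpmPin')

    # 2. Does policy enforce the PIN, so a local admin cannot quietly remove it?
    #    UseAdvancedStartup=1 enables the policy; UseTPMPIN=1 means "require".
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $pol = Get-ItemProperty -Path $fve -ErrorAction SilentlyContinue
    $findings['PolicyRequiresTpmPin'] = ($pol.UseAdvancedStartup -eq 1 -and $pol.UseTPMPIN -eq 1)

    # 3. Is WinRE enabled? Hosts that do not need the recovery environment can
    #    disable it (reagentc /disable), removing the boot path the PoC uses.
    $re = (& reagentc.exe /info) -join "`n"
    $findings['WinREEnabled'] = [bool]($re -match 'Windows RE status:\s+Enabled')

    [pscustomobject]$findings
}

Test-PreBootHardening | Format-List
```

Run it as part of an endpoint baseline check; a host showing `PreBootPinRequired: False` with `WinREEnabled: True` is one where the offline-scan artifacts described above would be reachable from a recovery-mode boot.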