"GreatXML": unpatched BitLocker bypass via crafted XML on the recovery partition — PoC public, practical severity contested

The researcher operating as Nightmare Eclipse (also tracked as Chaotic Eclipse) published GreatXML on 11 June — a working proof-of-concept that bypasses BitLocker full-volume encryption and spawns a SYSTEM command prompt inside the Windows Recovery Environment (WinRE), with no CVE assigned and no Microsoft patch available (SecurityWeek, 2026-06-11). The technique places a crafted unattend.xml at the root of the recovery partition plus a second malformed XML under Recovery/, then reboots into WinRE; the Microsoft Defender Offline scan path processes the attacker-controlled XML while the volume is unlocked. Per the researcher, "any Windows machine becomes vulnerable to GreatXML as soon as Defender's offline scanning is initiated" — i.e. the bypass arms itself once an offline scan has ever run on the host (SecurityWeek, 2026-06-11). Independent researcher Will Dormann disputes the practical severity, noting that triggering the prerequisite Defender Offline scan requires an existing Windows logon with admin credentials — an attacker in that position could already disable BitLocker outright (The Register, 2026-06-11). NCSC-CH is tracking the disclosure as part of the same researcher's zero-day series (BlueHammer, RedSun, UnDefend, YellowKey, GreenPlasma, RoguePlanet — RoguePlanet covered 2026-06-11) (NCSC-CH CSH, 2026-06-11). Maps to T1542.001 (Pre-OS Boot) territory: code execution from the recovery path while the BitLocker-protected volume is mounted.

Why it matters to us: evil-maid and stolen-laptop scenarios against BitLocker-protected fleets get cheaper where an offline scan has previously run. Until a patch lands: audit recovery-partition contents for unexpected unattend.xml/ReAgent.xml modifications, require TPM+PIN pre-boot authentication on high-value mobile assets, and weigh reagentc /disable on machines where recovery capability is dispensable.