Vulnerabilities · 4 min read · 13 June 2026

GreatXML: A BitLocker Bypass That Doesn't Quite Work — Yet

A pseudonymous researcher dropped an alleged Windows Recovery Environment exploit days after Patch Tuesday. A respected vulnerability analyst couldn't replicate it. The researcher is already hunting a workaround.

Elena Fischer, Threat Intelligence Analyst

A researcher publishing under the names Nightmare Eclipse and Chaotic Eclipse released an alleged BitLocker bypass exploit called GreatXML on a Thursday in mid-2025, claiming it could unlock an encrypted Windows volume with no credentials required.

What GreatXML Claims to Do

The technique, as described in the researcher's now-deleted blog post, is deceptively simple. Copy two XML files — `unattend.xml` and `Recovery/WindowsRE/ReAgent.xml` — onto the Windows Recovery Environment (WinRE) partition. That partition lives outside the encrypted volume. Reboot into WinRE. On machines where Windows Defender Offline Scan had been previously run, the exploit allegedly spawns an unrestricted command shell with full access to the BitLocker-protected volume.

No password. No PIN. No recovery key.

If that worked exactly as described, it would be devastating. BitLocker exists to protect data on stolen or unattended devices. A bypass that requires no authentication strips away the entire guarantee.

Why the Claim Falls Apart — For Now

Vulnerability analyst Will Dormann tested GreatXML across three separate Windows 11 builds and could not reproduce the described behavior. His conclusion cuts to the heart of the problem: the CMD.EXE shell the exploit supposedly spawns only appears when the *next* Defender Offline Scan runs, not the prior one the researcher references.

That distinction is fatal to the exploit's core claim. Triggering a Windows Defender Offline Scan requires an authenticated, active Windows session with administrative privileges. Microsoft's own documentation confirms this — the scan demands elevated access and deliberately forces a reboot into WinRE so it can operate below the OS layer, targeting threats like rootkits that live in memory or the boot sector. An attacker who already has admin credentials and an active login has no need to bypass BitLocker. They already own the machine.

As Dormann put it plainly: if his read is correct, GreatXML as written requires exactly the access it claims to circumvent.

Nightmare Eclipse did not address Dormann's analysis point by point. Instead, the researcher posted publicly asking whether anyone knows of a method to trigger a Defender Offline Scan purely by editing `ReAgent.xml` — without logging in first. That is an open admission that the current version of the exploit has a gap, and that active work toward closing it is underway.

A Pattern Worth Watching

This is not the first time this researcher has made headlines. Nightmare Eclipse has published at least eight Windows zero-days in recent months. Many of those releases were timed deliberately to land just after Microsoft's monthly Patch Tuesday cycle — a calculated move that maximizes the window before Microsoft can issue a fix.

Two days before GreatXML dropped, the same researcher published RoguePlanet, an alleged privilege escalation zero-day in Windows Defender. Back-to-back releases following the same Patch Tuesday timing pattern suggest an organized, deliberate disclosure strategy rather than opportunistic dumping.

The researcher's original blog post on Blogger disappeared after publication; the researcher attributes the removal to Google. A GitHub repository hosting earlier proof-of-concept code was also taken down, a move the researcher blames on Microsoft. That latter action drew criticism from parts of the security community — GitHub has long served as a legitimate home for security research, and automated or pressure-driven takedowns sit in murky ethical territory.

What Defenders Should Take Away

Dormann's inability to replicate GreatXML does not close this story. Eclipse has demonstrated working exploits before. A flaw in today's writeup does not prevent a corrected version next week, or a separate researcher adapting the technique into something functional. The Verizon 2024 Data Breach Investigations Report found that exploitation of vulnerabilities as an initial access vector grew 180% year-over-year — a reminder that unverified or disputed claims can still evolve into genuine threats quickly.

This incident also highlights a subtler risk that organizations often miss: the gap between a published exploit and a validated one is shrinking. Security teams that wait for confirmed, patched vulnerabilities before adjusting controls are perpetually one iteration behind.

For organizations relying on BitLocker as their primary endpoint data-protection control — particularly those with field-deployed laptops, remote workers, or any device-loss exposure — the advice is specific. Audit which endpoints have had Windows Defender Offline Scans initiated previously. Review WinRE partition access controls. Confirm that BitLocker is paired with TPM-plus-PIN rather than TPM-only; the PIN is a meaningful additional barrier that would still hold even if a WinRE-based attack vector is later confirmed. NIST SP 800-111, which covers storage encryption technologies for end-user devices, recommends layering authentication factors precisely because no single encryption control should be treated as absolute.

The Human Factor Nobody Is Talking About

The technical debate around GreatXML is genuine. But the broader pattern — a prolific researcher dropping zero-days on a predictable schedule, targeting the same OS repeatedly, and publicly crowdsourcing the missing pieces of an incomplete exploit — is a social engineering problem as much as a technical one. Security teams that track only CVE feeds miss this entirely.

Training staff to recognize and escalate emerging threat intelligence, even when that intelligence is ambiguous or unverified, is exactly the kind of behavior that security-awareness programs are designed to build. An analyst who knows to flag GreatXML to the security team before a patch exists is more valuable than one who waits for a vendor bulletin.

Organizations using BitLocker at scale should treat this as a watch-item now, not a wait-and-see. If a functional variant of this technique surfaces — whether from Nightmare Eclipse or someone building on the published research — the response window will be narrow. Preparation beats reaction every time.

How to stay ahead of unverified but evolving exploits

  • Audit BitLocker configurations now — confirm TPM-plus-PIN is enforced on all field-deployed and remote-worker endpoints, not TPM-only.
  • Add emerging, unpatched threat intelligence to your team's escalation workflow so analysts flag ambiguous disclosures before they become confirmed CVEs.
  • Run tabletop exercises simulating a device-loss scenario against a BitLocker-protected endpoint so your response plan is tested before an incident.
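The three audit steps above (and the matching advice in "What Defenders Should Take Away") can be turned into a single read-only posture check. The script below is an added example written for this article; it is not code from the researcher, from Microsoft, or from Train2Secure. It uses only built-in cmdlets (`Get-BitLockerVolume`, `Get-Partition`, `Get-WinEvent`) and the `reagentc /info` tool. Two things are assumptions rather than documented facts: that Defender offline scans can be picked out of the Defender operational log's scan-start/finish events (IDs 1000/1001) by the word "offline" in the event text, and the output path used for the JSON report.

```powershell
# Added example, not from the article or from Microsoft: a read-only BitLocker
# and WinRE posture check for one endpoint. Run from an elevated PowerShell
# session, or push it out through endpoint management and collect the output.
#Requires -RunAsAdministrator

function Get-BitLockerPosture {
    # Flag volumes whose only TPM-based protector is bare TPM (no PIN). TPM-only
    # unlocks the volume automatically at boot; TPM+PIN adds the factor the
    # article recommends.
    foreach ($vol in Get-BitLockerVolume) {
        $types   = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
        $hasPin  = ($types -contains 'TpmPin') -or ($types -contains 'TpmPinStartupKey')
        $tpmOnly = ($types -contains 'Tpm') -and (-not $hasPin)

        if ($vol.ProtectionStatus -ne 'On') { $finding = 'PROTECTION OFF' }
        elseif ($tpmOnly)                   { $finding = 'TPM-ONLY: enable TPM+PIN' }
        else                                { $finding = 'OK' }

        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeType       = $vol.VolumeType
            ProtectionStatus = $vol.ProtectionStatus
            Protectors       = ($types -join ',')
            Finding          = $finding
        }
    }
}

function Get-WinREPosture {
    # reagentc /info reports whether WinRE is enabled and where its image lives.
    $info   = (reagentc /info 2>&1) -join "`n"
    $status = if ($info -match 'Windows RE status:\s*(\w+)') { $Matches[1] } else { 'Unknown' }

    # A recovery partition that has a drive letter is directly writable from the
    # running OS. Normally it has none; report any that do so they can be reviewed.
    $recovery = @(Get-Partition | Where-Object { $_.Type -eq 'Recovery' })
    $lettered = @($recovery | Where-Object { "$($_.DriveLetter)" -match '^[A-Za-z]$' })

    [pscustomobject]@{
        WinREStatus             = $status
        RecoveryPartitions      = $recovery.Count
        RecoveryWithDriveLetter = (@($lettered | ForEach-Object { "$($_.DriveLetter):" }) -join ',')
    }
}

function Get-DefenderOfflineScanHistory {
    # Scan start/finish events (IDs 1000/1001) from the Defender operational log.
    # ASSUMPTION: offline scans are identifiable by the word "offline" in the event
    # text. Treat hits as leads to confirm against your EDR telemetry, not proof.
    # An empty result means no matching events or no access to the log.
    $filter = @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1000, 1001 }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'offline' } |
        Select-Object TimeCreated, Id,
                      @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
}

# Collect everything into one object so results can be aggregated fleet-wide.
$report = [pscustomobject]@{
    Host         = $env:COMPUTERNAME
    Collected    = (Get-Date).ToString('o')
    BitLocker    = @(Get-BitLockerPosture)
    WinRE        = Get-WinREPosture
    OfflineScans = @(Get-DefenderOfflineScanHistory)
}

$report.BitLocker    | Format-Table -AutoSize
$report.WinRE        | Format-List
$report.OfflineScans | Format-Table -AutoSize

# Output path is an assumption; point it at wherever your tooling collects files.
$report | ConvertTo-Json -Depth 4 | Set-Content -Path "$env:TEMP\bitlocker-winre-posture.json"
```

Any volume reported as `TPM-ONLY` is a candidate for adding a PIN protector (`Add-BitLockerKeyProtector -TpmAndPinProtector`), and any recovery partition listed under `RecoveryWithDriveLetter` deserves a look at why it is mounted. The offline-scan column is the weakest part of the check: the script only looks for a keyword, so cross-reference it with your EDR or Intune/MDM scan history before treating an endpoint as clean or affected.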

Train2Secure helps security teams build the habits and awareness that keep organizations one step ahead of threats that haven't been patched yet.


Frequently asked questions

Does GreatXML actually bypass BitLocker right now?

Based on testing by vulnerability analyst Will Dormann across three Windows 11 builds, the exploit as currently described does not work as claimed. The technique appears to require an authenticated admin session to trigger a Defender Offline Scan — which defeats the bypass's core premise. The researcher is actively looking for a way around that prerequisite.

Which Windows versions are potentially affected?

The researcher's claims target the Windows Recovery Environment (WinRE) present across Windows 10 and Windows 11 installations. Dormann's testing focused on three Windows 11 versions. No confirmed affected build has been identified, and Microsoft has not issued a CVE or advisory for GreatXML at this time.

What can organizations do right now to reduce risk?

Audit endpoints for previous Defender Offline Scan activity, restrict physical access to WinRE partitions where possible, and ensure BitLocker is configured with TPM-plus-PIN rather than TPM-only. Monitor Microsoft Security Response Center advisories for any official guidance as this situation develops.

Who is Nightmare Eclipse and why does the Patch Tuesday timing matter?

Nightmare Eclipse is a pseudonymous security researcher who has published at least eight Windows zero-days in recent months, often releasing disclosures in the days immediately following Microsoft's monthly Patch Tuesday update cycle. That timing maximizes the period before Microsoft can assess and patch the reported issue.
