Security researcher Chaotic Eclipse, known in the cybersecurity community as Nightmare-Eclipse and MSNightmare, has unveiled a new Windows BitLocker bypass tool named GreatXML. This announcement follows closely on the heels of a previously disclosed exploit targeting Microsoft Defender.
Details of the Discovery
In a candid post on Blogger, Chaotic Eclipse shared insights into the discovery process, noting, “This was an accidental discovery, it took a total of 4 hours to find this.” According to the researcher, any machine on which the Windows Defender Offline Scan feature has been run is exposed to the bypass; the exact conditions under which the bug can be triggered on a system where the offline scan was never used remain unclear.
How the Exploit Works
The exploit is a two-step procedure; nothing is executed on the running system, the attacker only stages two files and reboots:
- Copy a file named “unattend.xml” to the root of the recovery partition, together with a Recovery folder containing a second XML file at “Recovery/WindowsRE/ReAgent.xml”.
- Reboot into the Windows Recovery Environment (WinRE) by holding the Shift key while selecting Restart from the Windows power menu.
When executed correctly, these steps yield a shell with unrestricted access to the BitLocker volume, reached from the recovery environment rather than from an authenticated Windows session. Two practical caveats: writing to the recovery partition requires either administrative rights on the running system or physical access to the disk (the recovery partition itself is not BitLocker-encrypted), and, per the researcher, the technique has so far only been confirmed on systems where Windows Defender Offline Scan has been run.
Chaotic Eclipse elaborated on the exploit’s nuances, stating, “If Defender offline scan was never initiated, then you have to either log in and initiate it yourself or find a way to boot into WinRE in offline scan state. I believe it should be very possible to do so without logging in and follow the steps above.”
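The article names the two staged files but not their contents, so the practical question for a defender is whether a machine already carries them. The PowerShell below is an added example, not code from the article or from the researcher's tool: it locates the GPT recovery partition by its standard Microsoft Recovery partition type GUID, temporarily mounts it under an assumed free drive letter (R:), and reports an unexpected unattend.xml at the partition root (the strong indicator from the steps above) together with the timestamp and SHA-256 of Recovery\WindowsRE\ReAgent.xml for comparison against a trusted baseline. The baseline hash, the drive letter, and the thirty-day modification window are assumptions; MBR disks and the Defender Offline Scan state are not covered.

```powershell
# Added example: hunt for GreatXML staging artifacts on the local recovery partition.
# Run from an elevated PowerShell. Assumptions: GPT disk, drive letter R: is free,
# and $KnownGoodReAgentHash was captured from a trusted build of the same OS image.
$RecoveryGuid          = '{de94bba4-06d1-4d40-a16a-bfd50179d6ac}'  # GPT type: Microsoft Recovery partition
$Letter                = 'R'                                       # assumption: unused drive letter
$KnownGoodReAgentHash  = $null                                     # assumption: fill in from a clean reference machine
$SuspiciousWindowDays  = 30                                        # assumption: flag writes newer than this

function Find-GreatXmlArtifacts {
    $part = Get-Partition | Where-Object { $_.GptType -eq $RecoveryGuid } | Select-Object -First 1
    if (-not $part) { throw 'No GPT recovery partition found; this example does not handle MBR disks.' }

    $root = "${Letter}:\"
    Add-PartitionAccessPath -DiskNumber $part.DiskNumber -PartitionNumber $part.PartitionNumber -AccessPath $root
    try {
        $findings = @()

        # Indicator 1: a stock recovery partition has no unattend.xml at its root.
        $unattend = Join-Path $root 'unattend.xml'
        if (Test-Path $unattend) {
            $item = Get-Item $unattend
            $findings += [pscustomobject]@{
                Path     = $unattend
                Reason   = 'unexpected unattend.xml at recovery partition root'
                Modified = $item.LastWriteTime
                Sha256   = (Get-FileHash -Path $unattend -Algorithm SHA256).Hash
            }
        }

        # Indicator 2: ReAgent.xml is expected, so only flag it when it looks recently
        # rewritten or its hash differs from the supplied baseline.
        $reagent = Join-Path $root 'Recovery\WindowsRE\ReAgent.xml'
        if (Test-Path $reagent) {
            $item   = Get-Item $reagent
            $hash   = (Get-FileHash -Path $reagent -Algorithm SHA256).Hash
            $recent = $item.LastWriteTime -gt (Get-Date).AddDays(-$SuspiciousWindowDays)
            $drift  = $KnownGoodReAgentHash -and ($hash -ne $KnownGoodReAgentHash)
            if ($recent -or $drift) {
                $findings += [pscustomobject]@{
                    Path     = $reagent
                    Reason   = if ($drift) { 'ReAgent.xml hash differs from baseline' } else { 'ReAgent.xml modified recently' }
                    Modified = $item.LastWriteTime
                    Sha256   = $hash
                }
            }
        }

        return $findings
    }
    finally {
        # Always unmount, even if a check above throws, so the partition stays hidden.
        Remove-PartitionAccessPath -DiskNumber $part.DiskNumber -PartitionNumber $part.PartitionNumber -AccessPath $root
    }
}

$results = Find-GreatXmlArtifacts
if ($results) { $results | Format-Table -AutoSize } else { Write-Host 'No GreatXML staging artifacts found on the recovery partition.' }

# reagentc reports which partition WinRE actually boots from; confirm it matches the one scanned.
reagentc /info
```

A clean result from this script is not proof of safety: an attacker with physical access can stage the files from a boot USB moments before the reboot, and an unattend.xml left behind by legitimate imaging tooling will show up as a finding, so treat hits as leads for manual review rather than verdicts.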
Context of the Release
The introduction of GreatXML is particularly noteworthy as it follows the recent revelation of RoguePlanet, a zero-day vulnerability in Microsoft Defender that allows local privilege escalation (LPE) to SYSTEM. In practice, an attacker who can already run code as an ordinary local user can use the flaw to execute arbitrary code with SYSTEM privileges.
GreatXML marks the second BitLocker bypass released by Chaotic Eclipse, following the earlier exploit known as YellowKey (also referred to as CVE-2026-45585). Microsoft addressed YellowKey with patches issued in its most recent Patch Tuesday updates.