
Microsoft Fixes YellowKey, but GreatXML Zero-Day Bypasses BitLocker

While Microsoft patched the YellowKey flaw during the June 2026 Patch Tuesday, researcher Nightmare Eclipse has published another zero-day that can also bypass BitLocker. Here’s what we know about this zero-day, dubbed GreatXML.

He is not stopping anytime soon! Researcher Nightmare Eclipse disclosed the RoguePlanet flaw just hours after Microsoft rolled out the June 2026 Patch Tuesday. But apparently, he still had a few more surprises in store: on June 11, 2026, he revealed another flaw that exploits Microsoft Defender to bypass BitLocker encryption.

Specifically, the method described by Nightmare Eclipse abuses a weakness in Microsoft Defender’s offline scanning feature. Once an offline scan has been initiated on the victim’s Windows machine, the door begins to open. But for the technique to work, specific files must be placed at the root of the machine’s recovery partition:

  • A configuration file unattend.xml.
  • A directory named Recovery (which contains the WindowsRE tree).

Once these elements are in place, all that remains is to force the machine to reboot into the WinRE environment using the classic method of holding down the Shift key while clicking the restart option (from the Start menu). If the configuration is correctly read by the system, the GreatXML technique triggers a Command Prompt window that provides full, unrestricted access to the BitLocker-protected volume.

Reminder: an unattend.xml file is an answer file used during Windows installation to automate the system’s initial configuration.
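From a defender's side, the two artefacts named above (an unattend.xml at the root of the recovery partition and extra content under Recovery\WindowsRE) are things an administrator can audit for. The PowerShell script below is an added example written for this article; it is not code from the original page or from the GreatXML repository. It assumes a GPT disk whose recovery partition carries the standard Windows RE partition type GUID, that a clean WindowsRE tree contains only the files listed in $ExpectedWinReFiles (adjust that list for your own images), and that the script runs elevated. It also summarises the BitLocker key protectors on the OS volume, since the article stresses that the technique needs physical access, which is the threat pre-boot authentication (a TPM+PIN or startup-key protector) is meant to address.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the original article or the GreatXML repository.
# Audits recovery partitions for the artefacts the write-up associates with
# GreatXML and reports the OS volume's BitLocker protector types.

# Assumption: recovery partition uses the standard GPT "Windows Recovery" type GUID.
$WinRePartitionType = '{de94bba4-06d1-4d40-a16a-bfd50179d6ac}'
# Assumption: a clean Recovery\WindowsRE tree holds only these files; adjust per image.
$ExpectedWinReFiles = @('Winre.wim', 'ReAgent.xml', 'boot.sdi')

function Test-RecoveryPartition {
    param([Parameter(Mandatory)] $Partition)

    $findings   = @()
    $mountPoint = Join-Path $env:TEMP ('winre-audit-' + [guid]::NewGuid())
    New-Item -ItemType Directory -Path $mountPoint | Out-Null
    try {
        # Mount the recovery partition on a temporary folder so its root can be read.
        Add-PartitionAccessPath -DiskNumber $Partition.DiskNumber `
            -PartitionNumber $Partition.PartitionNumber -AccessPath $mountPoint

        # Indicator 1 from the article: an answer file at the partition root.
        $unattend = Join-Path $mountPoint 'unattend.xml'
        if (Test-Path -Path $unattend) {
            $findings += "unattend.xml present at recovery partition root: $unattend"
        }

        # Indicator 2: files in Recovery\WindowsRE beyond the expected image files.
        $winre = Join-Path $mountPoint 'Recovery\WindowsRE'
        if (Test-Path -Path $winre) {
            Get-ChildItem -Path $winre -File -Force |
                Where-Object { $ExpectedWinReFiles -notcontains $_.Name } |
                ForEach-Object { $findings += "unexpected file in WindowsRE tree: $($_.FullName)" }
        }
    }
    finally {
        # Always unmount and clean up, even if a check throws.
        Remove-PartitionAccessPath -DiskNumber $Partition.DiskNumber `
            -PartitionNumber $Partition.PartitionNumber -AccessPath $mountPoint
        Remove-Item -Path $mountPoint -Force
    }
    return $findings
}

function Get-PreBootAuthSummary {
    # Lists the protector types on the OS volume and whether any of them requires
    # user interaction before boot (PIN or startup key).
    Get-BitLockerVolume |
        Where-Object { $_.VolumeType -eq 'OperatingSystem' } |
        ForEach-Object {
            $types = $_.KeyProtector.KeyProtectorType
            [pscustomobject]@{
                MountPoint       = $_.MountPoint
                ProtectionStatus = $_.ProtectionStatus
                Protectors       = ($types -join ', ')
                PreBootAuth      = [bool]($types -match 'Pin|StartupKey')
            }
        }
}

# --- main ---
$recoveryPartitions = Get-Partition | Where-Object { $_.GptType -eq $WinRePartitionType }
if (-not $recoveryPartitions) {
    Write-Warning 'No GPT recovery partition found (MBR disk or custom layout?).'
}
foreach ($p in $recoveryPartitions) {
    $result = Test-RecoveryPartition -Partition $p
    if ($result) {
        $result | ForEach-Object { Write-Warning $_ }
    }
    else {
        Write-Output "Disk $($p.DiskNumber) partition $($p.PartitionNumber): no GreatXML-style artefacts found"
    }
}
Get-PreBootAuthSummary | Format-Table -AutoSize
```

Run it from an elevated PowerShell session; it mounts each recovery partition read-only in practice (it only lists files) and removes the temporary mount point afterwards. A PreBootAuth value of False means the OS volume unlocks on TPM alone, which is the configuration the article's physical-access scenario targets.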

GreatXML: Two Scenarios Described by the Researcher

Reading the GreatXML repository published by Nightmare Eclipse highlights two distinct scenarios for exploiting this vulnerability on a Windows machine. "If you have ever tried using Windows Defender’s offline scan, you are automatically exposed to a BitLocker bypass," he explains.

So there are two scenarios:

  • First scenario: if a Defender offline scan has already been run at least once on the victim machine, no login is required; the machine is automatically vulnerable! In that case, simply dropping the right files and rebooting into WinRE is enough to get a terminal running as SYSTEM.
  • Second scenario: if the offline scan has never been triggered on the machine before, the attacker must already be logged into the Windows session in order to initiate it once themselves. This is a necessary step before moving on to the next phase.

The GitHub repository also includes an example unattend.xml file and a Recovery/WindowsRE folder with an XML file. I have not tested it myself, but all the exploits previously published by Nightmare Eclipse worked... However, like YellowKey, exploiting GreatXML requires physical access to the machine.

Florian Burnel Co-founder of IT-Connect
Systems and network engineer, co-founder of IT-Connect and Microsoft MVP "Cloud and Datacenter Management". I'd like to share my experience and discoveries through my articles. I'm a generalist with a particular interest in Microsoft solutions and scripting. Enjoy your reading.
