
New Exploit Bypasses Windows BitLocker via Recovery Partition Files


"This was an accidental discovery, it took a total of 4 hours to find this," Chaotic Eclipse wrote after publishing a new BitLocker bypass dubbed GreatXML.

Chaotic Eclipse on discovery and timing

Security researcher Chaotic Eclipse (also known as Nightmare-Eclipse and MSNightmare) released GreatXML a day after publishing an exploit for Microsoft Defender. The researcher said the discovery was unintentional and noted a connection to the Windows Defender Offline Scan feature: "If you ever attempted to use Windows Defender Offline Scan, you're automatically vulnerable to a BitLocker bypass." Chaotic Eclipse also published procedural details in a Blogger post explaining how an attacker can reach a shell with unrestricted access to a BitLocker volume.

How GreatXML operates

The exploit, as described by Chaotic Eclipse, relies on files planted on the recovery partition and on the Windows Recovery Environment (WinRE) that boots from it. The attacker's steps are straightforward when followed exactly:

  • Copy an XML file ("unattend.xml") and a recovery folder containing another XML file ("Recovery/WindowsRE/ReAgent.xml") to the root of the recovery partition.
  • Reboot to Windows Recovery Environment (WinRE) by holding Shift while clicking Restart in the Windows power menu.

When both steps are followed correctly, Chaotic Eclipse reports, the result is "a shell spawned with unrestricted access to the BitLocker volume." The researcher added a caveat about the role of Defender's offline scan state: if a Defender offline scan was never initiated, the attacker must either log in and initiate it or find a way to boot into WinRE in an offline-scan state. Chaotic Eclipse wrote, "I believe it should be very possible to do so without logging in."
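The procedure above gives a defender two concrete artefacts to look for on the recovery partition. The PowerShell audit below is an added example, not code from the article or from Chaotic Eclipse's release: it temporarily assigns a drive letter to each GPT recovery partition, reports whether an unattend.xml sits at its root (an answer file is not normally expected there; that expectation is an assumption), records the hash and timestamp of Recovery\WindowsRE\ReAgent.xml, flags it for review if it differs from the OS-side copy under %SystemRoot%\System32\Recovery (a heuristic, since ReAgent.xml is legitimately present on the recovery partition and a mismatch is not proof of tampering), and then removes the letter again. The function name, the "UNEXPECTED"/"REVIEW" labels and the comparison heuristic are mine; the file paths come from the researcher's description.

```powershell
#Requires -RunAsAdministrator
# Added audit example; not from the article or from the GreatXML release.
# Assumptions: GPT disk layout (recovery partition identified by its GPT type GUID),
# unattend.xml is not expected at a recovery partition root, and the recovery
# partition's ReAgent.xml normally matches %SystemRoot%\System32\Recovery\ReAgent.xml.

$RecoveryGptType = '{de94bba4-06d1-4d40-a16d-b4e4ac0f8f1e}'   # Microsoft Recovery partition type
$SuspectRelPaths = @('unattend.xml', 'Recovery\WindowsRE\ReAgent.xml')   # files the bypass plants
$SystemReAgent   = Join-Path $env:SystemRoot 'System32\Recovery\ReAgent.xml'  # OS-side WinRE config

function Get-DriveLetterRoot($Partition) {
    # Recovery partitions usually expose only a \\?\Volume{...}\ access path, no letter.
    @($Partition.AccessPaths) | Where-Object { $_ -match '^[A-Za-z]:\\$' } | Select-Object -First 1
}

function Get-RecoveryPartitionFindings {
    $findings = @()
    foreach ($part in (Get-Partition | Where-Object { $_.GptType -eq $RecoveryGptType })) {
        $root  = Get-DriveLetterRoot $part
        $added = $false
        if (-not $root) {
            # Expose the partition temporarily so its root can be inspected.
            $part | Add-PartitionAccessPath -AssignDriveLetter
            $added = $true
            $part  = Get-Partition -DiskNumber $part.DiskNumber -PartitionNumber $part.PartitionNumber
            $root  = Get-DriveLetterRoot $part
            if (-not $root) { throw "No drive letter obtained for disk $($part.DiskNumber) partition $($part.PartitionNumber)" }
        }
        try {
            foreach ($rel in $SuspectRelPaths) {
                $path = Join-Path $root $rel
                if (-not (Test-Path -LiteralPath $path)) { continue }
                $item = Get-Item -LiteralPath $path
                $hash = (Get-FileHash -LiteralPath $path).Hash
                $note = switch ($rel) {
                    'unattend.xml' { 'UNEXPECTED: answer file at recovery partition root' }
                    default {
                        # ReAgent.xml is normally present; a mismatch with the OS copy is a heuristic, not proof.
                        if ((Test-Path -LiteralPath $SystemReAgent) -and
                            ($hash -ne (Get-FileHash -LiteralPath $SystemReAgent).Hash)) {
                            'REVIEW: differs from System32\Recovery\ReAgent.xml'
                        } else { 'present (matches OS copy, or no OS copy to compare)' }
                    }
                }
                $findings += [pscustomobject]@{
                    Disk      = $part.DiskNumber
                    Partition = $part.PartitionNumber
                    Path      = $path
                    Size      = $item.Length
                    LastWrite = $item.LastWriteTime
                    Sha256    = $hash
                    Note      = $note
                }
            }
        }
        finally {
            # Always undo the temporary drive letter, even if inspection failed.
            if ($added) {
                Remove-PartitionAccessPath -DiskNumber $part.DiskNumber -PartitionNumber $part.PartitionNumber -AccessPath $root
            }
        }
    }
    return $findings
}

Get-RecoveryPartitionFindings | Format-Table -AutoSize
```

Run it from an elevated PowerShell session; an empty table means neither file was found on any recovery partition. Pair it with `reagentc /info`, which reports whether WinRE is enabled and which partition it boots from, so that the partition you audited is the one WinRE actually uses. The script reports rather than remediates, because the page does not say what a malicious unattend.xml or ReAgent.xml contains, so a "REVIEW" line is a prompt to diff the two ReAgent.xml copies by hand.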

Context: RoguePlanet and YellowKey

GreatXML was released shortly after another disclosure from Chaotic Eclipse — RoguePlanet, described as a zero-day flaw in Microsoft Defender that facilitates local privilege escalation (LPE) to SYSTEM and lets an attacker run arbitrary code or perform unauthorized actions. GreatXML is also the researcher's second BitLocker bypass following YellowKey (aka CVE-2026-45585). Microsoft released patches for YellowKey as part of Patch Tuesday updates this week, according to the same reporting.

What this means for technologists and end users

Technologists and security teams will watch two specifics: whether GreatXML can be reliably triggered without a prior Windows Defender Offline Scan initiation, and whether Microsoft issues a patch or guidance analogous to the recent fixes for YellowKey. End users are implicated directly by Chaotic Eclipse's statement that anyone who "ever attempted to use Windows Defender Offline Scan" is "automatically vulnerable to a BitLocker bypass," a brief but explicit link between using that Defender feature and the potential for compromise.

Whether GreatXML can be triggered without Defender Offline Scan

Chaotic Eclipse's post leaves one central technical question open: "I'm unsure if you can still trigger the bug without ever using the offline scan feature, because you can definitely." The researcher believes it should be possible to reach the necessary WinRE offline scan state without logging in, but does not provide a confirmed technique. That uncertainty is the narrow but consequential next fact to resolve: can GreatXML be executed against systems that have never run Defender's offline scan, or is prior use of that feature a prerequisite?

Chaotic Eclipse's release adds a second, distinct BitLocker bypass to the public record within days of other high-severity disclosures. Whether Microsoft issues a targeted mitigation, patch, or operational guidance for GreatXML remains to be seen; meanwhile the unresolved question about the offline-scan dependency will determine how broadly the exploit can be applied.

Source: The Hacker News — New GreatXML Exploit Bypasses Windows BitLocker via Recovery Partition XML Files