Ethical Hacking News

A Critical BitLocker Bypass Vulnerability: Understanding the Impact of GreatXML



A critical BitLocker bypass vulnerability, found by researcher Chaotic Eclipse after just four hours of research, allows attackers to gain SYSTEM privileges on Windows systems. As the latest disclosure in a string of zero-day vulnerabilities, GreatXML underlines the importance of applying security patches promptly and illustrates the ongoing dispute between researchers and vendors over vulnerability reporting practices.

  • A new zero-day vulnerability, GreatXML, has been discovered that bypasses BitLocker and grants SYSTEM privileges on Windows systems.
  • The vulnerability was found by researcher Pierluigi Paganini within four hours of research.
  • The exploit abuses configuration artifacts left behind by Microsoft Defender's offline scan feature.
  • The vulnerability allows an attacker to copy specific XML files to the recovery partition, obtaining SYSTEM privileges and access to BitLocker-protected volumes.
  • The implications are significant: the artifacts are created by regular offline scans, so many machines are likely to already be in the vulnerable state.
  • A limitation of the exploit is that the path is easier if Microsoft Defender Offline Scan has already been run; otherwise the attacker must first get the system into recovery mode.
  • The researcher has acknowledged that they have not fully investigated all possible methods and are not currently interested in digging deeper.



Chaotic Eclipse has done it again, revealing a new zero-day vulnerability that bypasses BitLocker and grants SYSTEM privileges on Windows systems. The newly disclosed exploit, dubbed GreatXML, was discovered by researcher Pierluigi Paganini, also known as Nightmare Eclipse, within four hours of research.

The technical mechanism behind GreatXML is straightforward. Microsoft Defender's offline scan feature, which reboots the system into the Windows Recovery Environment (WinRE) to scan for malware outside the running OS, leaves behind configuration artifacts that persist on the recovery partition. These artifacts can be abused by an attacker who has physical access to the target machine or who can write to the recovery partition by any other means.

Once triggered, GreatXML exploits the way WinRE processes XML files during the boot sequence: an attacker copies an "unattend.xml" file and a "Recovery" directory to the root of the recovery partition, and WinRE then spawns a shell with full SYSTEM privileges, making BitLocker-protected volumes accessible.

The vulnerability's implications are significant, as Defender prompts users to run offline scans regularly, particularly after detecting threats it could not remove while Windows was running. This increases the likelihood that a machine has already been scanned and is therefore vulnerable to GreatXML.

However, Nightmare Eclipse points out one limitation: the exploit path is easier if Microsoft Defender Offline Scan has already been used. If not, an attacker may need to start the scan manually or find another way to boot the system into the required recovery mode.

The researcher acknowledges that they have not fully investigated all possible methods and are not currently interested in digging deeper. As a result, some questions about this vulnerability remain unanswered.

GreatXML is the latest vulnerability disclosed by Nightmare Eclipse, following BlueHammer, UnDefend, and RedSun. The disclosures are believed to stem from a dispute with Microsoft over the vulnerability reporting process.

Microsoft has responded by criticizing Chaotic Eclipse for publicly disclosing vulnerabilities without proper notification, claiming that this puts its customers at unnecessary risk. Under Coordinated Vulnerability Disclosure (CVD), the standard practice, a researcher notifies the vendor privately, gives it time to fix the issue, and only then goes public.

In recent weeks, Microsoft has disclosed several zero-day vulnerabilities, including RedSun, UnDefend, BlueHammer, YellowKey, GreenPlasma, and MiniPlasma. The company says that working with researchers in this way lets it update affected services before proof-of-concept code reaches bad actors.

The GreatXML vulnerability has significant implications for Windows users and highlights the need to monitor security patches and update systems promptly. As researchers like Nightmare Eclipse continue to expose vulnerabilities, organizations must prioritize their security posture and take a proactive approach to mitigating these threats.
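Because the article describes the trigger as an "unattend.xml" file and a "Recovery" directory placed at the root of the recovery partition, a defender can baseline and periodically re-check that partition for those items. The following is an added example written for this article, not code from the researcher or from Microsoft; it assumes the recovery partition has been mounted read-only at a path you supply, and its sample layout is constructed for the demonstration.

```python
"""Inventory unattend.xml / Recovery artifacts on a mounted recovery partition.

Added example (not from the article). Walks a directory standing in for the
recovery partition and reports every unattend.xml plus a top-level "Recovery"
directory, so the result can be compared against a known-good baseline.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    path: str       # path relative to the partition root
    kind: str       # "unattend" or "recovery_dir"
    sha256: str     # content hash for unattend files, "" for directories
    at_root: bool   # True when the item sits directly at the partition root


def _sha256(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_recovery_partition(root: str) -> list[Finding]:
    """Return findings sorted by path; root is the assumed mount point."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        is_root = rel_dir == "."
        if is_root and any(d.lower() == "recovery" for d in dirnames):
            findings.append(Finding("Recovery", "recovery_dir", "", True))
        for name in filenames:
            if name.lower() == "unattend.xml":
                full = os.path.join(dirpath, name)
                rel = name if is_root else os.path.join(rel_dir, name)
                findings.append(Finding(rel, "unattend", _sha256(full), is_root))
    return sorted(findings, key=lambda f: f.path)


def root_level_findings(root: str) -> list[Finding]:
    """Only the items the article names: unattend.xml or Recovery at the root."""
    return [f for f in scan_recovery_partition(root) if f.at_root]


def build_sample_partition() -> str:
    """Constructed sample layout (not real WinRE content) for a dry run."""
    d = tempfile.mkdtemp(prefix="recovery_sample_")
    os.makedirs(os.path.join(d, "Recovery", "WindowsRE"))
    os.makedirs(os.path.join(d, "sources"))
    with open(os.path.join(d, "unattend.xml"), "w") as f:
        f.write("<unattend/>")          # root-level file the article describes
    with open(os.path.join(d, "sources", "unattend.xml"), "w") as f:
        f.write("<unattend/>")          # nested copy, reported but not at root
    return d
```

Run `root_level_findings("/path/to/mounted/recovery")` on a freshly imaged machine to record a baseline, then diff later runs against it.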



    Related Information:
  • https://www.ethicalhackingnews.com/articles/A-Critical-BitLocker-Bypass-Vulnerability-Understanding-the-Impact-of-GreatXML-ehn.shtml

  • https://securityaffairs.com/193516/security/chaotic-eclipse-strikes-again-new-zero-day-unlocks-bitlocker-in-four-hours-of-research.html


  • Published: Thu Jun 11 07:54:31 2026 by llama3.2 3B Q4_K_M
