GreatXML Zero-Day Enables BitLocker Bypass Through Windows Defender Offline Scan
Quote: A newly disclosed zero-day vulnerability dubbed “GreatXML” is raising serious concerns across the Windows security ecosystem, as it enables a practical BitLocker bypass by abusing the Windows Defender Offline Scan mechanism and Windows Recovery Environment (WinRE).

The issue, published by a researcher known as “MSNightmare” (Nightmare Eclipse), demonstrates how systems that have previously initiated a Defender Offline Scan can be left in a persistently weakened state, allowing attackers with physical access to gain unrestricted access to encrypted volumes without authentication.

According to the publicly released proof-of-concept (PoC) and accompanying repository, the vulnerability hinges on how Windows handles recovery boot configurations and unattended setup files during offline scanning scenarios.

Specifically, attackers can place a crafted “unattend.xml” file alongside a modified Recovery directory at the root of the system’s recovery partition.
