GreatXML is a zero-day vulnerability disclosed by security researcher Chaotic Eclipse that enables bypassing BitLocker encryption on Windows systems. The vulnerability arises from Microsoft Defender's offline scan feature, which reboots the system into Windows Recovery Environment (WinRE) and leaves behind configuration artifacts on the recovery partition. By copying crafted files (unattend.xml and Recovery directory) to the recovery partition and rebooting into WinRE, an attacker can spawn a command shell with SYSTEM privileges, gaining unrestricted access to the BitLocker-protected volume. The exploit requires that the target machine has previously run Defender Offline Scan, a common scenario. Physical access or the ability to write to the recovery partition is necessary. There is no known patch or official fix at this time. Microsoft has publicly condemned the disclosure method and is working on understanding and mitigating the issue.

An attacker with brief physical access or the ability to write to the recovery partition on a Windows machine that has run Defender Offline Scan can bypass BitLocker encryption protections. This results in a SYSTEM-level shell in Windows Recovery Environment, granting unrestricted access to the encrypted volume without requiring user login. This compromises the confidentiality and integrity of data protected by BitLocker on affected systems.

No official patch or fix is currently available for this vulnerability. Microsoft is actively investigating and working on remediation. Until a patch is released, systems that have run Defender Offline Scan remain vulnerable. Mitigation options are limited; restricting physical access to devices and preventing unauthorized write access to the recovery partition may reduce risk. Monitor official Microsoft advisories for updates and apply patches promptly once available.