GreatXML: A Windows BitLocker Bypass Zero-Day Vulnerability

12 Jun 2026

Security researcher Chaotic Eclipse (also known as Nightmare-Eclipse and MSNightmare) has publicly disclosed a new Windows BitLocker bypass technique dubbed GreatXML, which allows attackers to gain unrestricted access to BitLocker-protected volumes through the Windows Recovery Environment (WinRE).


According to the researcher, the flaw was discovered while investigating Windows recovery mechanisms and can be abused by placing specially crafted XML configuration files within the Windows Recovery Environment. If successfully triggered, the flaw results in a command shell being launched with unrestricted access to the encrypted BitLocker volume.

About the vulnerability

Vendor and components affected: Microsoft
  • Windows BitLocker
  • Windows Recovery Environment (WinRE)
  • Microsoft Defender Offline Scan functionality

CVE identifier: Unassigned

About: GreatXML appears to abuse trusted recovery and offline maintenance functionality within WinRE, potentially allowing attackers with physical access to bypass encryption protections under specific conditions.

Severity: Unassigned

What can attackers do with the vulnerability?

An attacker with physical access to a vulnerable system can copy specially crafted XML configuration files to the Windows Recovery partition and then boot the system into the Windows Recovery Environment (WinRE).


By abusing recovery configuration mechanisms, the attacker may be able to trigger the launch of a command shell with unrestricted access to the BitLocker-protected drive, bypassing the encryption without any user-supplied secret and exposing the data on it. The risk is highest for organizations that rely solely on TPM-based BitLocker protection: a TPM-only protector releases the volume key to any boot path the TPM's measurements trust, and WinRE is on that trusted path, so a shell running inside WinRE inherits access to an already-unlocked volume. A TPM + PIN protector withholds the key until the PIN is entered at boot, which is why it is the primary mitigation in the recommendations below.


Attackers can exploit the vulnerability to:

  • Bypass full-disk encryption and read BitLocker-protected data, including confidential files, credentials, and locally stored corporate information
  • Steal data from lost, stolen, or otherwise physically accessible endpoints
  • Evade forensics and tamper with protected systems offline, since the unlocked volume is writable as well as readable

SharkStriker recommendations

To reduce the risk associated with BitLocker bypass techniques such as GreatXML, SharkStriker recommends implementing the following defensive measures:

  • Implement TPM + PIN Protection: Avoid relying solely on TPM-based BitLocker protection. Configure TPM + PIN authentication to provide an additional security layer during system boot.
  • Restrict Physical Access: Ensure corporate devices, servers, and workstations are physically secured to prevent unauthorized access to recovery partitions and offline recovery environments.
  • Review Windows Recovery Environment Security: Limit unnecessary access to WinRE and ensure recovery mechanisms are configured according to organizational security policies. On devices that do not need on-device recovery, disable WinRE (reagentc /disable); where it stays enabled, keep the WinRE image updated and treat the unencrypted recovery partition as attack surface, since that is where the crafted XML files are placed.
  • Monitor BitLocker Configuration Compliance: Audit BitLocker deployments across the environment to identify systems operating with weaker configurations or missing additional authentication controls.
  • Protect High-Value Assets: Apply enhanced security controls to executive devices, privileged administrator workstations, servers, and systems containing sensitive information.
  • Review Endpoint Security Controls: Monitor for unusual reboot activity, unauthorized recovery partition modifications, and attempts to access Windows Recovery Environment outside normal maintenance windows.
  • Conduct Security Awareness Training: Educate IT administrators and security teams regarding emerging BitLocker bypass techniques and the risks associated with physical access attacks.
  • Maintain Continuous Vulnerability Monitoring: Track Microsoft’s future advisories and updates for official guidance, patches, or CVE assignments related to GreatXML and other emerging BitLocker bypass techniques.
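The following audit script is added here as a worked example; it is not code from the advisory or from the researcher's disclosure. It checks a Windows endpoint against the TPM + PIN, configuration-compliance, WinRE-review and reboot-monitoring recommendations above: it flags OS volumes protected by a TPM-only key protector, reads the Group Policy value that requires a startup PIN, reports WinRE status and location, and lists recent shutdown/reboot events. It assumes an elevated PowerShell session on Windows 10/11, the built-in BitLocker module and reagentc.exe, and English-language reagentc output (the regular expressions match the English strings). Registry value names and event IDs are the documented ones; the PASS/WARN/FAIL labels are this example's own convention.

```powershell
# Added example (not part of the original advisory or the researcher's
# disclosure). Audits the local machine against the recommendations above.
# Assumptions: Windows 10/11, elevated PowerShell, built-in BitLocker module,
# reagentc.exe present, English-language reagentc output.
#Requires -RunAsAdministrator

function Get-BitLockerProtectorFindings {
    # TPM-only is the configuration a WinRE-based bypass targets: the TPM
    # releases the volume key to any boot path it trusts, WinRE included,
    # without a user secret. A TpmPin protector withholds the key until boot-time PIN entry.
    $out = [System.Collections.Generic.List[string]]::new()
    foreach ($vol in Get-BitLockerVolume) {
        $types   = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $hasPin  = ($types -contains 'TpmPin') -or ($types -contains 'TpmPinStartupKey')
        $tpmOnly = ($types -contains 'Tpm') -and (-not $hasPin)
        $desc = '{0} type={1} protection={2} protectors=[{3}]' -f `
            $vol.MountPoint, $vol.VolumeType, $vol.ProtectionStatus, ($types -join ',')
        if ($vol.VolumeType -ne 'OperatingSystem') { $out.Add("INFO $desc"); continue }
        if ($vol.ProtectionStatus -ne 'On') { $out.Add("FAIL $desc : protection is not On") }
        elseif ($tpmOnly)                   { $out.Add("WARN $desc : TPM-only, no pre-boot PIN") }
        else                                { $out.Add("PASS $desc") }
    }
    return $out.ToArray()
}

function Get-TpmPinPolicyFinding {
    # The policy 'Require additional authentication at startup' writes
    # UseAdvancedStartup=1 and UseTPMPIN (2 = 'Require startup PIN with TPM')
    # under HKLM\SOFTWARE\Policies\Microsoft\FVE.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $p -or $p.UseAdvancedStartup -ne 1) {
        return 'WARN no BitLocker startup-authentication policy found (check MDM if managed that way)'
    }
    if ($p.UseTPMPIN -eq 2) { return 'PASS policy requires a startup PIN with TPM' }
    return "WARN policy present but UseTPMPIN=$($p.UseTPMPIN) (2 = Require); TPM-only still permitted"
}

function Get-WinReFinding {
    # reagentc /info reports whether WinRE is enabled and which partition it boots from;
    # that partition is unencrypted and is where crafted recovery files would be dropped.
    $text = (& reagentc.exe /info 2>&1) -join "`n"
    $status   = if ($text -match 'Windows RE status:\s+(\S+)')   { $Matches[1] } else { 'Unknown' }
    $location = if ($text -match 'Windows RE location:\s+(\S+)') { $Matches[1] } else { 'Unknown' }
    return "INFO WinRE status=$status location=$location"
}

function Get-RecentRebootFindings([int]$Days = 7) {
    # System log: 1074 = shutdown/restart requested (User32), 6008 = unexpected
    # shutdown, 41 = Kernel-Power reboot without clean shutdown. Reboots outside
    # maintenance windows on a device that was out of sight deserve a look.
    $filter = @{ LogName = 'System'; Id = 1074, 6008, 41; StartTime = (Get-Date).AddDays(-$Days) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    return @($events | ForEach-Object {
        'INFO {0:u} id={1} {2}' -f $_.TimeCreated, $_.Id, (("$($_.Message)" -split "`n")[0])
    })
}

# Run the audit and print one finding per line. Anything tagged FAIL or WARN
# is a device where the WinRE boot path can reach the volume key unattended.
$report  = @()
$report += Get-BitLockerProtectorFindings
$report += Get-TpmPinPolicyFinding
$report += Get-WinReFinding
$report += Get-RecentRebootFindings -Days 7
$report | ForEach-Object { Write-Output $_ }
```

The script measures posture, not the crafted XML itself, which the advisory does not describe in detail. On a WARN device the immediate fix is to add a PIN protector (Add-BitLockerKeyProtector -MountPoint C: -TpmAndPinProtector -Pin (Read-Host -AsSecureString)) and then enforce it fleet-wide through the policy checked above; to detect tampering with the recovery partition rather than just reporting its location, baseline the hash of Winre.wim at the reported WinRE location and alert on change.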
