GreatXML — bypassing BitLocker via Recovery partition XML

Colleagues, a security alert: a BitLocker bypass named GreatXML has been published.
Its author, Chaotic Eclipse, showed that copying unattend.xml and Recovery/WindowsRE/ReAgent.xml to the root of the recovery partition and then booting into WinRE (Shift+Restart) yields a shell that can access the BitLocker-protected volumes.
The bypass is linked to Windows Defender Offline Scan: on systems where an offline scan has run, it succeeds; the author notes that other triggers may exist.
This is the same author's second BitLocker bypass after YellowKey; patches for YellowKey have already been released.
My recommendations: install updates, restrict write access to the recovery partition, and monitor boots into WinRE.
Why this matters: a bypass that needs only local access to the machine undermines the data-at-rest protection BitLocker is supposed to provide.
How do you protect the recovery partition and control WinRE access in your environment?
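As a starting point for the "restrict access to the recovery partition" recommendation, here is an added audit script (my own example, not code from the original post or from Chaotic Eclipse's write-up). It assumes GPT disks where the WinRE partition carries the standard Windows Recovery GPT type GUID, that the BitLocker PowerShell module is installed, and that it runs elevated; the only indicator it looks for is the one the write-up names: unattend.xml or ReAgent.xml sitting at the root of the recovery partition.

```powershell
#Requires -RunAsAdministrator
# Added example: audit the WinRE configuration and the recovery partition root
# for the files the GreatXML write-up describes. Not the author's code.
# Assumptions: GPT disks, standard Windows Recovery partition type GUID,
# BitLocker module present, run as Administrator.

$RecoveryGptType = '{de94bba4-06d1-4d40-a16d-dbfd50e65ae6}'   # Windows Recovery partition type
$SuspectFiles    = @('unattend.xml', 'ReAgent.xml')          # names from the write-up

function Get-WinReStatus {
    # reagentc /info prints lines such as "Windows RE status: Enabled" and the
    # WinRE location; we keep the status field and the raw output for review.
    $lines  = & reagentc.exe /info 2>&1
    $status = $lines | Where-Object { $_ -match 'Windows RE status:\s*(\S+)' } |
              ForEach-Object { $Matches[1] }
    [pscustomobject]@{ Status = $status; Raw = ($lines -join "`n") }
}

function Test-RecoveryPartitionRoot {
    # Mount every recovery-type partition on a temporary folder, look for the
    # suspect files at its root, then unmount. A hit is the indicator described
    # in the post and should be treated as a possible tampering attempt.
    $findings = @()
    $parts = Get-Partition | Where-Object { $_.GptType -eq $RecoveryGptType }
    foreach ($p in $parts) {
        $mount = Join-Path $env:TEMP ('winre_audit_' + [guid]::NewGuid())
        New-Item -ItemType Directory -Path $mount | Out-Null
        try {
            Add-PartitionAccessPath -DiskNumber $p.DiskNumber `
                -PartitionNumber $p.PartitionNumber -AccessPath $mount
            foreach ($name in $SuspectFiles) {
                $f = Join-Path $mount $name
                if (Test-Path -LiteralPath $f) {
                    $findings += [pscustomobject]@{
                        Disk      = $p.DiskNumber
                        Partition = $p.PartitionNumber
                        File      = $name
                        LastWrite = (Get-Item -LiteralPath $f).LastWriteTime
                    }
                }
            }
        } finally {
            Remove-PartitionAccessPath -DiskNumber $p.DiskNumber `
                -PartitionNumber $p.PartitionNumber -AccessPath $mount -ErrorAction SilentlyContinue
            Remove-Item -LiteralPath $mount -Force -ErrorAction SilentlyContinue
        }
    }
    return $findings
}

function Get-BitLockerProtectorSummary {
    # Which volumes are protected and by which key protectors (TPM, TPM+PIN,
    # recovery password, ...), so the audit output shows the current posture.
    Get-BitLockerVolume | Select-Object MountPoint, ProtectionStatus,
        @{ n = 'Protectors'; e = { $_.KeyProtector.KeyProtectorType -join ',' } }
}

# Usage
$winre = Get-WinReStatus
"WinRE status: $($winre.Status)"
$hits = Test-RecoveryPartitionRoot
if ($hits) { "Suspect files at recovery partition root:"; $hits | Format-Table -AutoSize }
else       { "No unattend.xml / ReAgent.xml found at any recovery partition root." }
Get-BitLockerProtectorSummary | Format-Table -AutoSize
```

The script only inspects; it does not delete anything, because a legitimate ReAgent.xml lives under Recovery\WindowsRE on the recovery partition and a copy at the root is what you want to preserve as evidence. Run it from a scheduled task or your EDR's script runner to get a periodic baseline, and alert on any non-empty result from Test-RecoveryPartitionRoot.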
#cybersecurity #BitLocker #Windows

