A security researcher published a BitLocker bypass called GreatXML on June 11, 2026, and another researcher, Will Dormann, posted a same-day critique calling the documented reproduction steps "flawed." The collision is the story: not a confirmed vulnerability, but a live, unresolved dispute over whether the attack chain actually works in the wild.
GreatXML was disclosed by the researcher known online as Chaotic Eclipse (also Nightmare-Eclipse and MSNightmare), one day after they published a separate Microsoft Defender exploit, according to The Hacker News' summary of the disclosure. The Hacker News is reporting from the researcher's own Blogger post, and the original technical write-up has not been independently reproduced in the source material available.
The researcher's framing of the discovery is part of the news. Per the same Hacker News coverage, the researcher describes finding the chain by accident and says the full bypass took roughly four hours to assemble. That self-disclosure framing positions the work as opportunistic, not as a long-planned campaign.
The mechanism, as summarized by The Hacker News: an attacker with local access copies unattend.xml and a recovery folder containing Recovery\WindowsRE\ReAgent.xml to the root of the recovery partition, then reboots into the Windows Recovery Environment using Shift+Restart from the Windows power menu. The reported result is a shell with unrestricted access to the BitLocker volume.
The reported trigger condition is narrow. The researcher says the bug appears to require that Windows Defender Offline Scan has been run at least once on the target machine. They acknowledge being unsure whether the chain can fire without that history, but still believe it can, per The Hacker News.
Dormann's pushback targets the preconditions the chain depends on. Per the same Hacker News coverage, Dormann argues that running Defender Offline Scan in the first place requires an admin login on the machine, and an attacker with admin credentials plus write access to the recovery partition has already crossed a threshold at which BitLocker can simply be disabled. Dormann also reports that the claimed behavior, WinRE automatically entering Defender Offline Scan mode, failed to reproduce on three Windows 11 lineages he tested.
That combination of critiques reframes the practical exposure story. If the documented preconditions already require administrative control of the machine, the bypass is not a path from "low-privileged user" to "encrypted volume." It is, at most, a path from "already-admin" to "BitLocker disabled more cleverly." The second framing is what IT defenders should plan around; the first is the headline many readers will see.
What to watch next: a Microsoft Security Response Center advisory or CVE assignment for the WinRE XML attack surface, an independent reproduction from a third party, and any update from the original researcher on the trigger-condition question. Until at least one of those lands, GreatXML is best treated as a published claim under active dispute, not a confirmed bypass.