GreatXML was disclosed June 10, 2026 with a public PoC. No CVE has been assigned and no official Microsoft patch exists at time of writing. The June 2026 Patch Tuesday addresses related CVEs (CVE-2026-45585, CVE-2026-50507) but not GreatXML directly. All BitLocker-enabled Windows 10/11 endpoints should be treated as at-risk.
What Is GreatXML?
On June 10, 2026, independent security researcher NightmareEclipse (GitHub: @MSNightmare) publicly disclosed a zero-day technique dubbed GreatXML. The technique enables an attacker with brief physical access to any BitLocker-encrypted Windows 10 or Windows 11 machine to obtain a SYSTEM-level shell and read the fully-encrypted OS volume — without knowing the password, BitLocker recovery key, or PIN.
The PoC is live on GitHub and has been mirrored to multiple independent hosting platforms, placing this within reach of any opportunistic attacker who can touch a laptop.
| Field | Detail |
|---|---|
| Vulnerability Name | GreatXML |
| CVE | Not assigned at time of disclosure |
| Related CVEs | CVE-2026-45585 (YellowKey — same researcher, patched), CVE-2026-50507 (related, June 2026 Patch Tuesday) |
| Severity | Critical — physical access → full encryption bypass |
| Patch Status | No official patch for GreatXML |
| PoC | Public — GitHub + mirrors |
| Disclosed | June 10, 2026 |
| Affected | Windows 11 24H2 (confirmed); Windows 10 all supported versions; Windows Server 2019–2025 (architecture identical, not confirmed in PoC) |
Root Cause: Trusted Processing in Pre-Boot
The flaw lives in how Windows Defender Offline Scan and the Windows Recovery Environment interact. When a Defender Offline Scan is triggered (MpCmdRun.exe -Scan -ScanType 3), the machine reboots into WinRE to perform the scan in a pre-OS environment. On boot, WinRE processes an unattend.xml answer file from the recovery partition if one is present.
Here is the critical finding: this processing runs with SYSTEM privileges before any user authentication gate and after the TPM has already unlocked the BitLocker volume. An attacker who places a malicious unattend.xml on the recovery partition can abuse this trusted execution path to spawn an administrator shell with full read/write access to the encrypted OS volume.
The attack is confirmed on Windows 11 24H2 (build 10.0.26100.1). Post-exploitation, manage-bde -status C: reports Protection Status: On — encryption appears active to any monitoring tool, yet the volume is fully accessible. This is the exact scenario the PoC demonstrates.
TPM-only key protectors seal the volume key at boot — but they seal it before WinRE processes the malicious answer file. The attack happens after TPM unlock, not before. Adding TPM+PIN may add friction to Path 1 but has not been confirmed as a full mitigation for GreatXML. Microsoft has not yet issued guidance on this point.
The Attack Chain
✓ BitLocker enabled (TPM-only key protector — no PIN)
✓ Windows Defender Offline Scan has run at any prior point // reagentc pre-conditioned by MpCmdRun.exe -ScanType 3
[ STEP 1 — PHYSICAL ACCESS ]$ Attacker gains brief physical access // theft, unattended device, Evil Maid, insider
$ Mounts recovery partition // no credentials required; partition is unencrypted
[ STEP 2 — WEAPON PLACEMENT ]$ Copies malicious unattend.xml → recovery partition root
// FirstLogonCommands or RunSynchronous entries → spawns cmd.exe SYSTEM shell
$ Copies crafted Recovery/ directory alongside unattend.xml
[ STEP 3 — TRIGGER ]$ Shift + Restart from lock screen // no credentials — accessible from lock screen
// selects "Troubleshoot → Advanced → Startup Settings" or WinRE auto-triggers
[ STEP 4 — WinRE EXECUTION ]$ TPM unseals BitLocker volume key // machine is still within TPM PCR measurement window
$ WinRE boots → processes unattend.xml with SYSTEM privileges
! Administrator shell spawned // C: fully accessible; BitLocker reports "Protection Status: On"
[ STEP 5 — POST-EXPLOITATION ]$ robocopy C:\Users\* Z:\exfil\ /E /R:0 // data exfiltration
$ reg save HKLM\SAM Z:\sam.hive // credential harvesting
$ copy implant.exe C:\Windows\System32\ // persistent implant
// manage-bde -status C: → "Protection Status: On" — encryption still reported active
Two Exploitation Paths
GreatXML has two distinct exploitation paths depending on whether the target machine has previously had a Defender Offline Scan run.
Automatic — No Login Required
- Attacker gains brief physical access
- Copies malicious
unattend.xml+Recovery/to recovery partition root - Reboots via Shift + Restart from the lock screen (no credentials)
- WinRE processes
unattend.xml, spawns SYSTEM shell; BitLocker volume is fully accessible
Attacker-Initiated Scan
- Attacker logs in (or exploits pre-auth code execution)
- Runs
MpCmdRun.exe -Scan -ScanType 3 - Machine reboots into WinRE offline scan state
- On next physical access, follows Path 1 exactly
Any machine where MpCmdRun.exe -ScanType 3 has ever been executed is immediately exploitable via Path 1 — no login required. Run this query against your SIEM first to identify the highest-priority asset subset before deploying any other mitigations.
MITRE ATT&CK Mapping
| Technique | ID | Phase | Procedure |
|---|---|---|---|
| Direct Volume Access | T1006 |
Defense Evasion | BitLocker-encrypted volume read without key or credentials after WinRE bypass |
| Pre-OS Boot: System Firmware | T1542.001 |
Persistence / Defense Evasion | WinRE pre-OS environment manipulated via answer file to spawn SYSTEM shell |
| Subvert Trust Controls | T1553 |
Defense Evasion | WinRE's trusted unattend.xml processing abused to execute attacker-supplied commands |
| Impair Defenses: Disable or Modify Tools | T1562.001 |
Defense Evasion | BitLocker at-rest encryption effectively neutralised while continuing to report as active |
Detection Queries — Elastic SIEM / KQL
All queries target Sysmon process events (windows.sysmon_operational) and Elastic Endpoint events (endpoint.events.process). Sysmon configuration must include process creation (EID 1), file creation (EID 11), and registry modification (EID 13) to ensure coverage. Deploy Queries 1 and 3 as persistent detection rules first — they are the highest-fidelity and lowest-FP starting points.
event.dataset: ("endpoint.events.process" OR "windows.sysmon_operational")
AND event.action: "start"
AND process.name: "reagentc.exe"
AND process.command_line: (*"/boottore"* OR *"/setreimage"* OR *"/enable"* OR *"/disable"*)
| sort @timestamp descevent.dataset: ("endpoint.events.process" OR "windows.sysmon_operational")
AND event.action: "start"
AND process.name: "bcdedit.exe"
AND process.command_line: (
*"winre"* OR *"recovery"*
OR *"ramdisksdidevice"* OR *"ramdisksdipath"*
OR *"{current}"*
)
| sort @timestamp descevent.dataset: "windows.sysmon_operational"
AND event.action: "creation"
AND winlog.event_id: 11
AND file.name: "unattend.xml"
AND NOT file.path: (
*"C:\\Windows\\System32\\sysprep\\"*
OR *"C:\\Windows\\Panther\\"*
OR *"C:\\Windows\\Setup\\"*
)
| sort @timestamp descevent.dataset: "windows.sysmon_operational"
AND event.action: "creation"
AND winlog.event_id: 11
AND (
file.path: (*"\\Recovery\\"* OR *"\\Recovery\\WindowsRE\\"*)
OR file.name: ("ReAgent.xml" OR "winre.wim" OR "boot.sdi")
)
AND NOT process.name: ("TrustedInstaller.exe" OR "TiWorker.exe" OR "svchost.exe")
| sort @timestamp descevent.dataset: ("endpoint.events.process" OR "windows.sysmon_operational")
AND event.action: "start"
AND process.name: "manage-bde.exe"
AND process.command_line: (
*"-status"* OR *"-protectors"*
OR *"-on"* OR *"-off"* OR *"-unlock"*
)
| sort @timestamp descevent.dataset: ("endpoint.events.process" OR "windows.sysmon_operational")
AND event.action: "start"
AND process.name: "MpCmdRun.exe"
AND process.command_line: (
*"-Scan -ScanType 3"*
OR *"OfflineScan"*
OR *"-BootSectorScan"*
)
| sort @timestamp desc// Step 1 — Identify machines where MpCmdRun offline scan ran in last 90 days
event.dataset: "endpoint.events.process"
AND process.name: "MpCmdRun.exe"
AND process.command_line: *"ScanType 3"*
| stats min(@timestamp) as first_offline_scan by host.name
| where first_offline_scan > now() - 90d
// Step 2 — Cross-reference with reagentc or bcdedit activity on those hosts
// Run separately; pivot on host.name results from Step 1
event.dataset: "endpoint.events.process"
AND process.name: ("reagentc.exe" OR "bcdedit.exe")
AND host.name: ("")
| sort @timestamp desc False Positive Analysis
unattend.xml under legitimate pathssysprep\, Panther\, Setup\. Add parent filter: parent.process.name: "setupprep.exe"reagentc.exe /enable post-Windows UpdateTrustedInstaller.exe as parent; add AND NOT parent.process.name: "TrustedInstaller.exe" to Q1diskpart.exe for VSS operationsmanage-bde.exe used by IT admins for routine status checksIndicators of Compromise
GreatXML has no network-based IOCs — it is a local, physical-access technique. Detection relies entirely on file system artifacts and process execution events.
| Type | Value | Confidence |
|---|---|---|
| File | unattend.xml at recovery partition root or \Recovery\OEM\ |
High |
| File | Modified ReAgent.xml with write timestamp mismatched vs OS build date |
High |
| File | New or unexpected files under \Recovery\WindowsRE\ |
High |
| Artifact | C:\Windows\System32\Recovery\ReAgentOld.xml (backup created during tampering) |
Medium |
| Process | reagentc.exe /boottore from non-SYSTEM, non-TrustedInstaller context |
High |
| Process | bcdedit.exe with ramdisksdi* arguments in a user session |
High |
| Process | MpCmdRun.exe -Scan -ScanType 3 (pre-condition marker — flags Path 1 eligibility) |
Medium |
Mitigations
| Control | Action | Effectiveness |
|---|---|---|
| Apply Patch Tuesday | Apply June 2026 Patch Tuesday for CVE-2026-45585 and CVE-2026-50507 (partial mitigation) | Partial — addresses related issues; no GreatXML-specific patch exists yet |
| Disable WinRE | Run reagentc.exe /disable on endpoints where WinRE is not required for recovery |
High — removes the attack surface entirely; verify recovery workflow before deploying broadly |
| BitLocker + PIN | Migrate high-risk endpoints (executive, finance, legal, M&A) from TPM-only to TPM+PIN | Medium — adds friction; not confirmed as full GreatXML mitigation; Microsoft guidance pending |
| Physical Security | Screen lock policy enforcement, cable locks for laptops, restricted physical access zones for sensitive machines | High for opportunistic theft; compensating control for Path 1 |
| FIM on Recovery Partition | File integrity monitoring on \Recovery\ and ReAgent.xml via SentinelOne custom rules or Elastic FIM |
High detection value; may not prevent in-situ attack but enables rapid identification |
| Audit Offline Scan History | Run Q6 across all endpoints; build a priority list of machines where Offline Scan has run — these are Path 1 ready | Risk prioritisation — not a mitigation but enables focused response |
Run the following to disable WinRE on endpoints where recovery is not required. Confirm with your change management process before deploying at scale — disabling WinRE removes the recovery environment and may impact your OS recovery workflows.
# Disable WinRE — removes the attack surface for GreatXML
# Run as Administrator; verify your recovery workflow supports WinRE-off state
reagentc /disable
# Confirm WinRE is disabled
reagentc /info
# Expected output: "Windows RE status: Disabled"
# Optional: check BitLocker protector type (TPM-only = highest risk)
manage-bde -protectors -get C:
# If output shows "TPM" with no PIN, consider migrating to TPM + PIN for high-risk assetsPriority Actions
- Identify immediately-exploitable machines (Path 1): Run Q6 across your SIEM to find all endpoints where
MpCmdRun.exe -ScanType 3has been executed. These machines can be exploited by physical access with no login required. - Deploy detection rules Q1 and Q3 immediately:
reagentc.exe /boottoreandunattend.xmlat non-deployment paths are the highest-fidelity, lowest-FP indicators for this attack. These should be persistent alert rules, not hunt queries. - Disable WinRE on high-risk endpoints: Executive laptops, finance, legal, and M&A machines should be prioritised. Use
reagentc /disableafter confirming recovery workflow impact. - Do not communicate TPM-only as a sufficient control: Any stakeholder communication that presents BitLocker as protective against physical-access scenarios must be updated. TPM-only is explicitly ineffective here.
- Monitor for GreatXML patch release: Microsoft has not issued a GreatXML-specific patch. Track the MSRC advisory and apply immediately on release. Reference CVE-2026-45585 and CVE-2026-50507 for related updates.
Intelligence Gaps
- Windows Server impact not confirmed in PoC — architecture is identical to workstation WinRE; assumed vulnerable. Server endpoints with BitLocker and Defender installed should be treated as at-risk pending Microsoft confirmation.
- TPM+PIN mitigation unconfirmed — adding a PIN may prevent automatic boot into the WinRE bypass state but has not been confirmed by Microsoft as a full mitigation for GreatXML. Do not present it as a definitive fix.
- No attribution to active threat campaigns at time of disclosure — PoC is available but no confirmed in-the-wild exploitation has been reported. Opportunistic exploitation risk is high given low barrier (physical access only).
- PoC mirroring — the PoC has been mirrored to independent repositories beyond the original GitHub, increasing long-term availability even if the original is taken down.
References
- GitHub — MSNightmare/GreatXML (original PoC)
- CVE-2026-50507 — Microsoft Security Update Guide
- YellowKey — HiveSecurity Blog (related bypass, same researcher)
- MITRE ATT&CK — T1006: Direct Volume Access
- MITRE ATT&CK — T1542.001: Pre-OS Boot: System Firmware