Last updated: July 5, 2026 at 9:01 AM UTC
Tag: bitlocker (3 articles)

New unpatched GreatXML exploit bypasses Windows BitLocker encryption

The researcher known as Nightmare Eclipse has published a second unpatched Windows exploit in two days, this one defeating BitLocker disk encryption. Called GreatXML, it abuses the Windows Defender Offline Scan feature: any machine that has ever run an offline scan is left permanently vulnerable. An attacker with physical access copies a crafted unattend.xml file and a Recovery folder to the recovery partition, reboots into the Windows Recovery Environment with Shift plus Restart, and gets a privileged shell with full access to the encrypted drive, no login needed. Proof-of-concept code is public on GitHub, there is no patch yet, and Microsoft says it is investigating.

Check
Identify Windows devices protected only by BitLocker without a startup PIN, especially laptops that travel, and check whether Windows Defender Offline Scan has ever been run on them.
Affected
Windows devices using BitLocker where a Defender Offline Scan has run at least once; an attacker with physical access to the machine can reach the encrypted volume. No patch yet.
Fix
Require a TPM-plus-PIN or startup password for BitLocker so pre-boot recovery cannot be abused, restrict physical access to devices, and watch for a Microsoft fix to apply once released.

Microsoft ships mitigation for YellowKey BitLocker bypass (CVE-2026-45585), no patch yet - PoC published, TPM+PIN required

Microsoft has assigned CVE-2026-45585 and shipped mitigation guidance for YellowKey, a Windows BitLocker bypass that anonymous researcher 'Nightmare Eclipse' disclosed last week with a working PoC. The attack places crafted FsTx files on a USB drive or EFI partition, reboots into WinRE, and holds CTRL during boot to drop into a shell with full access to BitLocker-protected drives. Microsoft says no patch is available yet. Mitigations include removing the autofstx.exe entry from Session Manager's BootExecute and reconfiguring BitLocker to require TPM+PIN at startup. Nightmare Eclipse is the same researcher who recently dropped BlueHammer, RedSun, GreenPlasma, UnDefend, and MiniPlasma.

Check
Inventory Windows endpoints with BitLocker enabled. Check whether autofstx.exe is listed in the BootExecute value under HKLM\System\CurrentControlSet\Control\Session Manager. Look for unattended USB media access on shared or kiosk machines.
Affected
Windows endpoints with BitLocker in TPM-only mode (no PIN). YellowKey requires physical access to drop FsTx files on a USB drive or the EFI partition before triggering WinRE boot.
Fix
Remove autofstx.exe from BootExecute and re-establish BitLocker trust for WinRE per the CVE-2026-33825 advisory. Reconfigure BitLocker to TPM+PIN. Restrict USB boot and BIOS access on shared endpoints.

Unpatched Windows BitLocker bypass and SYSTEM elevation PoCs dropped on GitHub by a disgruntled researcher - YellowKey and GreenPlasma hit Windows 11 and Server 2022/2025

A researcher who calls themselves Chaotic Eclipse - and who has weaponized every prior Windows flaw they have leaked this year - dropped working proof-of-concept code for two unpatched zero-days on May 12. YellowKey lets anyone with physical access to a Windows 11 or Server 2022/2025 machine plug in a USB stick, hold CTRL during a reboot into the Windows Recovery Environment, and get a shell with full access to the BitLocker-protected drive. GreenPlasma is a privilege escalation against the CTFMON service that hands an unprivileged user a path to SYSTEM. Independent researchers including Will Dormann and Kevin Beaumont have confirmed that YellowKey works as advertised.

Check
Inventory which Windows 11, Server 2022, and Server 2025 endpoints have BitLocker in TPM-only mode (the default on most consumer hardware), and identify machines that ever leave secured premises.
Affected
Windows 11 and Windows Server 2022/2025 with BitLocker in TPM-only mode. Windows 10 is unaffected. GreenPlasma privilege escalation hits Windows 11 and Server 2022/2025.
Fix
No patch yet. Switch BitLocker from TPM-only to TPM+PIN, set a BIOS or UEFI admin password, and disable USB boot in firmware. Watch for a Microsoft out-of-band release before next Patch Tuesday.
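The Check and Fix items above (BitLocker in TPM-only mode, an autofstx.exe entry in BootExecute, switching to TPM+PIN) can be audited from one elevated PowerShell session. The script below is an added example written for this digest; it is not code from the articles, from the researcher, or from Microsoft. It assumes the built-in BitLocker module is available and that the FVE policy "Require additional authentication at startup" already permits a PIN (without it, Add-BitLockerKeyProtector -TpmAndPinProtector is rejected). The remediation functions support -WhatIf so they can be previewed before anything is changed.

```powershell
# Added example (not from the articles): audit an endpoint for the two conditions the
# digest tells defenders to check, and optionally remediate them.
#   1. a BitLocker OS volume whose only startup protector is the TPM (no PIN)
#   2. an autofstx.exe entry in Session Manager's BootExecute value
# Assumptions: run elevated; BitLocker module present; FVE policy allows a startup PIN.

$SessionManagerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'

function Get-BitLockerStartupAuthReport {
    # One object per BitLocker volume: which protectors it has and whether the
    # volume is TPM-only. The OperatingSystem volume is the one that matters for
    # pre-boot (WinRE) attacks.
    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $hasTpmOnly  = $types -contains 'Tpm'
        $hasPinBased = ($types -contains 'TpmPin') -or ($types -contains 'TpmPinStartupKey')
        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeType       = $vol.VolumeType
            ProtectionStatus = $vol.ProtectionStatus
            ProtectorTypes   = ($types -join ',')
            # TPM-only: a TPM protector with no PIN-based protector beside it
            TpmOnly          = ($hasTpmOnly -and -not $hasPinBased)
        }
    }
}

function Get-BootExecuteEntries {
    # BootExecute is a REG_MULTI_SZ; the stock Windows value is "autocheck autochk *".
    (Get-ItemProperty -Path $SessionManagerKey -Name BootExecute).BootExecute
}

function Test-SuspiciousBootExecute {
    # Returns entries that reference autofstx.exe (the entry the YellowKey
    # mitigation says to remove). Any other non-default entry deserves a look too.
    Get-BootExecuteEntries | Where-Object { $_ -match 'autofstx' }
}

function Remove-AutoFstxBootExecute {
    # Rewrites BootExecute without the autofstx.exe line, keeping every other entry.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $keep = @(Get-BootExecuteEntries | Where-Object { $_ -notmatch 'autofstx' })
    if ($PSCmdlet.ShouldProcess($SessionManagerKey, 'Remove autofstx.exe from BootExecute')) {
        Set-ItemProperty -Path $SessionManagerKey -Name BootExecute -Value $keep -Type MultiString
    }
}

function Convert-TpmOnlyToTpmPin {
    # Adds a TPM+PIN protector to the OS volume, then drops the TPM-only protector so
    # the drive no longer unlocks without the PIN. Order matters: add first, remove
    # second, otherwise the volume is briefly left with no startup protector.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][securestring]$Pin)
    $os  = Get-BitLockerVolume | Where-Object VolumeType -eq 'OperatingSystem'
    $tpm = $os.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'Tpm' }
    if (-not $tpm) { Write-Verbose 'No TPM-only protector present; nothing to do'; return }
    if ($PSCmdlet.ShouldProcess($os.MountPoint, 'Replace TPM-only protector with TPM+PIN')) {
        Add-BitLockerKeyProtector -MountPoint $os.MountPoint -TpmAndPinProtector -Pin $Pin | Out-Null
        Remove-BitLockerKeyProtector -MountPoint $os.MountPoint -KeyProtectorId $tpm.KeyProtectorId | Out-Null
    }
}

# Audit only (no changes made):
Get-BitLockerStartupAuthReport | Format-Table -AutoSize
$bad = Test-SuspiciousBootExecute
if ($bad) { Write-Warning "BootExecute contains: $($bad -join '; ')" }

# Remediation, previewed with -WhatIf before running for real:
# Remove-AutoFstxBootExecute -WhatIf
# Convert-TpmOnlyToTpmPin -Pin (Read-Host -AsSecureString 'New BitLocker PIN') -WhatIf
```

Run the audit portion across a fleet through your management tooling and collect the TpmOnly column; any OperatingSystem volume reporting TpmOnly = True is in the configuration all three articles describe as exposed. Switching to TPM+PIN changes the pre-boot experience for users, so stage the Convert-TpmOnlyToTpmPin step and keep recovery passwords escrowed before rolling it out.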