A newly published proof-of-concept exploit, dubbed GreatXML, can bypass BitLocker disk encryption on Windows machines without touching the cryptography, and the attack vector is surprisingly mundane. Researchers found that by manipulating how Microsoft Defender handles offline scans, an attacker can obtain a SYSTEM-level shell when the machine reboots into the Windows Recovery Environment (WinRE).
What makes this particularly nasty is the attack chain: it does not require physical access in the traditional sense, nor a sophisticated bootkit. Instead it piggybacks on a legitimate Defender feature, the offline scan, which reboots the machine into WinRE to hunt for persistent malware that hides from a running OS. When WinRE starts the offline scan, the exploit hijacks that process and drops the attacker into a privileged command prompt on a system where the BitLocker-protected volume is already unlocked, so the supposedly encrypted data is readable in the clear.
BitLocker has long been considered a solid last line of defense for data at rest. This PoC does not break the encryption mathematically; it sidesteps it by abusing a trusted system component that is allowed to read the volume. Microsoft has not issued a patch yet, so organizations relying on BitLocker should monitor for unusual WinRE boot cycles and consider an additional pre-boot authentication factor, such as a TPM PIN or startup key, so that the OS volume does not unlock at boot without a user-supplied secret.
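To make those two recommendations concrete, here is an added PowerShell audit script (my own example, not code from the article or from the researchers) that reports which BitLocker volumes rely on TPM-only protection, whether a pre-boot PIN is enforced by policy, whether WinRE is enabled, and which processes initiated recent reboots. It assumes an elevated session on Windows 10/11 with the BitLocker module present; the reboot listing is a baselining aid for spotting unexpected reboot initiators, not a signature for this PoC.

```powershell
# Added example, not from the article. Run from an elevated PowerShell
# session on Windows 10/11 with the BitLocker module available.

function Get-BitLockerPreBootPosture {
    # Protector types that require a user secret before the OS volume unlocks.
    $strong = @('TpmPin', 'TpmPinStartupKey', 'TpmStartupKey', 'Password')
    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $hasStrong = [bool]($types | Where-Object { $strong -contains $_ })
        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            ProtectionStatus = $vol.ProtectionStatus
            KeyProtectors    = ($types -join ', ')
            # TPM-only protection unlocks the volume automatically at boot,
            # which is the posture a WinRE-based bypass benefits from.
            TpmOnly          = ($types -contains 'Tpm') -and -not $hasStrong
        }
    }
}

function Get-BitLockerPinPolicy {
    # Group Policy "Require additional authentication at startup" writes these
    # values under HKLM\SOFTWARE\Policies\Microsoft\FVE.
    # UseTPMPIN: 0 = do not allow, 1 = require, 2 = allow (assumption: the
    # machine is domain- or MDM-managed; unmanaged hosts have no key here).
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $val = Get-ItemProperty -Path $key -Name UseTPMPIN -ErrorAction SilentlyContinue
    if ($null -eq $val) { return 'NotConfigured' }
    switch ($val.UseTPMPIN) {
        1       { 'Required' }
        2       { 'Allowed' }
        0       { 'NotAllowed' }
        default { "Unknown($($val.UseTPMPIN))" }
    }
}

function Get-WinREStatus {
    # reagentc has no PowerShell cmdlet; parse its text output.
    $out  = & reagentc.exe /info 2>&1
    $line = $out | Where-Object { $_ -match 'Windows RE status' }
    if ($line -match ':\s*(\w+)') { return $Matches[1] }
    return 'Unknown'
}

function Get-RecentRebootInitiators {
    param([int]$Days = 7)
    # System event 1074 (provider User32) records which process requested a
    # shutdown or restart. A Defender offline scan reboots the host into
    # WinRE, so an initiator you do not recognize is worth a closer look.
    Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'User32'
        Id           = 1074
        StartTime    = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

# Usage: print the audit in one go.
Get-BitLockerPreBootPosture | Format-Table -AutoSize
"Pre-boot PIN policy : $(Get-BitLockerPinPolicy)"
"Windows RE status   : $(Get-WinREStatus)"
Get-RecentRebootInitiators -Days 7 | Format-List
```

A volume reported as `TpmOnly = True` with WinRE enabled is the configuration most exposed to an attack that rides a legitimate reboot into the recovery environment; adding a TPM PIN (`Add-BitLockerKeyProtector -MountPoint C: -TpmAndPinProtector`) closes the automatic unlock, at the cost of a prompt at every boot.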
Source: SecurityWeek
