top of page

BitLocker Bypass via GreatXML: Public PoC Exploit Disclosed

  • Jun 11
  • 3 min read

Key Findings


  • GreatXML BitLocker bypass exploit publicly disclosed, allowing local attackers full access to encrypted drives

  • Exploit manipulates Windows Defender Offline Scan feature to grant unrestricted administrative shell

  • Attack requires physical access and specific conditions: prior Defender offline scan or ability to boot into WinRE

  • Researcher Nightmare Eclipse claims accidental discovery taking only 4 hours

  • Ongoing dispute between researcher and Microsoft over vulnerability disclosure practices

  • ITScape KVM escape vulnerability (CVE-2026-46316) threatens arm64 cloud infrastructure with guest-to-host escape

  • ITScape flaw exists in kernel-level KVM, bypassing standard user-space protections

  • Public PoC release for ITScape significantly escalates risk for unpatched cloud providers

  • Linux kernel patch already merged; administrators must verify deployment on affected systems


Background


Two critical vulnerabilities have recently entered the public domain, representing distinct but equally severe threats to different infrastructure segments. The GreatXML BitLocker bypass targets Windows desktop systems, while the ITScape KVM escape threatens cloud hosting environments. Both disclosures highlight the ongoing tension between security researchers and major technology companies over responsible vulnerability handling.


GreatXML BitLocker Bypass: Attack Mechanics


The exploit was discovered by researcher Nightmare Eclipse, who noted the discovery was accidental and required only 4 hours of investigation. The attack deliberately targets the Windows Defender Offline Scan feature, manipulating it to generate an unrestricted administrative shell with full BitLocker volume access.


The exploitation process is straightforward but requires specific setup. An attacker copies two components into the recovery partition: an "unattend.xml" file and a "Recovery" directory. The machine then reboots directly into WinRE. Upon successful execution, a shell spawns with unrestricted access to the BitLocker volume.


GreatXML Exploitation Requirements and Scope


The attack has a limited but significant threat profile. Exploitation requires either a prior Defender offline scan on the target machine or the attacker's ability to boot into WinRE during an offline scan state. This makes the vulnerability primarily a local physical threat rather than a remote network attack vector. Despite these constraints, the implications for systems in corporate environments where machines may be left unattended remain serious.


GreatXML and the Microsoft Security Dispute


This disclosure sits within a larger conflict between Nightmare Eclipse and Microsoft. The researcher has previously released multiple Windows zero-days including RoguePlanet, BlueHammer, and RedSun. Microsoft patched some of these during the June 2026 Patch Tuesday updates, addressing GreenPlasma and YellowKey bugs.


However, the relationship remains contentious. Microsoft issued public warnings stating they would involve law enforcement if individuals engaged in "malicious activity causing real harm to our customers." Many cybersecurity experts interpreted this as a direct threat toward the researcher. This ongoing dispute has shaped how the security community views these disclosures.


ITScape KVM Escape: Vulnerability Overview


Researcher Hyunwoo Kim discovered CVE-2026-46316, a critical flaw affecting KVM/arm64 environments. The vulnerability allows untrusted guest virtual machines to escape their isolation boundaries and execute code on the underlying host with kernel-level privileges. This represents a catastrophic risk for any provider operating multi-tenant arm64 public clouds.


The technical root cause is a race condition within the VGIC-ITS (Interrupt Translation Service) emulation layer. Unlike typical virtualization escapes targeting user-space emulators like QEMU, this flaw operates deeply within the in-kernel KVM itself, completely bypassing standard protective measures.


ITScape Attack Requirements and Real-World Impact


The exploit requires guest kernel (EL1) privileges to trigger the necessary GIC/ITS MMIO interactions. In standard public cloud deployments, this prerequisite is trivial to satisfy since users natively possess root access within their allocated virtual machines. An attacker needs only basic guest-side access to trigger the escape.


The published PoC demonstrates a double-put scenario leading directly to host kernel code execution. Researchers note that while the public PoC requires adaptation for specific kernel versions, a fully weaponized real-world exploit exists but has not been released. The vulnerability actively impacts arm64 kernel versions from late April 2024 through early June 2026.


ITScape Mitigation and Remediation


Linux kernel maintainers have already merged a definitive patch. The fix modifies the vgic_put_irq() function to drop its cache reference only on the value returned by xa_erase(). Cloud operators and infrastructure administrators must act immediately to verify this critical patch is deployed on all affected arm64 KVM hosts. Unpatched systems remain vulnerable to devastating guest-to-host network intrusions.


Sources


  • https://securityonline.info/greatxml-bitlocker-bypass-poc/

  • https://securityonline.info/itscape-kvm-escape-cve-2026-46316-poc/

Recent Posts

See All

Comments


  • Youtube

© 2025 by Explain IT Again. Powered and secured by Wix

bottom of page