< Back to all clusters

Security researchers have disclosed a Windows zero‑day, dubbed GreatXML, that lets an attacker with administrator privileges place two malicious XML files on the system’s recovery partition. When the device is later booted into the Windows Recovery Environment—triggered by a Microsoft Defender Offline scan—the files execute before BitLocker authentication, opening a SYSTEM‑level shell on the encrypted volume. The technique works on fully patched Windows 11 systems, requires physical access to initiate the recovery boot, and currently has no CVE identifier or Microsoft‑issued patch.

The exploit was published by the Cyderes Howler Cell team and the independent researcher known as Chaotic Eclipse (MSNightmare). Researchers advise monitoring for unauthorized unattend.xml writes to the recovery partition and for unexpected Defender Offline scans, as remediation is limited to detection and removal of the malicious files. The vulnerability adds to a series of recent Windows exploits targeting core security components such as Defender, BitLocker and CTFMON.