
New BitLocker bypass exploit targets Microsoft Defender offline scan path

GreatXML turns BitLocker’s own offline scan path into the weak link, while YellowKey shows how a physical-access bypass can slip around strong encryption.

By Jamie Taylor · 2 min read
Source: learn.microsoft.com

GreatXML has arrived as a fresh BitLocker bypass that goes after Microsoft Defender’s offline scan path, not the encryption itself. That makes it the kind of problem lockpickers understand instantly: the core mechanism can be solid, yet a side channel in the supporting hardware and recovery path still gives an attacker a way through when physical access is on the table.

Microsoft has already tied a related BitLocker security feature bypass to CVE-2026-45585, publicly known as YellowKey. The Microsoft Security Response Center said the proof of concept was made public in violation of coordinated vulnerability best practices, and the company released the CVE on May 19 with a revision on May 21. Microsoft also moved to mitigation before a full security update, a sign that the disclosure cycle around BitLocker bypasses is moving fast enough to matter for fleets of portable Windows devices.


The company said the temporary mitigation is meant for organizations worried about devices being compromised or stolen, especially when employees take work devices home or travel with them on business. Microsoft added that the mitigation does not affect service availability or management operations. Just as important, Microsoft said the known YellowKey issue is not exploitable when BitLocker is using TPM+PIN, which sharply changes the risk picture for systems that have that extra gate in place.

Microsoft Learn’s BitLocker guidance lays out why these attacks keep finding an opening. BitLocker binds its encryption keys to the TPM and relies on Secure Boot and Measured Boot to protect against offline tampering. If the TPM changes, or if the BIOS or UEFI configuration, startup files, or boot configuration are altered, BitLocker can drop into recovery mode. That recovery behavior is a safety feature, but it is also the seam an attacker tries to pry open once the machine is powered off and the lock is no longer the only thing standing in the way.
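Because Microsoft said the YellowKey issue is not exploitable when BitLocker is using TPM+PIN, the practical check for a fleet is which drives still rely on a TPM-only protector. The script below is an added example, not code from the article or from Microsoft; it uses the standard BitLocker and Secure Boot cmdlets and assumes an elevated PowerShell session on a Windows client or server.

```powershell
# Added example (not from the article or Microsoft): report, per BitLocker
# volume, whether protection is TPM-only or gated by TPM+PIN, plus the
# Secure Boot state the guidance above says BitLocker depends on.
# Assumes: elevated session, BitLocker PowerShell module present.

function Get-BitLockerProtectorReport {
    [CmdletBinding()]
    param()

    # Confirm-SecureBootUEFI throws on legacy-BIOS machines; treat that as its own state.
    $secureBoot = 'unsupported-or-legacy-bios'
    try { $secureBoot = Confirm-SecureBootUEFI -ErrorAction Stop } catch { }

    foreach ($vol in Get-BitLockerVolume) {
        # KeyProtectorType values include Tpm, TpmPin, TpmStartupKey,
        # TpmPinStartupKey, RecoveryPassword, ExternalKey and Password.
        $types  = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $hasPin = ($types -contains 'TpmPin') -or ($types -contains 'TpmPinStartupKey')

        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeType       = $vol.VolumeType          # OperatingSystem or Data
            ProtectionStatus = $vol.ProtectionStatus    # On or Off
            Protectors       = ($types -join ',')
            TpmPinRequired   = $hasPin
            # The exposure the article describes: unlocked by the TPM alone,
            # with no user secret required before the OS loads.
            ReliesOnTpmOnly  = ($types -contains 'Tpm') -and -not $hasPin
            SecureBoot       = $secureBoot
        }
    }
}

# List protected OS volumes that lack the TPM+PIN gate Microsoft cited.
Get-BitLockerProtectorReport |
    Where-Object {
        $_.VolumeType -eq 'OperatingSystem' -and
        $_.ProtectionStatus -eq 'On' -and
        -not $_.TpmPinRequired
    } |
    Format-Table -AutoSize
```

Run it across a fleet (for example through a management agent) and the rows returned are the laptops that leave the desk with only the TPM standing between an attacker with physical access and the unlocked volume.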

That is the larger lesson behind GreatXML and YellowKey. Neither story is about breaking encryption math; both are about attacking the path around it, where boot flow, recovery logic, and offline scanning become the weak point. In a locksport sense, the cylinder may hold, but the bypass artist is going after the trim, the warding, or the reset mechanism. For anyone relying on BitLocker for a laptop that leaves the desk, the whole chain now matters just as much as the lock at its center.

This article was produced by Prism’s automated news system from verified source data, official records, and press releases, then run through automated quality and moderation checks before publishing. The system is built and supervised by the people who set the standards it runs under.
