GreatXML is a one-file BitLocker bypass against Windows 11 24H2. Drop an attacker-controlled unattend.xml and ReAgent.xml into the root of the recovery partition; the next Defender Offline reboot honours them at the WinPE Setup pass and spawns an Administrator conhost.exe on top of the splash. The C: volume is already TPM-unsealed at that point, so the shell can cd C: and read everything. No crypto attack, no kernel exploit — just physical access plus two XML files. We reproduce the README, both XML files and both proof screenshots, explain why it works, and give a hardening checklist (TPM+PIN, reagentc /disable, recovery-partition integrity).
Recovery Mode Breakdown: Turning macOS Recovery Safari into Root Persistence
A macOS Recovery Mode Safari flaw allowed attackers to write arbitrary files to system partitions. By placing a malicious LaunchDaemon in /Library/LaunchDaemons, an attacker could achieve persistent root execution after reboot.


