BitLocker Bypass GreatXML: Zero-Day Enables SYSTEM Access in Recovery Mode

In a nutshell: The GreatXML exploit leverages a security vulnerability in Microsoft’s offline scan function to bypass BitLocker and access encrypted drives from recovery mode after a successful Defender offline scan.

Security researcher Nightmare Eclipse has released a working exploit that bypasses Microsoft’s BitLocker encryption and grants local attackers full SYSTEM privileges in Windows recovery mode. No patch is currently available for the vulnerability.

The GreatXML exploit targets a vulnerability in Microsoft Defender’s offline scan function. Once an offline scan has been performed at least once on a system, it becomes vulnerable to the attack vector. A local attacker can then launch a command prompt with comprehensive SYSTEM privileges in recovery mode, thereby making the BitLocker-protected drive fully accessible.

For practical execution, specific files must be transferred to the target system: an XML file and a recovery folder containing another XML file, both placed in the root directory of the recovery partition. The system is then booted into recovery mode (Shift + Restart). After the reboot, the attacker has unrestricted access to the encrypted volume. Nightmare Eclipse notes in the documentation that if an offline scan has never been initiated, the attacker would need to start one themselves or find another way to boot into WinRE in the offline-scan state.

The release follows the RoguePlanet exploit by the same author, which also exploits a security vulnerability in Microsoft Defender and enables local privilege escalation to SYSTEM. Nightmare Eclipse, also known as Chaotic Eclipse, has been systematically publishing unpatched zero-day vulnerabilities for months. The stated justification is ongoing disputes with Microsoft over the handling of reported bugs and financial compensation in the bug bounty program.

Older vulnerabilities from the researcher such as BlueHammer, RedSun, and UnDefend are already being actively exploited in cyberattacks. Microsoft patched GreenPlasma and YellowKey with Patch Tuesday updates in June 2026. The new exploits RoguePlanet and GreatXML remain unpatched.


Source: www.it-daily.net · Published June 12, 2026
Lumi AI News — AI-assisted curation pursuant to Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.1.