
Nightmare Eclipse’s GreatXML: A BitLocker Bypass Critics Call ‘Flawed’

Nightmare Eclipse posted a GreatXML BitLocker bypass PoC on GitHub on June 10, a day after RoguePlanet. A security analyst calls the writeup ‘flawed.’

Ishan Crawford, 6 hours ago

GreatXML, a claimed Windows BitLocker bypass posted as proof-of-concept code to GitHub late on Wednesday by a researcher called Nightmare Eclipse, would, if the writeup holds, spawn a command prompt with full access to an encrypted volume on any machine that has ever run a Microsoft Defender Offline scan. The code arrived one day after the same researcher released RoguePlanet, a Windows Defender local-privilege-escalation flaw, and takes Nightmare Eclipse’s disclosed Windows zero-day count to eight. GreatXML’s claim is now under challenge from a veteran security researcher who calls the writeup ‘flawed.’

The disclosure landed in the same week Microsoft shipped its largest Patch Tuesday on record, fixing 206 vulnerabilities, among them five of Nightmare’s earlier exploits, YellowKey and GreenPlasma included. Microsoft told The Register on Wednesday that it is ‘aware of RoguePlanet, and actively investigating the validity and potential applicability of these claims’; the company did not respond to questions about GreatXML, including the timing of any patch.

How the GreatXML Exploit Is Supposed to Work

Nightmare Eclipse claims GreatXML targets Microsoft Defender’s offline scan functionality, and the researcher’s own Blogger post says, ‘If you ever attempted to use Windows Defender Offline Scan, you’re automatically vulnerable to a BitLocker bypass.’ The proof-of-concept sits on the MSNightmare GitHub account, which the researcher moved to after Microsoft had the original Nightmare-Eclipse account removed. The researcher told The Register it took only four hours to find the bug, an ‘accidental discovery’ in the words of the post on the Chaotic Eclipse Blogger blog.

According to the researcher’s own writeup, the bypass needs two files dropped on the recovery partition. The first is ‘unattend.xml,’ placed at the root of that partition; the second is a ‘Recovery’ directory containing another XML, ‘ReAgent.xml,’ copied to the same root. From there, the attacker reboots into WinRE by holding Shift while clicking Restart in the Windows power menu. ‘If everything was done correctly, a shell with unrestricted access to the bitlocker volume will spawn,’ Nightmare wrote, a claim The Hacker News and SecurityWeek both ran within hours of the GitHub push.

  1. Copy unattend.xml and the Recovery directory to the root of the recovery partition.
  2. Reboot into WinRE by holding Shift while clicking Restart; a shell with unrestricted access to the BitLocker volume spawns.

If Defender Offline has never run on the target machine, the researcher acknowledges, the attacker first has to either log in to Windows and trigger a scan, or find a way to boot into WinRE in offline-scan state. That second condition, Nightmare wrote, ‘should be very possible to do so without logging in,’ though the writeup does not spell out how.
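Whatever the final verdict on the writeup, a defender will want to know whether the two files it names have been planted on a machine, since Dormann’s reading is that they take effect on the next Defender Offline scan rather than on a plain Shift-reboot. The PowerShell below is an added example written for this article; it is not code from Nightmare Eclipse’s PoC or from Dormann’s testing. It assumes an elevated PowerShell session on Windows 10/11 with a GPT disk (where Get-Partition reports the recovery partition as type ‘Recovery’) and the Storage and BitLocker modules present. It temporarily assigns a drive letter to an unlettered recovery partition and removes it afterwards; otherwise it only reads.

```powershell
# Added example for this article (not from the GreatXML PoC or Dormann's critique).
# Audits a host for the two files the GreatXML writeup says an attacker plants on the
# recovery partition, then reports WinRE and BitLocker context a responder wants.
# Assumptions: elevated session, Windows 10/11, GPT disk, Storage + BitLocker modules.
#Requires -RunAsAdministrator

function Find-PlantedWinReFiles {
    [CmdletBinding()]
    param(
        # Paths relative to the recovery partition root, as named in the writeup.
        [string[]]$Indicators = @('unattend.xml', 'Recovery\ReAgent.xml')
    )
    $findings = @()
    # On GPT disks the WinRE partition carries the 'Recovery' type; MBR disks report
    # filesystem types instead, so this filter is GPT-specific by assumption.
    $recovery = Get-Partition | Where-Object { $_.Type -eq 'Recovery' }
    foreach ($part in $recovery) {
        $letter = $part.DriveLetter
        $mapped = $false
        if (-not $letter) {
            # Recovery partitions normally have no letter; map a free one (Z..D) temporarily.
            $used   = (Get-PSDrive -PSProvider FileSystem).Name
            $letter = [char[]](90..68) | Where-Object { $used -notcontains [string]$_ } | Select-Object -First 1
            Add-PartitionAccessPath -DiskNumber $part.DiskNumber -PartitionNumber $part.PartitionNumber -AccessPath "${letter}:\"
            $mapped = $true
        }
        try {
            foreach ($rel in $Indicators) {
                $path = Join-Path "${letter}:\" $rel
                if (Test-Path -LiteralPath $path) {
                    $item = Get-Item -LiteralPath $path
                    $findings += [pscustomobject]@{
                        Disk      = $part.DiskNumber
                        Partition = $part.PartitionNumber
                        Path      = $path
                        Size      = $item.Length
                        LastWrite = $item.LastWriteTimeUtc
                        Sha256    = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
                    }
                }
            }
        } finally {
            # Always undo the temporary mapping, even if a read above throws.
            if ($mapped) {
                Remove-PartitionAccessPath -DiskNumber $part.DiskNumber -PartitionNumber $part.PartitionNumber -AccessPath "${letter}:\"
            }
        }
    }
    $findings
}

function Get-WinReBitLockerContext {
    # WinRE state from reagentc, plus the key protectors guarding the OS volume.
    $reagent  = (& reagentc.exe /info) -join "`n"
    $location = $null
    if ($reagent -match 'Windows RE location:\s+(\S+)') { $location = $Matches[1] }
    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $types = @($os.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
    [pscustomobject]@{
        WinReEnabled     = [bool]($reagent -match 'Windows RE status:\s+Enabled')
        WinReLocation    = $location
        ProtectionStatus = $os.ProtectionStatus
        KeyProtectors    = ($types -join ',')
        # True when the OS volume needs a pre-boot PIN, not just the TPM.
        PreBootPin       = [bool]($types | Where-Object { $_ -in 'TpmPin', 'TpmPinStartupKey' })
    }
}

$hits = Find-PlantedWinReFiles
Get-WinReBitLockerContext | Format-List
if ($hits) { $hits | Format-Table -AutoSize }
else       { 'No GreatXML indicator files found on the recovery partition(s).' }
```

A hit is an indicator to investigate, not proof of compromise: on a stock install the legitimate ReAgent.xml on the recovery partition lives under Recovery\WindowsRE\ next to Winre.wim, so an XML at Recovery\ReAgent.xml or a stray unattend.xml at the partition root is out of place. The PreBootPin field is general hardening context rather than anything the writeup claims: with a TPM-plus-PIN protector, booting into WinRE does not get the OS volume unlocked without the PIN, which raises the bar for the whole class of WinRE-based attacks.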

Will Dormann Calls the Writeup ‘Flawed’

Will Dormann, a security researcher, ran Nightmare’s steps in his own lab and posted his public critique of the GreatXML writeup. The claim does not reproduce the way the writeup suggests, he said. ‘I think the writeup is flawed in that the spawned CMD.EXE happens on the NEXT time that a Microsoft Defender Offline scan is triggered,’ Dormann wrote, echoing what he told The Register. ‘And in order to trigger a Microsoft Defender Offline scan, you both need to be logged in to Windows, and also have admin credentials.’

‘And if you’ve already got that level of access, you can just turn off bitlocker,’ Dormann added. ‘The writeup for GreatXML suggests that the prerequisite is that Windows Defender Offline has been executed at some point in the past. And that after planting two files in WinRE, all you need to do is [Shift]-reboot into WinRE, and Windows will automatically go into Microsoft Defender Offline scan mode. But this is not the case in any of the 3 lineages of Win11 that I have handy.’ A plain Shift-reboot into WinRE, he said, gives the standard recovery menu, not the Defender Offline prompt, even after the prescribed files are dropped in place. The path the writeup describes needs the attacker to already be an admin on the running system, and an admin, as Dormann notes, can simply turn BitLocker off.

Eight Disclosures in Two Months

GreatXML brings Nightmare Eclipse’s disclosed Windows zero-day count to eight in roughly two months. Six of the eight already have patches from Microsoft. The first six, RedSun, UnDefend, BlueHammer, YellowKey, GreenPlasma, and MiniPlasma, ‘all have patches as of this week’s Patch Tuesday event,’ The Register reported.

Three of the earlier six, BlueHammer, RedSun, and UnDefend, have been added to CISA’s Known Exploited Vulnerabilities catalog, meaning the agency has confirmed in-the-wild attacks, per Barracuda’s profile of the researcher behind the run. SecurityWeek reports that ransomware crews began chaining the local-privilege-escalation exploits within days of public release. BlueHammer was patched in April 2026; the rest of the original six were fixed in the June 9 Patch Tuesday release. CVE-2026-45585 closes the YellowKey BitLocker bypass, and CVE-2026-45586 in the Windows Collaborative Translation Framework closes GreenPlasma, per Help Net Security’s writeup of the June release.

Eight disclosures, side by side:

Exploit | Type | Status (as of June 11, 2026)
BlueHammer (CVE-2026-33825) | Windows Defender LPE to SYSTEM | Patched April 2026; on CISA KEV
RedSun | Windows Defender LPE to SYSTEM | Patched June 9, 2026; on CISA KEV
UnDefend | Defender defense-evasion tool | Patched June 9, 2026; on CISA KEV
YellowKey (CVE-2026-45585) | BitLocker bypass | Patched June 9, 2026
GreenPlasma (CVE-2026-45586) | CTFMON LPE to SYSTEM | Patched June 9, 2026
MiniPlasma | Cloud Files Mini Filter Driver LPE | Patched June 9, 2026
RoguePlanet | Windows Defender race condition LPE | Disclosed June 9, 2026; under Microsoft investigation
GreatXML | Claimed BitLocker bypass via WinRE | Disclosed June 10, 2026; unpatched; writeup disputed

BlueHammer pairs Microsoft’s brand color with a blunt-force tool, and UnDefend is a portmanteau that mocks Defender directly, per the Barracuda profile. The researcher used Nightmare-Eclipse on GitHub before that account was removed, and posts as Chaotic Eclipse on their blog and as Dead Eclipse in the blog’s ‘About Me’ section.

Microsoft’s Biggest Patch Tuesday Brings the Patched Count to Six

Microsoft’s June 9 Patch Tuesday was its largest on record, with fixes for 206 vulnerabilities, according to Malwarebytes, plus three publicly disclosed zero-days. With BlueHammer already patched in April, the release closed the remaining five of Nightmare’s first six disclosures, leaving six of the eight fixed. YellowKey’s patch carries CVE-2026-45585, and Microsoft acknowledged in its security advisory that this is the fix for the vulnerability Nightmare exploited under that name, Help Net Security reports. Microsoft shared mitigation advice for YellowKey back in May.

Microsoft told The Register on Wednesday that it is ‘aware of RoguePlanet, and actively investigating the validity and potential applicability of these claims.’ The company did not respond to questions about GreatXML, including the timing of any patch. ‘Microsoft has said none of the vulnerabilities were reported via its official channels prior to being made public,’ The Register reported. Nightmare’s own writeup for RoguePlanet said that early in development it ‘was confirmed that this vulnerability was a remote code execution,’ though a Windows Defender patch Microsoft pushed in May may have closed the RCE path.

The relationship has soured enough to draw a public legal threat and a public walk-back. ‘The company also banned Nightmare’s earlier GitHub account, and seemingly threatened legal action before dialing back its rhetoric after steep backlash from the security community,’ The Register reported. In a May 15 statement, Microsoft said it ‘is aware of the purported vulnerabilities and is actively investigating the validity and potential applicability of these claims across our platforms and services,’ per Barracuda’s profile, and Nightmare’s blog post on the latest round includes the line, ‘I was told personally by them that they will ruin my life and they did.’

Microsoft’s Account Ban Did Not Slow the Disclosures

Nightmare Eclipse has not committed to a date for the next drop. Last month the researcher pledged a July 14 mass disclosure, warning ‘I will make sure your bones are shattered that day,’ then hedged with ‘nothing will be released this June (or maybe I will release smtg, depending on circumstances).’ On Tuesday, the day before GreatXML, the researcher walked that back, saying, ‘I will be unable to mass disclose zerodays in July 14th, RoguePlanet took way more time than expected and truly drained me. I might take a break but I can’t say for sure what I will be doing for next month, maybe it’s nothing, maybe it’s smtg.’ The Barracuda profile also flags a claimed ‘dead man’s switch’ that the researcher says will automatically release more exploits if certain conditions are met, and a stated intent to ‘drag other companies into this.’ A day later, GreatXML followed.

The campaign, sized up:

  • 8 Windows zero-days disclosed by one researcher since early April 2026.
  • 206 vulnerabilities fixed in Microsoft’s June 9 Patch Tuesday, its largest release on record.
  • 3 of the 6 earlier disclosures (BlueHammer, RedSun, UnDefend) added to CISA’s Known Exploited Vulnerabilities catalog.
  • 1 day between RoguePlanet (June 9) and GreatXML (June 10).

The legal threat Microsoft walked back came after steep pushback from the security community, per The Register. Tenable’s Satnam Narang and Fortra’s Tyler Reguly, quoted in Help Net Security’s Patch Tuesday writeup, framed the release as part of a wider surge in AI-assisted bug discovery that makes rapid patching more important than ever. The next disclosure, per the researcher’s stated pattern, will be a public post on GitHub or a Git-based host, the same channel the earlier seven used.

Written By

Prior to the position, Ishan was senior vice president, strategy & development for Cumbernauld-media Company since April 2013. He joined the Company in 2004 and has served in several corporate developments, business development and strategic planning roles for three chief executives. During that time, he helped transform the Company from a traditional U.S. media conglomerate into a global digital subscription service, unified by the journalism and brand of Cumbernauld-media.
