GreatXML Zero-Day Bypasses BitLocker via Windows Recovery Environment
A publicly disclosed zero-day dubbed GreatXML can bypass BitLocker by abusing the Windows Recovery Environment (WinRE) state used during Microsoft Defender Offline Scan, allowing an attacker to obtain a SYSTEM shell and access an encrypted volume without a normal login. Reports say the attack works by placing a crafted unattend.xml file and a Recovery directory on the recovery partition, then rebooting the device into recovery mode, where Windows processes the malicious XML and exposes an unrestricted shell. The proof of concept was demonstrated on Windows 11 24H2 build 10.0.26100.1, and systems that have previously run Defender Offline Scan are described as especially exposed because the required recovery artifacts may already be present.
The exploit was published by security researcher Chaotic Eclipse, also known as Nightmare Eclipse or MSNightmare, and no official patch was available at the time of reporting. The attack appears to require brief physical access or another method of writing to the recovery partition, raising risks for stolen laptops, insider threats, and supply-chain tampering. Microsoft said it was assessing the issue and working on protections and patches, while criticizing the public release of proof-of-concept code as irresponsible amid a broader dispute with the researcher over vulnerability disclosure and bug bounty handling.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Public PoC for GreatXML is released without an available patch
The researcher publicly released proof-of-concept code for GreatXML on multiple code-hosting platforms, increasing the risk of exploitation. At the time of reporting, no official patch was available, and Microsoft said it was assessing impact and working on protections and fixes.
Researcher publicly discloses GreatXML BitLocker bypass exploit
Security researcher Chaotic Eclipse, also known as Nightmare Eclipse / MSNightmare, publicly disclosed the GreatXML zero-day on June 10, 2026. The exploit abuses Windows Recovery Environment behavior and artifacts left by Microsoft Defender Offline Scan to bypass BitLocker and obtain a SYSTEM-level shell with physical access.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
6 references tracked. Mallory keeps watching after this page renders.
New GreatXML Exploit Bypasses Windows BitLocker via Recovery Partition XML Files
thehackernews.com
Open sourceGreatXML BitLocker Bypass 0-Day Exploited Via Windows Defender Offline Scan
cybersecuritynews.com
Open sourceChaotic Eclipse Strikes Again: New Zero-Day Unlocks BitLocker in Four Hours of Research
securityaffairs.com
Open sourceNightmare Eclipse drops claimed BitLocker bypass for Microsoft Windows
theregister.com
Open sourceGitHub - MSNightmare/GreatXML: GreatXML bitlocker bypass vulnerability · GitHub
github.com
Open sourceNightmare Eclipse: GreatXML a bitlocker bypass that seems to only work if you ever had Defender Offline Scan
deadeclipse666.blogspot.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Microsoft Defender RedSun Zero-Day Enables SYSTEM Privilege Escalation
A proof-of-concept exploit for a new Microsoft Defender local privilege escalation flaw dubbed **RedSun** was published by researcher **Chaotic Eclipse**, with reports saying it works on fully patched **Windows 10**, **Windows 11**, and **Windows Server 2019 and later** when Defender is enabled. The zero-day allows an unprivileged local user to gain **SYSTEM** privileges by abusing Defender’s handling of files tagged by cloud detection, and Microsoft had not released a patch at the time of reporting. Independent researcher **Will Dormann** reportedly validated the exploit chain, which uses the **Windows Cloud Files API**, opportunistic locks, and **NTFS junctions/reparse points** to redirect Defender into overwriting a protected binary under `C:\Windows\System32` and then executing it as SYSTEM. The disclosure followed an earlier Defender privilege-escalation exploit, **BlueHammer**, which Microsoft patched as `CVE-2026-33825`, while defenders were urged to watch for anomalous Defender file writes, `cldapi.dll` activity, and oplock-assisted redirection behavior pending a vendor fix.
May 12, 2026
YellowKey BitLocker bypass and GreenPlasma Windows LPE disclosed publicly
An anonymous researcher using the aliases **Nightmare-Eclipse** and **Chaotic Eclipse** publicly released details for two alleged Microsoft zero-days, **YellowKey** and **GreenPlasma**, adding to a string of earlier disclosures that included **BlueHammer**, **RedSun**, and **UnDefend**. YellowKey is described as a **BitLocker bypass** that requires physical access and a USB device, allowing an attacker to reboot into the Windows Recovery Environment (**WinRE**) and gain access to an encrypted drive; reporting said the technique was independently reproduced. Public materials claim the issue affects **Windows 11** and **Windows Server 2022/2025**, while **Windows 10** is not affected. GreenPlasma was disclosed as a **local privilege escalation** flaw that allegedly abuses `CTFMon` and Windows Object Manager section handling to obtain **SYSTEM** privileges, although reports said the released code still triggers a UAC prompt under default settings. Security experts warned that YellowKey could sharply raise the impact of laptop theft because BitLocker is often the final safeguard for stolen Windows devices; suggested mitigations include enabling a **BitLocker PIN** and locking firmware settings with a **BIOS password**, while no practical workaround for GreenPlasma was identified beyond a future vendor patch. Microsoft had not publicly responded to the two disclosures at the time of reporting, and prior proof-of-concept releases from the same researcher were reportedly later used in real-world attacks.
May 28, 2026
BlueHammer Windows Defender Zero-Day Led to Public Exploit Release and Active Attacks
A security researcher using the aliases **Chaotic Eclipse** and **Nightmare-Eclipse** publicly released working GitHub exploit code for **BlueHammer**, an unpatched Windows local privilege escalation flaw tied to Microsoft Defender’s signature update process. Independent testing by Will Dormann and others found the exploit worked, though reliability varied by platform and configuration. The attack abuses a **TOCTOU** race condition and path confusion in Defender’s update workflow, chaining components such as **VSS**, the **Cloud Files API**, and opportunistic locks to expose protected registry hives including `SAM`, `SYSTEM`, and `SECURITY`, extract NTLM password hashes, and potentially elevate a low-privileged user to **NT AUTHORITY\SYSTEM**. Microsoft initially responded with a Defender detection signature for the published proof of concept, but researchers warned that signature-based blocking did not address the underlying logic flaw. The issue was later tracked as **`CVE-2026-33825`** and patched by Microsoft on April 14, after which **CISA** ordered U.S. federal civilian agencies to remediate it within two weeks and added it to the **Known Exploited Vulnerabilities** catalog. Huntress reported the vulnerability was being used in zero-day intrusions involving hands-on-keyboard activity, and follow-on tooling such as **BlueSAM** showed how quickly the public disclosure was adapted for offensive use.
Jun 9, 2026