Security researcher Nightmare Eclipse has released a new Windows BitLocker bypass, only one day after publishing an exploit targeting Microsoft Defender.
Named GreatXML, the fresh exploit allows users to bypass BitLocker and spawn a command prompt with SYSTEM privileges while in Recovery Mode.
The proof-of-concept (PoC) code the researcher released targets a vulnerability in Microsoft Defender’s offline scan functionality.
According to Nightmare Eclipse, all systems on which an offline scan was initiated at least once automatically become vulnerable.
The PoC exploit includes an XML file and a Recovery folder (containing another XML) that need to be copied to the root of the computer’s recovery partition.
Next, the system needs to be rebooted in Recovery Mode by holding Shift while clicking on the Restart button. Once the system restarts, the user gains unrestricted access to the volume protected by BitLocker.
Any Windows machine becomes vulnerable to GreatXML as soon as Defender’s offline scanning is initiated. Thus, an attacker simply needs to launch the functionality before executing the exploit.
“If Defender offline scan was never initiated, then you have to either log in and initiate it yourself or figure out a way to boot into WinRE in offline scan state (I believe it should be very possible to do so without logging in),” the researcher says.
Nightmare Eclipse released GreatXML just one day after RoguePlanet, a zero-day flaw in Microsoft Defender that leads to local privilege escalation (LPE) to SYSTEM.
Also known as Chaotic Eclipse, Nightmare Eclipse has been dropping exploits for various zero-day vulnerabilities in Windows after expressing discontent with how Microsoft treats researchers who participate in its vulnerability disclosure programs.
Microsoft has been scrambling to resolve the publicly disclosed flaws, including BlueHammer, RedSun, and UnDefend, which have been exploited in attacks. It also patched GreenPlasma and YellowKey with the June 2026 Patch Tuesday updates.
Related: Microsoft Patches Exploited Exchange Server Vulnerability
Related: Critical HVAC and UPS Vulnerabilities Could Let Hackers Disrupt Data Centers
Related: Critical Vulnerabilities Patched in Fortinet, Ivanti Products
Related: No Patch Planned for Exploited Arista EOS Vulnerability
