Emerging Threats

Microsoft Zero-Day Exploit Bypasses BitLocker Encryption


"If everything was done correctly, a shell with unrestricted access to the bitlocker volume will spawn," wrote the researcher known as Nightmare Eclipse, who on Wednesday published exploit code they call GreatXML that they say can bypass BitLocker.

Nightmare Eclipse's GreatXML claim and timeline

Nightmare Eclipse released GreatXML late Wednesday on GitHub and other Git-based code-hosting platforms, describing it as an “accidental discovery” that took “four hours to find.” The researcher said the exploit will bypass BitLocker on any system that has ever run a Microsoft Defender Offline scan. GreatXML arrived one day after Nightmare published RoguePlanet, a separate exploit that they say enables local privilege escalation to SYSTEM-level control. Taken together, those two disclosures bring the researcher’s publicly claimed zero-day total to eight; the earlier six—RedSun, UnDefend, BlueHammer, YellowKey, GreenPlasma, and MiniPlasma—were patched in this week’s Patch Tuesday.

How GreatXML is said to work

Nightmare’s published steps for GreatXML require copying two artifacts, an “unattend.xml” file and a “Recovery” directory, into the root of the recovery partition and then rebooting into the Windows Recovery Environment (WinRE) by holding Shift while clicking Restart. According to the writeup, completing those steps “will spawn” a shell with unrestricted access to the BitLocker volume. The researcher also noted conditions under which the exploit would need additional actions: if a Defender Offline scan has never been initiated on the target, an operator must either log in and initiate the scan or “figure out a way to boot into WinRE in offline scan state.” The writeup does not say which of the two artifacts carries the payload or how the planted files interact with the Defender Offline boot path, so the mechanism itself remains undescribed in the public record.

Independent testing: Will Dormann's reproduction and critique

Security researcher Will Dormann followed Nightmare’s steps and reported that the writeup appears “flawed.” In Dormann’s testing, the command prompt appeared only the next time a Microsoft Defender Offline scan ran. He further wrote that “in order to trigger a Microsoft Defender Offline scan, you both need to be logged in to Windows, and also have admin credentials,” and added that “if you've already got that level of access, you can just turn off bitlocker.” Dormann also said the writeup’s implication—that once the two files are planted and WinRE is entered by Shift-reboot, Windows will automatically go into Defender Offline scan mode—does not hold true in any of the “3 lineages of Win11” he tested.

Microsoft's public posture and prior interactions with Nightmare Eclipse

Redmond told The Register it is “aware of RoguePlanet, and actively investigating the validity and potential applicability of these claims.” Microsoft did not immediately respond to inquiries about GreatXML or when it planned to issue a patch. The company also said none of the vulnerabilities were reported via its official channels prior to being made public. Separately, Microsoft previously banned Nightmare’s earlier GitHub account and, according to the published record, at one point “seemingly threatened legal action before dialing back its rhetoric after steep backlash from the security community.”

What this means for security teams, enterprises, and end users

  • Technologists and security teams: Teams responsible for endpoint security and recovery partitions will need to work through the exploit steps Nightmare published and Dormann’s reproduction notes to determine whether the described sequence could be triggered in their environments. The published dependency on a Microsoft Defender Offline scan having run at some point gives investigators a specific forensic predicate: a machine that has never run such a scan is, per the writeup itself, outside the exploit’s default preconditions.
  • Affected enterprises and procurement leaders: Organizations should note that six earlier flaws have been patched in this week’s Patch Tuesday, while two more exploits—RoguePlanet and GreatXML—have been publicly disclosed by the same researcher and had not, at the time of reporting, been acknowledged by Microsoft as fully validated or scheduled for a fix.
  • End users and general public: Dormann’s testing suggests that triggering the Defender Offline scan used in the reported exploit requires administrative access and an active login in many configurations; this detail, if broadly accurate, frames the practical risk for consumer devices versus machines already accessed by an attacker with elevated permissions.
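The steps described above plant two artifacts at the root of the recovery partition, which is a location most endpoint tooling never inspects. The following PowerShell script is an added example for defenders, not code from the article, from Nightmare Eclipse, or from Will Dormann, and it does not attempt to reproduce the exploit. It locates the WinRE partition from `reagentc /info`, mounts it temporarily, reports whether an `unattend.xml` sits at the partition root, inventories the `Recovery` tree by modification time, and prints BitLocker protection status for context. It assumes an elevated session, English-language `reagentc` output, the Storage module cmdlets (`Add-PartitionAccessPath` / `Remove-PartitionAccessPath`), a free `R:` drive letter, and that a stock recovery partition carries WinRE under `\Recovery\WindowsRE` with no root-level `unattend.xml`; that last point is general Windows knowledge, not something the article states.

```powershell
# Added example (not from the article or the researchers it quotes): audit the WinRE
# recovery partition for a root-level unattend.xml and report WinRE/BitLocker state.
# Assumptions: elevated session, English 'reagentc /info' output, Storage module
# available, drive letter R: unused. Read-only apart from the temporary mount.
#Requires -RunAsAdministrator

$mountPoint = 'R:\'

# 1. Locate WinRE. The location line names disk and partition, e.g.
#    \\?\GLOBALROOT\device\harddisk0\partition4\Recovery\WindowsRE
$info = reagentc /info 2>&1 | Out-String
if ($info -match 'harddisk(\d+)\\partition(\d+)') {
    $diskNumber      = [int]$Matches[1]
    $partitionNumber = [int]$Matches[2]
} else {
    throw "Could not parse the WinRE location from reagentc /info:`n$info"
}
$winreEnabled = $info -match 'Windows RE status:\s+Enabled'
Write-Host "WinRE enabled: $winreEnabled (disk $diskNumber, partition $partitionNumber)"

# 2. BitLocker state of each volume: a planted WinRE payload only matters for
#    volumes that are actually protected.
Get-BitLockerVolume |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionMethod |
    Format-Table -AutoSize

# 3. Expose the recovery partition; it normally has no drive letter.
Add-PartitionAccessPath -DiskNumber $diskNumber -PartitionNumber $partitionNumber -AccessPath $mountPoint
try {
    # 4. A root-level unattend.xml is the first artifact the GreatXML writeup copies in
    #    and is not part of a stock recovery-partition layout.
    $planted = Join-Path $mountPoint 'unattend.xml'
    if (Test-Path -LiteralPath $planted) {
        Write-Warning "FOUND $planted - unattend.xml at the recovery partition root"
        Get-Item -LiteralPath $planted | Select-Object FullName, Length, CreationTime, LastWriteTime
        Get-FileHash -LiteralPath $planted -Algorithm SHA256   # preserve for the case record
    } else {
        Write-Host "No unattend.xml at $mountPoint"
    }

    # 5. Inventory the Recovery tree (the second artifact) newest-first so recently
    #    written or replaced files, e.g. a swapped winre.wim, stand out.
    Get-ChildItem -LiteralPath (Join-Path $mountPoint 'Recovery') -Recurse -File -Force -ErrorAction SilentlyContinue |
        Sort-Object LastWriteTime -Descending |
        Select-Object FullName, Length, CreationTime, LastWriteTime |
        Format-Table -AutoSize
}
finally {
    # 6. Always unmount, even on error, so the partition is not left exposed.
    Remove-PartitionAccessPath -DiskNumber $diskNumber -PartitionNumber $partitionNumber -AccessPath $mountPoint
}
```

A hit on step 4 is evidence of tampering, not of a successful bypass; per Dormann’s testing the shell only appeared when a Defender Offline scan actually ran, so a follow-up question for the investigation is whether anyone with administrative access initiated such a scan after the files were planted. Run the script before any remediation so the timestamps and hash are preserved.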

Nightmare Eclipse has framed the disclosures as part of a personal campaign against Microsoft, at times promising broader mass disclosures—most notably a pledged July 14 drop—then revising that schedule after citing exhaustion from developing RoguePlanet. The researcher’s public statements oscillate between promises of large future releases and pauses depending on circumstances.

The record as published leaves two narrow but consequential realities: Nightmare has made public exploit code for both RoguePlanet and GreatXML, and independent testing has already raised questions about how reliably GreatXML produces the described BitLocker bypass. Microsoft says the newer claims are being investigated and that prior reports were not received through its official vulnerability channels. Which of those threads will drive a patch, and on what timeline, is the central, unanswered operational question.

Read the original story on The Register