317/69 Friday, June 12, 2026

Security researcher Chaotic Eclipse, also known as Nightmare Eclipse, has published a proof-of-concept (PoC) for a newly discovered vulnerability dubbed GreatXML, which may allow attackers to bypass BitLocker protections and obtain a SYSTEM-level command shell while Windows is running in Recovery Mode. The vulnerability was disclosed on June 10, 2026, shortly after the publication of another flaw called RoguePlanet, which affected Microsoft Defender and could potentially enable local privilege escalation. At the time of reporting, no official patch was available for GreatXML, and systems that have previously used the Windows Defender Offline Scan feature may be at risk.
The vulnerability is linked to Windows Defender Offline Scan, a feature that reboots a device into the Windows Recovery Environment (WinRE) to scan for malware outside the primary operating system. According to the researcher, this process may leave behind configuration data or artifacts within the recovery partition. GreatXML reportedly exploits the way WinRE processes XML files during the boot sequence. As a result, an attacker with physical access to a device (or the ability to write data to the recovery partition) could potentially launch a command shell capable of accessing BitLocker-protected volumes without following the normal unlock procedure.
This disclosure is part of a series of vulnerabilities recently published by Chaotic Eclipse, including BlueHammer, UnDefend, RedSun, YellowKey, and GreenPlasma, several of which affect BitLocker, Microsoft Defender, and the Windows Collaborative Translation Framework. The Microsoft Security Response Center has previously warned that publicly disclosing vulnerabilities without coordinated disclosure may increase risk to users, as threat actors can rapidly weaponize technical details and proof-of-concept code. Until Microsoft releases an official fix or mitigation guidance, administrators are advised to closely monitor Microsoft security advisories, restrict physical access to systems, review the use of Windows Recovery Environment, and consider additional endpoint security controls to reduce potential exposure.
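The advice above to review the use of the Windows Recovery Environment can be turned into a fleet inventory. The following PowerShell is an added example written for this page; it is not code from the article, from the researcher, or from Microsoft. It reports the two preconditions the article describes on each endpoint: whether WinRE is enabled (via `reagentc /info`) and whether the OS volume is BitLocker-protected (via `Get-BitLockerVolume`), and flags machines where both hold so they can be prioritised for monitoring and physical-access controls. It assumes an elevated session, English-language `reagentc` output (the regexes match the English field names), and the BitLocker PowerShell module being present; it does not determine whether Defender Offline Scan has ever been run, because the article names no artifact that can be checked for that.

```powershell
# Added example (not from the article or the researcher): a defender-side
# inventory of the WinRE and BitLocker state the article identifies as the
# exposure preconditions. Assumes an elevated session, English-language
# 'reagentc' output, and the BitLocker PowerShell module.
function Get-WinReBitLockerExposure {
    [CmdletBinding()]
    param()

    # 'reagentc /info' prints the WinRE state and its on-disk location.
    $reInfo = & reagentc.exe /info 2>&1 | Out-String
    $reStatus   = if ($reInfo -match 'Windows RE status:\s+(\S+)')   { $Matches[1] }        else { 'Unknown' }
    $reLocation = if ($reInfo -match 'Windows RE location:\s+(.+)')  { $Matches[1].Trim() } else { '' }

    # BitLocker state of every volume; the OS volume is the one of interest here.
    $osDrive = $env:SystemDrive
    $volumes = Get-BitLockerVolume -ErrorAction SilentlyContinue |
        Select-Object MountPoint, VolumeType, ProtectionStatus, VolumeStatus

    $osVolume    = $volumes | Where-Object { $_.MountPoint -eq $osDrive }
    $osProtected = ($osVolume.ProtectionStatus -eq 'On')

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        WinReStatus       = $reStatus
        WinReLocation     = $reLocation
        OsVolume          = $osDrive
        OsBitLockerStatus = if ($osVolume) { $osVolume.ProtectionStatus } else { 'NotFound' }
        # Both true means the machine matches the scenario the article describes
        # (WinRE available and a BitLocker-protected OS volume) and merits review.
        ReviewRecommended = ($reStatus -eq 'Enabled' -and $osProtected)
        AllVolumes        = $volumes
    }
}

# Usage: run elevated on each endpoint, or wrap in Invoke-Command across a fleet
# and filter on ReviewRecommended to build the review list.
Get-WinReBitLockerExposure | Format-List
```

The output is a plain object so it can be exported with `Export-Csv` or fed into a SIEM; `ReviewRecommended` is deliberately conservative and only combines facts the endpoint itself reports, so a true value is a prompt to review, not evidence of compromise.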
