A new Windows zero-day has turned BitLocker, one of Microsoft’s most trusted data-protection features, into the center of another disclosure fight.
The Register’s Jessica Lyons broke the news that security researcher Nightmare Eclipse released exploit code for a claimed BitLocker bypass called GreatXML, which the researcher says can spawn a command prompt with broad access to a protected BitLocker volume. The release followed another zero-day, RoguePlanet, which SecurityWeek reported could exploit a Microsoft Defender race condition to gain SYSTEM-level privileges.
The bigger concern for Windows admins is not just one bug. It is the pace of public exploit drops, the uncertainty around Microsoft’s response, and the widening gap between responsible disclosure norms and what is now unfolding in public.
What GreatXML claims to do
According to The Register, Nightmare Eclipse claimed GreatXML can bypass BitLocker on systems that have previously run a Microsoft Defender Offline scan. The researcher reportedly published exploit code on GitHub and another Git-based platform, describing the bug as an “accidental discovery.”
The claimed attack involves copying specific files to the recovery partition, then rebooting into the Windows Recovery Environment. If successful, the researcher said the process would spawn a shell with access to the BitLocker-protected volume.
That claim is already being scrutinized. Security researcher Will Dormann reportedly tested the steps and said the write-up appeared flawed, noting that triggering Microsoft Defender Offline requires being logged in with admin credentials. In that scenario, Dormann argued, an attacker may already have enough access to disable BitLocker through easier means.
RoguePlanet adds to Microsoft’s zero-day headache
GreatXML landed just after Nightmare Eclipse released RoguePlanet, a separate Windows exploit targeting Microsoft Defender. SecurityWeek reported that RoguePlanet could lead to local privilege escalation by exploiting a race condition, and that researchers validated it could spawn a command prompt with SYSTEM privileges on patched systems.
The exploit’s reliability may vary, and the researcher said the proof of concept was tested on Windows 10 and Windows 11 machines with the June 2026 patches installed. It reportedly does not work on Windows Server in its current form, though Nightmare Eclipse claimed server versions may still be vulnerable.
Microsoft told The Register it was aware of RoguePlanet and was “actively investigating the validity and potential applicability” of the claims. The company had not immediately responded to The Register’s questions about GreatXML.
Patch Tuesday did not end the drama
Microsoft’s June Patch Tuesday addressed some earlier Nightmare Eclipse disclosures, and several others now have patches, according to The Register and SecurityWeek. The patched issues include vulnerabilities tied to RedSun, UnDefend, BlueHammer, YellowKey, GreenPlasma, and MiniPlasma.
Separately, Cyber Security News reported that Microsoft disclosed and patched a BitLocker security feature bypass tracked as CVE-2026-50507 on June 9. The flaw was rated Important with a CVSS score of 6.8 and required physical access to exploit.
That patched BitLocker issue appears distinct from the newly claimed GreatXML bypass, though both underscore the same problem for security teams: Windows endpoint protection is under unusually public pressure, and exploit details are moving faster than some organizations can patch, test, and verify exposure.
What security teams should do now
For enterprise defenders, the practical response is still familiar: apply Microsoft’s June 2026 security updates, prioritize exposed or high-risk endpoints, and treat lost or physically accessible devices as a more serious threat category.
Security teams should also review Defender Offline usage, protections for BitLocker recovery partitions, and endpoint tamper controls. GreatXML’s real-world practicality remains disputed, but public proof-of-concept releases can quickly turn uncertain research into attacker experimentation.
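The review items above can be collected per endpoint in one pass. The following PowerShell is an added example, not code from the article, Microsoft, or the researcher; it assumes an elevated session on an English-language Windows 10 or 11 host, and the function name Get-EndpointReviewSnapshot is hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example: gathers the settings the article says to review.
# Get-EndpointReviewSnapshot is a hypothetical name, not a built-in cmdlet.

function Get-EndpointReviewSnapshot {
    [CmdletBinding()]
    param([string]$MountPoint = $env:SystemDrive)

    # BitLocker protection state and key protectors on the OS volume
    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    $protectors = @($vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })

    # Defender tamper protection and platform version
    $mp = Get-MpComputerStatus

    # Windows Recovery Environment state and location. reagentc output is
    # localized, so these matches assume English output.
    $reLines    = & reagentc.exe /info
    $reEnabled  = [bool]($reLines -match 'Windows RE status:\s+Enabled')
    $reLocation = ($reLines -match 'Windows RE location:') -replace '^.*location:\s*', ''

    # Event 2030 in the Defender operational log records that Defender Offline
    # was downloaded and staged to run on the next reboot.
    $offline = @(Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'
        Id      = 2030
    } -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        BitLockerProtection = [string]$vol.ProtectionStatus
        KeyProtectors       = $protectors -join ','
        TamperProtected     = $mp.IsTamperProtected
        DefenderPlatform    = $mp.AMProductVersion
        WinREEnabled        = $reEnabled
        WinRELocation       = ($reLocation | Select-Object -First 1)
        OfflineScansStaged  = $offline.Count
        LastOfflineScan     = ($offline | Select-Object -First 1).TimeCreated
    }
}

Get-EndpointReviewSnapshot | Format-List
```

Hosts that report a non-zero OfflineScansStaged match the precondition the researcher described for GreatXML and are reasonable candidates for earlier patch verification.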
The disclosure fight may be the loudest part of the story, but for IT teams, the quieter question matters more: whether Windows security controls are being tested faster than organizations can harden them.