
New Windows Zero-Day Claims BitLocker Bypass Amid Microsoft Disclosure Fight

A new Windows zero-day has turned BitLocker, one of Microsoft’s most trusted data protection features, into the center of another disclosure fight.

The Register’s Jessica Lyons reported that security researcher Nightmare Eclipse has released exploit code for an alleged BitLocker bypass called GreatXML, which the researcher says can generate a command prompt with broad access to a protected BitLocker volume. This release follows another zero-day, RoguePlanet, which SecurityWeek reports could exploit a Microsoft Defender race condition to gain SYSTEM-level privileges.

For Windows administrators, the biggest concern isn’t just a single bug. It also includes the pace of public exploit releases, the uncertainty surrounding Microsoft’s response, and the growing gap between responsible disclosure standards and what is currently happening in public.

What GreatXML claims to do

According to The Register, Nightmare Eclipse claims that GreatXML can bypass BitLocker on systems that have already run a Microsoft Defender offline scan. The researcher reportedly posted exploit code on GitHub and another Git-based platform, describing the bug as an “accidental discovery.”

The claimed attack involves copying specific files to the recovery partition and then rebooting into the Windows recovery environment. If successful, the researcher said the process would spawn a shell with access to the BitLocker-protected volume.

This claim has already been examined. Security researcher Will Dormann reportedly tested the steps and said the wording seemed flawed, noting that triggering Microsoft Defender offline requires being logged in with administrator credentials. In this scenario, Dormann argued, an attacker may already have sufficient access to disable BitLocker through simpler means.

RoguePlanet adds to Microsoft’s zero-day puzzle

GreatXML landed just after Nightmare Eclipse released RoguePlanet, a separate Windows exploit targeting Microsoft Defender. SecurityWeek reported that RoguePlanet could lead to local privilege escalation by exploiting a race condition, and that researchers validated that it could generate a command prompt with SYSTEM privileges on patched systems.

The reliability of the exploit may vary, and the researcher said the proof of concept was tested on Windows 10 and Windows 11 machines with the June 2026 patches installed. It apparently won’t work on Windows Server in its current form, although Nightmare Eclipse claimed that server versions may still be vulnerable.

Microsoft told The Register that it was aware of RoguePlanet and was “actively investigating the validity and potential applicability” of the allegations. The company did not immediately respond to The Register’s questions about GreatXML.

Patch Tuesday didn’t end the drama

Microsoft’s June Patch Tuesday addressed some earlier Nightmare Eclipse revelations, and several others now have fixes, according to The Register and SecurityWeek. Fixed issues include vulnerabilities related to RedSun, UnDefend, BlueHammer, YellowKey, GreenPlasma, and MiniPlasma.

Separately, Cyber Security News reported that Microsoft disclosed and fixed a BitLocker security feature bypass tracked as CVE-2026-50507 on June 9. The flaw was rated important with a CVSS score of 6.8 and required physical access to exploit.

This patched BitLocker issue appears separate from the new GreatXML bypass, although both highlight the same problem for security teams: Windows endpoint protection is under unusual public pressure, and exploit details are evolving faster than some organizations can patch, test, and verify exposure.

What security teams should do now

For enterprise defenders, the practical answer is still familiar: apply Microsoft’s June 2026 security updates, prioritize exposed or high-risk endpoints, and treat lost or physically accessible devices as a more serious threat category.

Security teams should also review offline Defender usage, BitLocker recovery partition protections, and endpoint tampering controls. The actual usefulness of GreatXML remains controversial, but public proof-of-concept versions can quickly turn uncertain research into attacker experiments.

The fight for disclosure may be the loudest part of the story, but for IT teams, the quieter question is more important: whether Windows security controls are being tested faster than organizations can harden them.
