GreatXML signals a deeper Windows security problem: the recovery path meant to help fix locked machines can become the route around the lock. The new proof of concept targets Microsoft Defender Offline Scan behavior and can spawn a SYSTEM command prompt during Recovery Mode, giving the attacker access to a BitLocker-protected volume at the point where users expect encryption to matter most.
Security researcher Nightmare Eclipse released the exploit, named GreatXML, one day after publishing a separate Microsoft Defender exploit called RoguePlanet, according to SecurityWeek. The public PoC uses XML files copied to the root of the computer’s recovery partition, then relies on a reboot into Recovery Mode. The sharp part is not remote scale. The sharp part is trust. GreatXML appears to abuse a vendor-controlled maintenance workflow outside the normal desktop security model.
For readers tracking the broader Windows SYSTEM-access theme, XOOMAR’s related coverage on 4-Hour BitLocker Zero-Day Opens Windows SYSTEM Shell and Windows Zero-Days Let Patched PCs Hand Over SYSTEM gives useful companion context.
GreatXML makes Windows recovery the weak link in BitLocker’s promise
BitLocker is trusted because it protects data when Windows is not fully running. GreatXML attacks the machinery around that promise. The exploit does not need to defeat BitLocker cryptography directly, based on the supplied reporting. It targets the flow around Windows Recovery Environment, Defender Offline Scan, and XML-driven recovery behavior.
SecurityWeek reports that the PoC includes an XML file and a Recovery folder containing another XML file. These are copied to the root of the recovery partition. The system is then rebooted into Recovery Mode by holding Shift while clicking Restart. After restart, the user gains unrestricted access to the BitLocker-protected volume.
That makes GreatXML more troubling than a conventional local privilege escalation bug. It sits in a recovery and maintenance path that admins often treat as cleaner and more trusted than the running OS. The strongest counterpoint is that the exploit has meaningful constraints. It is not described as a remote wormable bug. It requires local influence over the recovery partition or a prior path to place the files.
The thesis still holds because recovery tooling is supposed to be a boundary, not a shortcut. If Microsoft’s offline scan state can be turned into a pre-boot SYSTEM shell, defenders have to treat recovery mode as an attack surface.
Defender Offline Scan becomes the route to SYSTEM before normal boot
The public chain is simple enough to be operationally useful: prepare the recovery partition, trigger the recovery state, land a SYSTEM shell. SecurityWeek says the vulnerability is in Microsoft Defender’s offline scan functionality. Nightmare Eclipse claims that all systems on which an offline scan was initiated at least once automatically become vulnerable.
The researcher’s own caveat matters:
“If Defender offline scan was never initiated, then you have to either log in and initiate it yourself or figure out a way to boot into WinRE in offline scan state (I believe it should be very possible to do so without logging in),”
That quote keeps the threat model grounded. A prior Defender Offline Scan is a stated precondition in the public material. If it has never run, the attacker needs another way to put the system into the relevant WinRE offline scan state.
SYSTEM matters because it is one of the highest operational privilege levels in Windows. It is not the same as kernel execution, but from an attacker’s control perspective it is close enough to let them tamper with security controls, access sensitive files, and set up deeper persistence if other defenses fail.
The central technical question remains unresolved in public reporting: is the core weakness XML processing, Defender configuration handling, WinRE trust assumptions, or the combination of all three? Cyderes frames GreatXML as a design-level abuse of WinRE, answer-file processing, and Defender Offline Scan state, not a memory corruption bug.
The risk data is in the sequence, not fleet-size guesses
The strongest numbers around GreatXML are not market-share estimates. They are the exploit timeline and the repeated targeting of Windows security components. SecurityWeek says GreatXML arrived one day after RoguePlanet. Cyderes says the PoC was published on June 11, 2026, and calls it the eighth tool from the Nightmare-Eclipse cluster in roughly ten weeks.
A useful contrast:
| Factor | GreatXML detail from supplied sources | Practical read |
|---|---|---|
| Privilege result | SYSTEM shell | High operational control once triggered |
| Trigger path | Shift + Restart into WinRE | Recovery flow becomes part of attack surface |
| Precondition | Defender Offline Scan initiated at least once, per Nightmare Eclipse | Exposure depends on host state |
| Initial access | Cyderes says admin rights are needed to write to recovery partition root | Better viewed as post-compromise persistence, not first entry |
| Patch status | Cyderes says no CVE and no patch | Public reporting is not fully aligned |
That last row needs care. Cyderes says there is no CVE and no patch for GreatXML. A separate supplied secondary summary lists CVE-2026-50507 for a BitLocker bypass. SecurityWeek does not mention a CVE. XOOMAR’s read: identifier status is unsettled in the public material, and defenders should wait for Microsoft’s own advisory to reconcile it.
Nightmare Eclipse is pressuring Microsoft’s security stack from multiple sides
GreatXML fits a pattern: the cluster is not only chasing Windows bugs, it is poking at products Microsoft positions as security guarantees. SecurityWeek says Nightmare Eclipse, also known as Chaotic Eclipse, has been dropping exploits for Windows zero-days after expressing discontent with Microsoft’s treatment of researchers in vulnerability disclosure programs.
The named set now includes BlueHammer, RedSun, UnDefend, GreenPlasma, YellowKey, RoguePlanet, and GreatXML in the supplied material. SecurityWeek reports that Microsoft has been scrambling to resolve publicly disclosed flaws, including BlueHammer, RedSun, and UnDefend, which have been exploited in attacks. It also says Microsoft patched GreenPlasma and YellowKey with the June 2026 Patch Tuesday updates.
GreatXML is different from malware that runs after login. It lives in the maintenance path. Cyderes says the planted files can survive password changes, loss of remote access, and OS reinstallation if the recovery partition is not addressed. That is the part incident responders should not miss.
The counterpoint is important: Cyderes also says writing to the recovery partition root requires administrator rights. That rules out a clean standard-user-to-BitLocker-bypass story. The risk is still serious because many real intrusions include moments where attackers briefly gain admin and then look for ways to survive cleanup.
Defenders need to inspect recovery partitions, not just rotate passwords
The immediate enterprise task is not panic. It is inventory and detection around WinRE and recovery-partition changes. Cyderes recommends watching for unattend.xml files written to the root of the recovery partition, especially outside Windows Update or legitimate recovery processes. It also calls out unexpected recovery partition modifications, newly created Recovery or WindowsRE directories, and Defender Offline Scans initiated from user-controlled processes.
XOOMAR analysis: teams should also review BitLocker policy for higher-risk users, including whether TPM plus PIN makes sense. The supplied research does not prove that TPM plus PIN blocks GreatXML. It does support the broader point that encryption depends on the full boot and recovery chain, not just the disk encryption setting.
The same logic applies to incident response. If GreatXML has been planted, reinstalling the main Windows partition may not be enough. Recovery partitions need inspection or rebuilding when a privileged Windows compromise is suspected.
Microsoft’s next move will define whether GreatXML stays niche or becomes a baseline check
The best evidence that GreatXML is contained would be a Microsoft advisory that narrows the affected state, clarifies the CVE question, and gives administrators a reliable mitigation path. A patch could land in Defender Offline Scan handling, WinRE behavior, answer-file validation, BitLocker exposure during recovery, or policy defaults. Public sources do not yet establish which layer Microsoft will target.
Researchers will now have a clear reason to probe other XML-driven and configuration-driven pieces of Windows recovery workflows. That does not mean adjacent flaws exist. It means GreatXML has pointed attention at a trusted pre-boot workflow that historically gets less day-to-day scrutiny than the running OS.
The practical watch item is narrow: look for Microsoft guidance, detection logic from security vendors, and confirmation of whether systems that never ran Defender Offline Scan are reachable through another path. If that no-prior-scan path fails, GreatXML remains a post-compromise persistence and physical-access problem. If it works, the risk profile gets much harder to contain.
Impact Analysis
- GreatXML suggests Windows recovery workflows can undermine BitLocker protections without breaking encryption itself.
- The exploit’s use of Microsoft Defender Offline Scan behavior raises concerns about trusted maintenance tools operating outside normal desktop safeguards.
- Public proof-of-concept release increases pressure on Microsoft and defenders to reassess recovery partition security.
Originally published on XOOMAR. For more news and analysis, visit XOOMAR.
Top comments (0)