Nightmare Eclipse drops claimed BitLocker bypass for Microsoft Windows

In a striking development within the cybersecurity landscape, the zero-day vulnerability researcher known as Nightmare Eclipse has unveiled yet another exploit, dubbed GreatXML. Released late Wednesday, the exploit reportedly allows unrestricted access to BitLocker volumes, a feature integral to Windows security. According to Nightmare, the discovery took a mere four hours and is said to bypass BitLocker on any system that has previously run a Microsoft Defender Offline scan.

This latest release follows closely on the heels of another exploit, RoguePlanet, which grants local privilege escalation and SYSTEM-level control over affected machines. With this addition, Nightmare Eclipse now boasts a total of eight zero-day vulnerabilities, including earlier discoveries such as RedSun, UnDefend, BlueHammer, YellowKey, GreenPlasma, and MiniPlasma—all of which received patches during this week’s Patch Tuesday event.

In response to the growing concerns, Microsoft acknowledged the existence of RoguePlanet and stated that it is “actively investigating the validity and potential applicability of these claims.” However, the tech giant has yet to comment on GreatXML or provide a timeline for a patch. Notably, Microsoft has indicated that none of these vulnerabilities were reported through its official channels prior to their public disclosure. Following the release of previous exploits, Microsoft had even taken the step of banning Nightmare’s GitHub account and hinted at potential legal action, a move that was met with significant backlash from the security community.

MORE CONTEXT

Nightmare Eclipse, rumored to be a former Microsoft employee, appears to have a personal vendetta against the company, particularly regarding its communication with security researchers. The researcher has vowed to continue releasing zero-day vulnerabilities, though the timing of these disclosures remains uncertain. In a previous statement, Nightmare had promised a substantial release on July 14, declaring, “I will make sure your bones are shattered that day.” However, this sentiment shifted as the researcher later indicated that the effort required for RoguePlanet had been unexpectedly taxing, leading to a potential hiatus from mass disclosures.

Despite having signalled a pause after the planned release, Nightmare surprised the community with the “accidental” unveiling of GreatXML just a day later. The process to exploit this vulnerability involves copying specific files, such as “unattend.xml” and the “Recovery” directory, to the root of the recovery partition. Following this, users must reboot into the Windows Recovery Environment (WinRE) by using a Shift-click restart. If executed correctly, this procedure should spawn a command prompt with unrestricted access to the BitLocker volume.

However, security expert Will Dormann has raised questions about the practicality of the GreatXML exploit. After attempting to replicate the process, Dormann noted that the command prompt only appeared during a Microsoft Defender Offline scan, which requires users to be logged into Windows with administrative credentials. He pointed out that if a user already possesses such access, they could simply disable BitLocker directly. Furthermore, Dormann criticized the writeup for GreatXML, suggesting that the prerequisites outlined by Nightmare do not align with the actual functionality of Windows 11 systems he tested.
