ctipilot.ch

GreatXML

trend · trend:greatxml-bitlocker-bypass-2026

GreatXML: Nightmare Eclipse unpatched BitLocker/WinRE bypass, public PoC

Coverage timeline: 3 · first 2026-06-12 → last 2026-06-14
Entries: 3 (2 distinct days)
Sources cited: 12 (10 hosts)
Sections touched: 3 (active-threats, weekly-looking-ahead, weekly-multi-day)
Co-occurring entities: 3

Story timeline

  1. 2026-06-14 · weekly-looking-ahead · Looking ahead — 2026-W24
  2. 2026-06-14 · weekly-multi-day · Chaotic Eclipse / Nightmare Eclipse Windows zero-day wave — three long-tracked bugs patched, a fourth still open
  3. 2026-06-12 · active-threats · "GreatXML": unpatched BitLocker bypass via crafted XML on the recovery partition — PoC public, practical severity contested

Where this entity is cited

  • active-threats: 1
  • weekly-multi-day: 1
  • weekly-looking-ahead: 1

Source distribution

  • bleepingcomputer.com: 3 (25%)
  • attack.mitre.org: 1 (8%)
  • edpb.europa.eu: 1 (8%)
  • enisa.europa.eu: 1 (8%)
  • github.blog: 1 (8%)
  • ncsc.admin.ch: 1 (8%)
  • security-hub.ncsc.admin.ch: 1 (8%)
  • securityweek.com: 1 (8%)
  • other: 2 (17%)

Entries about GreatXML (3)

2026-06-14

Looking ahead — 2026-W24

notable · outlook · discovered 2026-06-14 23:57 UTC

A focused, justified list — items already in motion, not predictions.

  • G7 Évian summit, 15–17 June — pre-stage DDoS mitigations now. NCSC-CH's advisory explicitly names Swiss organisations as the hacktivist-DDoS target pool for the summit window (Évian sits on the Swiss border), consistent with the NoName057(16) pattern around past Swiss-adjacent summits. Confirm upstream scrubbing burst capacity, test CDN/anycast failover, and pre-position out-of-band NOC comms before Monday. MITRE ATT&CK T1498/T1499. (NCSC-CH G7 advisory)
  • GreatXML and RoguePlanet remain unpatched — watch MSRC for an out-of-band response. Two Chaotic Eclipse disclosures (GreatXML BitLocker bypass, RoguePlanet Defender SYSTEM EoP) have public PoCs and no fix after June Patch Tuesday closed three siblings; the researcher's cadence suggests more. Retain BitLocker PIN/TPM policy and monitor MSRC. (SecurityWeek — GreatXML; BleepingComputer — RoguePlanet; daily 06-12)
  • CRA 11 September reporting-platform milestone is now ~90 days out. ENISA's SBOM survey shows generation outpacing consumption; the window to build SBOM-ingestion into your vulnerability-management workflow before the reporting obligation begins is closing. (ENISA SBOM)
  • npm v12 will disable install scripts by default — audit CI/CD before July. GitHub's announced breaking change (preinstall/install/postinstall off by default, npm approve-builds required) is the single most effective structural mitigation against the Shai-Hulud/Atomic Arch install-time-execution kill chain, but it will break pipelines that rely on build scripts. Inventory affected pipelines now. (GitHub changelog; daily 06-12)
  • Acer Wave-7 mesh-router maximum-severity zero-days (CVE-2026-49200/-49201) still await a fix targeted for end-June. Cleartext-credential logging plus a hardcoded backup key, CVSS 10.0, no patch yet — track the firmware release and treat exposed Wave-7 management as compromised in the interim. (BleepingComputer; daily 06-08)
  • EDPB Article 33 harmonised-template consultation closes 5 August. Breach-response process owners with multi-jurisdiction obligations have a window to review and comment. (EDPB)
Tags: ddos, global

2026-06-14

Chaotic Eclipse / Nightmare Eclipse Windows zero-day wave — three long-tracked bugs patched, a fourth still open

high · synthesis · discovered 2026-06-14 23:57 UTC

This researcher's serialised zero-day disclosures have run across four weekly cycles, and this week brought both resolution and a fresh open wound. June Patch Tuesday (9 June) finally closed the three bugs the W20–W22 weeklies tracked as "expected fix in June": YellowKey (CVE-2026-45585, BitLocker bypass via the Windows Recovery Environment, physical access required), GreenPlasma (CVE-2026-45586, CTFMON elevation to SYSTEM), and MiniPlasma (a re-opened regression of CVE-2020-17103 in the Cloud Filter driver cldflt.sys), per the patch-day round-ups (BleepingComputer; Tenable).

But the cadence continued the same day. On 9 June the researcher published RoguePlanet, a TOCTOU race in the Microsoft Defender scan engine yielding a SYSTEM shell — hours after the patches landed, with no CVE and no fix (BleepingComputer; daily 06-11). Two days later came GreatXML, a BitLocker bypass via crafted XML on the recovery partition — PoC public, practical severity contested, still unpatched (SecurityWeek; daily 06-12). The trajectory: deploy the June cumulative update to close the three patched bugs, retain BitLocker PIN/TPM policy regardless, and keep monitoring MSRC — the fourth disclosure is the pattern, not the exception.

Tags: vulnerabilities, zero-day, lpe, poc-public, global

2026-06-12

"GreatXML": unpatched BitLocker bypass via crafted XML on the recovery partition — PoC public, practical severity contested

high · threat · discovered 2026-06-12 05:00 UTC

The researcher operating as Nightmare Eclipse (also tracked as Chaotic Eclipse) published GreatXML on 11 June — a working proof-of-concept that bypasses BitLocker full-volume encryption and spawns a SYSTEM command prompt inside the Windows Recovery Environment (WinRE), with no CVE assigned and no Microsoft patch available (SecurityWeek, 2026-06-11). The technique places a crafted unattend.xml at the root of the recovery partition plus a second malformed XML under Recovery/, then reboots into WinRE; the Microsoft Defender Offline scan path processes the attacker-controlled XML while the volume is unlocked. Per the researcher, "any Windows machine becomes vulnerable to GreatXML as soon as Defender's offline scanning is initiated" — i.e. the bypass arms itself once an offline scan has ever run on the host (SecurityWeek, 2026-06-11). Independent researcher Will Dormann disputes the practical severity, noting that triggering the prerequisite Defender Offline scan requires an existing Windows logon with admin credentials — an attacker in that position could already disable BitLocker outright (The Register, 2026-06-11). NCSC-CH is tracking the disclosure as part of the same researcher's zero-day series (BlueHammer, RedSun, UnDefend, YellowKey, GreenPlasma, RoguePlanet — RoguePlanet covered 2026-06-11) (NCSC-CH CSH, 2026-06-11). Maps to T1542.001 (Pre-OS Boot) territory: code execution from the recovery path while the BitLocker-protected volume is mounted.

Why it matters to us: evil-maid and stolen-laptop scenarios against BitLocker-protected fleets get cheaper where an offline scan has previously run. Until a patch lands: audit recovery-partition contents for unexpected unattend.xml/ReAgent.xml modifications, require TPM+PIN pre-boot authentication on high-value mobile assets, and weigh reagentc /disable on machines where recovery capability is dispensable.
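One way to turn the recovery-partition audit and the TPM+PIN check above into a repeatable host check, as an added example that is not tooling from the original entry, NCSC-CH or the researcher. It assumes a GPT disk whose recovery partition carries the standard Microsoft Recovery type GUID, an elevated session, and a placeholder baseline SHA-256 for ReAgent.xml that you record from a known-good build; the paths and the mount letter are assumptions, not values from the page.

```powershell
# Added example: audit the WinRE recovery partition for the artefacts named in
# the GreatXML entry (unattend.xml at the root, unexpected XML under Recovery\)
# and confirm the OS volume uses a TPM+PIN protector. Run elevated.
param(
    [string]$BaselineReAgentSha256 = 'KNOWN-GOOD-SHA256-PLACEHOLDER',  # record from a trusted host
    [string]$MountLetter = 'R'                                         # assumed free drive letter
)

$findings = [System.Collections.Generic.List[string]]::new()

# GPT partition type GUID for "Microsoft Recovery" partitions
$recoveryGuid = '{de94bba4-06d1-4d40-a16b-3a4ffa5b4b8e}'
$part = Get-Partition | Where-Object { $_.GptType -eq $recoveryGuid } | Select-Object -First 1
if (-not $part) { throw 'No GPT recovery partition found on this host' }

$root = "$MountLetter`:\"
try {
    # Temporarily expose the hidden partition so its files can be inspected
    Add-PartitionAccessPath -DiskNumber $part.DiskNumber -PartitionNumber $part.PartitionNumber -AccessPath $root

    # 1. An unattend.xml at the recovery-partition root has no legitimate reason to exist
    if (Test-Path (Join-Path $root 'unattend.xml')) {
        $findings.Add('unattend.xml present at recovery-partition root')
    }

    # 2. Under Recovery\ only ReAgent.xml is expected; anything else, or a changed
    #    ReAgent.xml, is flagged for manual review
    Get-ChildItem -Path (Join-Path $root 'Recovery') -Recurse -Include '*.xml' -ErrorAction SilentlyContinue |
        ForEach-Object {
            if ($_.Name -ne 'ReAgent.xml') {
                $findings.Add("unexpected XML on recovery partition: $($_.FullName)")
            } elseif ((Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash -ne $BaselineReAgentSha256) {
                $findings.Add("ReAgent.xml differs from baseline: $($_.FullName)")
            }
        }
} finally {
    # Always unmount again so the partition stays hidden from normal users
    Remove-PartitionAccessPath -DiskNumber $part.DiskNumber -PartitionNumber $part.PartitionNumber -AccessPath $root
}

# 3. TPM-only protectors unlock the volume before WinRE runs; a PIN adds a
#    pre-boot gate, which is the mitigation the entry recommends
$os = Get-BitLockerVolume -MountPoint $env:SystemDrive
$hasPin = $os.KeyProtector | Where-Object { "$($_.KeyProtectorType)" -match '^TpmPin' }
if (-not $hasPin) {
    $findings.Add("OS volume has no TPM+PIN protector (present: $(($os.KeyProtector.KeyProtectorType | ForEach-Object { "$_" }) -join ', '))")
}

if ($findings.Count -gt 0) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'No GreatXML-related findings on this host' }
```

Treat every warning as a lead for manual review rather than a verdict: a differing ReAgent.xml hash is also produced by legitimate WinRE servicing, so refresh the baseline after each cumulative update.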

Tags: vulnerabilities, zero-day, auth-bypass, poc-public, no-patch, global