
Nightmare-Eclipse Drops Two More Windows Zero-Days

Huma Shazia · 12 June 2026 at 8:47 pm · 5 min read

Key Takeaways

Source: Latest from Tom's Hardware
  • RoguePlanet exploits Windows Defender to gain SYSTEM-level privileges on fully patched Windows systems
  • GreatXML bypasses BitLocker encryption by manipulating the Windows Recovery Environment
  • Microsoft has banned Nightmare-Eclipse's GitHub account, but the researcher continues publishing exploits elsewhere

Nightmare-Eclipse, the pseudonymous security researcher who has become Microsoft's most persistent critic, published two new zero-day exploits this week. The releases bring the researcher's total to eight high-severity Windows vulnerabilities disclosed without coordination with Microsoft.

The conflict between Nightmare-Eclipse (also known as Chaotic-Eclipse) and the Microsoft Security Response Center has escalated. The researcher says they received no bug bounty payments despite reporting critical flaws, and Microsoft has responded by banning the researcher's GitHub account, which pushed the proof-of-concept code onto other channels.

RoguePlanet: Defender Becomes the Attack Surface

The more dangerous of the two exploits, RoguePlanet, targets Windows Defender itself. The attack grants SYSTEM-level access, which sits above standard Administrator privileges. Once an attacker reaches SYSTEM, they can execute any command, install persistent malware, and extract data without restriction.

The exploit requires a victim to run a script locally, so it is a privilege-escalation step rather than a remote entry point. From there, RoguePlanet triggers a race condition between ISO mounting and Volume Shadow Copy. Because the attack depends on winning that race, it does not succeed on every attempt: Nightmare-Eclipse reports a 100% success rate on some Windows installations while the exploit "struggled to work on others."

The exploitation of Microsoft Defender's own remediation logic highlights a dangerous feedback loop where our protective measures become our biggest attack surfaces.

— Dr. Aris Thorne, Cybersecurity Researcher

RoguePlanet works on fully updated Windows systems, including those with the June 2026 patch. The researcher believes Windows Server is also vulnerable but notes that the proof-of-concept would need modification since Server editions don't allow users to mount ISOs by default.

GreatXML: Another BitLocker Bypass

The second exploit, GreatXML, adds to a growing list of BitLocker bypasses from this researcher. It is less severe than the earlier YellowKey exploit because its preconditions are stricter.

To execute GreatXML, an attacker must write a specially crafted "unattend.xml" file and a "Recovery" directory to the Windows recovery partition. If a Windows Defender Offline Scan has been run (or is run afterward), rebooting into the recovery environment opens the BitLocker-protected drive without authentication.

The bar is high. An attacker needs write access to the recovery partition, which typically requires either physical access or prior compromise of the system. Still, the existence of this bypass raises questions about undocumented behaviors in BitLocker and the Windows Recovery Environment.

Nightmare-Eclipse suggests it may be possible to trigger a Defender Offline Scan without logging in, which would lower the attack requirements. They haven't demonstrated this yet.

The Ongoing Conflict with Microsoft

The researcher's campaign against Microsoft started after what they describe as repeated dismissal by the Microsoft Security Response Center. Having received no bug bounty payments despite submitting multiple critical vulnerabilities, Nightmare-Eclipse shifted to full public disclosure.

This isn't just about finding bugs anymore; this is a systematic demonstration of the fragility of modern security response when communication breaks down.

— Sarah Jenkins, Lead Security Analyst at CyberIntel Solutions

Microsoft's response has been to ban the researcher's accounts rather than engage. This has pushed proof-of-concept code to less centralized platforms, making takedowns harder while ensuring the exploits remain accessible to anyone looking for them.

Security Community Reaction

The security community remains divided. On Reddit's r/netsec and r/cybersecurity, some admire the technical skill and frame this as a David vs. Goliath story. Others condemn the approach as irresponsible disclosure that puts millions of Windows users at immediate risk.

HackerNews discussions have focused on the failure of corporate bug bounty programs to incentivize ethical research. Several commenters argue that this "vendetta" is a predictable outcome when companies undervalue the researchers finding their most critical bugs.

What Users Can Do

For RoguePlanet, the primary defense is avoiding unknown scripts. Since the exploit requires user execution, standard security hygiene applies. Don't run scripts from untrusted sources, and be skeptical of ISO files from unfamiliar origins.

GreatXML's requirements are strict enough that most users face minimal risk unless an attacker already has significant access to their system. Enterprise administrators should audit access to recovery partitions and monitor for unauthorized modifications.
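One way to do that audit, as an added example that is neither the article's nor Nightmare-Eclipse's code: the PowerShell script below mounts each Windows recovery partition at a temporary folder, hashes every file on it, and diffs the result against a saved baseline, so that the artifacts the GreatXML description names (a crafted "unattend.xml" and a "Recovery" directory written to the recovery partition) surface as added or modified entries. It also prints the WinRE registration (reagentc /info) and the BitLocker state of the OS volume. The baseline location and the "Suspicious" naming rule are this script's own assumptions; the file names come from the article.

```powershell
#Requires -RunAsAdministrator
# Added audit script (not from the article and not Nightmare-Eclipse's code).
# Inventories every Windows recovery partition, hashes the files on it and diffs
# the result against a saved baseline. The baseline location is an assumption;
# the "unattend.xml" / "Recovery" names come from the GreatXML description.
param(
    [string] $BaselinePath = "$env:ProgramData\winre-baseline.json",   # assumed location
    [switch] $UpdateBaseline
)

# GPT partition type GUID that Windows assigns to recovery partitions.
$RecoveryGptType = '{de94bba4-06d1-4d40-a16a-bfd50179d6ac}'

function Test-SuspiciousPath {
    param([string] $RelativePath)
    # Matches the names the write-up mentions. The standard WinRE layout also lives
    # under \Recovery\WindowsRE, so a hit on a *change* means "look", not "compromised".
    return ($RelativePath -match '(?i)(^|\\)unattend\.xml$') -or
           ($RelativePath -match '(?i)(^|\\)Recovery(\\|$)')
}

function Get-RecoveryManifest {
    # Recovery partitions normally carry no drive letter, so each one is attached
    # to a temporary mount folder, enumerated, hashed and detached again.
    $manifest = @{}
    $partitions = Get-Partition | Where-Object { $_.GptType -eq $RecoveryGptType }
    foreach ($p in $partitions) {
        $mount = Join-Path $env:TEMP ('winre-audit-' + [guid]::NewGuid().ToString('N'))
        New-Item -ItemType Directory -Path $mount | Out-Null
        Add-PartitionAccessPath -DiskNumber $p.DiskNumber -PartitionNumber $p.PartitionNumber -AccessPath $mount
        try {
            Get-ChildItem -Path $mount -File -Recurse -Force -ErrorAction SilentlyContinue | ForEach-Object {
                $rel = $_.FullName.Substring($mount.Length).TrimStart('\')
                $key = '{0}:{1}:{2}' -f $p.DiskNumber, $p.PartitionNumber, $rel
                $manifest[$key] = [pscustomobject]@{
                    Key        = $key
                    Size       = $_.Length
                    Modified   = $_.LastWriteTimeUtc.ToString('o')
                    Sha256     = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                    Suspicious = Test-SuspiciousPath $rel
                }
            }
        } finally {
            Remove-PartitionAccessPath -DiskNumber $p.DiskNumber -PartitionNumber $p.PartitionNumber -AccessPath $mount
            Remove-Item -LiteralPath $mount -Force
        }
    }
    return $manifest
}

function Compare-RecoveryManifest {
    param([hashtable] $Baseline, [hashtable] $Current)
    # Added, removed and content-changed files, with the GreatXML-style names flagged.
    $changes = @()
    foreach ($k in $Current.Keys) {
        if (-not $Baseline.ContainsKey($k)) {
            $changes += [pscustomobject]@{ Change = 'ADDED'; Key = $k; Suspicious = $Current[$k].Suspicious }
        } elseif ($Baseline[$k].Sha256 -ne $Current[$k].Sha256) {
            $changes += [pscustomobject]@{ Change = 'MODIFIED'; Key = $k; Suspicious = $Current[$k].Suspicious }
        }
    }
    foreach ($k in $Baseline.Keys) {
        if (-not $Current.ContainsKey($k)) {
            $changes += [pscustomobject]@{ Change = 'REMOVED'; Key = $k; Suspicious = $Baseline[$k].Suspicious }
        }
    }
    return $changes
}

# Context that matters for GreatXML: which partition backs WinRE and whether it is
# enabled, and whether the OS volume is actually protected.
reagentc.exe /info
Get-BitLockerVolume -MountPoint $env:SystemDrive |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionMethod | Format-List

$current = Get-RecoveryManifest
if ($UpdateBaseline -or -not (Test-Path -LiteralPath $BaselinePath)) {
    ConvertTo-Json -InputObject @($current.Values) -Depth 3 | Set-Content -LiteralPath $BaselinePath
    Write-Output "Baseline written to $BaselinePath ($($current.Count) files on recovery partition(s))."
} else {
    $baseline = @{}
    foreach ($e in (Get-Content -LiteralPath $BaselinePath -Raw | ConvertFrom-Json)) { $baseline[$e.Key] = $e }
    $changes = @(Compare-RecoveryManifest -Baseline $baseline -Current $current)
    if ($changes.Count -eq 0) {
        Write-Output 'Recovery partition matches baseline.'
    } else {
        # Flagged entries first. WinRE servicing legitimately rewrites Winre.wim, so
        # re-run with -UpdateBaseline after a known-good update.
        $changes | Sort-Object -Property @{Expression = 'Suspicious'; Descending = $true}, Key |
            Format-Table Change, Suspicious, Key -AutoSize
    }
}
```

Run it once from an elevated prompt to write the baseline, then on a schedule (or after any maintenance window) to diff against it; the baseline file itself should live somewhere a standard user cannot rewrite, since an attacker who can edit the recovery partition can usually edit ProgramData too. Get-BitLockerVolume needs the BitLocker module, which is present on client Pro/Enterprise editions and on Server only once the BitLocker feature is installed.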

Microsoft has not yet issued patches for either vulnerability. Given the public nature of the disclosures, patches may arrive in a future security update, though Microsoft hasn't commented on timing.


Frequently Asked Questions

What is the RoguePlanet exploit?

RoguePlanet is a local privilege escalation exploit that abuses a race condition in Windows Defender to gain SYSTEM-level access on fully patched Windows systems.

Does GreatXML work on all BitLocker-protected systems?

No. GreatXML requires write access to the recovery partition and depends on a Windows Defender Offline Scan being run, making it harder to exploit than previous BitLocker bypasses.

Has Microsoft patched these vulnerabilities?

No patches have been released as of this writing. Microsoft has not publicly commented on timelines for addressing either exploit.

Who is Nightmare-Eclipse?

Nightmare-Eclipse (also called Chaotic-Eclipse) is a pseudonymous security researcher who has released eight high-severity Windows zero-days after claiming Microsoft's bug bounty program paid them nothing.



Huma Shazia

Senior AI & Tech Writer
