Ever since appearing on the cybersecurity scene, Nightmare-Eclipse (aka Chaotic-Eclipse) has probably been the largest thorn in the side of the Microsoft Security Response Center. The long-running saga between Redmond and the disgruntled cybersecurity expert got a couple of new chapters this week, thanks to the release of the RoguePlanet and GreatXML exploits.

RoguePlanet is probably the nastiest one, as it takes advantage of yet another vulnerability in Windows Defender to gain SYSTEM user access privileges, letting an attacker execute commands at a privilege level even higher than the standard Administrator. The practical mechanism is simple: fool a user into running a script, and that script gets full access to the machine, granting the ability to syphon all data, keep exfiltration malware installed, or carry out any number of other malicious activities.

It's worth noting that RoguePlanet depends on a race condition, seemingly between ISO mounting and Volume Shadow Copy, meaning that it's timing-based and the exact conditions under which it can be triggered aren't guaranteed to occur every time on the victim machine. Eclipse themselves say that while they had a 100% success rate on certain installs, the exploit "struggled to work on others."

They do remark that RoguePlanet operates on a fully patched Windows system that includes the recently released June 2026 update, and that they're fairly certain Windows Server is likewise vulnerable, which would require a redesign of the proof-of-concept code to work around the fact that users on Server editions can't mount ISOs by default.

As for GreatXML, it's yet another BitLocker bypass. It's far less scary than YellowKey, as the exploit conditions are much stricter, but it's still something of an egg-on-face moment for Microsoft. To run the bypass, an attacker needs to write a specially crafted "unattend.xml" and a "Recovery" directory to Windows' recovery partition. Then, if a Windows Defender Offline Scan is run or has been run in the past, rebooting into the recovery environment will open the BitLocker-protected drive just fine.

The requirements are a pretty high bar to clear for an attacker, but the validity of the approach still raises questions about which backdoor-looking behaviors are still present in BitLocker and the Windows Recovery Environment (WinRE). Eclipse believes it may be possible to trigger a Defender Offline Scan without logging in, but that's not a certain thing at this point. Having said that, it wouldn't be surprising if tomorrow they came up with a way to do just that.

Given that Eclipse's spat with Microsoft has resulted in Redmond banning their GitHub account, the researcher has since moved their proof-of-concept to Church of Malware, a somewhat unrestricted community and code repository for exploits. Amusingly enough, though, a secondary GitHub account of theirs remains online.

The firm previously threatened legal action against Eclipse, too, but has since backed down. For their part, Eclipse had previously threatened to mass-disclose zero-day Windows vulnerabilities on July 14. They too have since relented, stating that writing RoguePlanet took more time than expected, that they may take a break, and that July 14 seemingly won't be Windowspocalypse Day after all.