The researcher known as Nightmare Eclipse has published a second unpatched Windows exploit in two days, this one defeating BitLocker disk encryption. Called GreatXML, it abuses the Windows Defender Offline Scan feature: any machine that has ever run an offline scan is left permanently vulnerable. An attacker with physical access copies a crafted unattend.xml file and a Recovery folder to the recovery partition, reboots into the Windows Recovery Environment with Shift plus Restart, and gets a privileged shell with full access to the encrypted drive, no login needed. Proof-of-concept code is public on GitHub, there is no patch yet, and Microsoft says it is investigating.
Microsoft has assigned CVE-2026-45585 and shipped mitigation guidance for YellowKey, a Windows BitLocker bypass that anonymous researcher 'Nightmare Eclipse' disclosed last week with a working PoC. The attack places crafted FsTx files on a USB drive or EFI partition, reboots into WinRE, and holds CTRL during boot to drop into a shell with full access to BitLocker-protected drives. Microsoft says no patch is available yet. Mitigations include removing the autofstx.exe entry from Session Manager's BootExecute and reconfiguring BitLocker to require TPM+PIN at startup. Nightmare Eclipse is the same researcher who recently dropped BlueHammer, RedSun, GreenPlasma, UnDefend, and MiniPlasma.
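The two mitigations above can be verified on a host with a read-only check. This is an added example, not Microsoft's guidance or code from the researcher. The function names are hypothetical, and it assumes the entry sits in the live system hive under the standard Session Manager key and that it can be recognised by the substring `autofstx`.

```powershell
#Requires -RunAsAdministrator
# Added example: read-only audit of the two mitigations named above.

function Test-BootExecuteEntry {          # hypothetical helper name
    param(
        # Assumption: the live system hive. Pass the path of a loaded offline
        # hive instead if the entry has to be checked in another image.
        [string]$SessionManagerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager',
        [string]$Needle = 'autofstx'
    )
    # BootExecute is REG_MULTI_SZ, so it comes back as one string per entry.
    $entries = @((Get-ItemProperty -Path $SessionManagerKey -Name BootExecute -ErrorAction Stop).BootExecute)
    $hits    = @($entries | Where-Object { $_ -like "*$Needle*" })
    [pscustomobject]@{
        Check  = 'No autofstx entry in BootExecute'
        Pass   = ($hits.Count -eq 0)
        Detail = if ($hits.Count) { "found: $($hits -join ' | ')" } else { "entries: $($entries -join ' | ')" }
    }
}

function Test-TpmPinProtector {           # hypothetical helper name
    param([string]$MountPoint = $env:SystemDrive)
    $vol   = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    $types = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
    $hasPin  = [bool]($types -match '^TpmPin')   # TpmPin or TpmPinStartupKey
    $tpmOnly = $types -contains 'Tpm'            # unlocks with no user input
    [pscustomobject]@{
        Check  = "TPM+PIN required on $MountPoint"
        Pass   = ($vol.ProtectionStatus -eq 'On') -and $hasPin -and -not $tpmOnly
        Detail = "status=$($vol.ProtectionStatus); protectors=$($types -join ',')"
    }
}

$results = @(Test-BootExecuteEntry; Test-TpmPinProtector)
$results | Format-Table -AutoSize -Wrap
if ($results.Pass -contains $false) { exit 1 }   # non-zero exit for fleet tooling
```

The script changes nothing on the host; a failed check shows up in the `Pass` column and in the exit code.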
A researcher who calls themselves Chaotic Eclipse, and who has weaponized every prior Windows flaw they have leaked this year, dropped working proof-of-concept code for two unpatched zero-days on May 12. YellowKey lets anyone with physical access to a Windows 11 or Server 2022/2025 machine plug in a USB stick, hold CTRL during a reboot into the Windows Recovery Environment, and get a shell with full access to the BitLocker-protected drive. GreenPlasma is a privilege escalation against the CTFMON service that hands an unprivileged user a path to SYSTEM. Independent researchers including Will Dormann and Kevin Beaumont have confirmed that YellowKey works as advertised.