Last updated: July 5, 2026 at 9:01 AM UTC
All 557 Vulnerability 199 Breach 106 Threat 245 Defense 7
Tag: defender (4 articles)Clear

New unpatched GreatXML exploit bypasses Windows BitLocker encryption

The researcher known as Nightmare Eclipse has published a second unpatched Windows exploit in two days, this one defeating BitLocker disk encryption. Called GreatXML, it abuses the Windows Defender Offline Scan feature: any machine that has ever run an offline scan is left permanently vulnerable. An attacker with physical access copies a crafted unattend.xml file and a Recovery folder to the recovery partition, reboots into the Windows Recovery Environment with Shift plus Restart, and gets a privileged shell with full access to the encrypted drive, no login needed. Proof-of-concept code is public on GitHub, there is no patch yet, and Microsoft says it is investigating.

Check
Identify Windows devices protected only by BitLocker without a startup PIN, especially laptops that travel, and check whether Windows Defender Offline Scan has ever been run on them.
Affected
Windows devices using BitLocker where a Defender Offline Scan has run at least once; an attacker with physical access to the machine can reach the encrypted volume. No patch yet.
Fix
Require a TPM-plus-PIN or startup password for BitLocker so pre-boot recovery cannot be abused, restrict physical access to devices, and watch for a Microsoft fix to apply once released.

Unpatched Defender zero-day RoguePlanet gives SYSTEM on current Windows

Hours after Patch Tuesday, the researcher known as Nightmare Eclipse published a working exploit, dubbed RoguePlanet, for an unpatched Microsoft Defender flaw that opens a command prompt with full SYSTEM privileges on fully updated Windows 10 and 11. The bug is a race condition, so the exploit is hit or miss, but the researcher reports a 100 percent success rate on some machines. They posted the proof-of-concept on a self-hosted Git server after Microsoft had earlier taken down their GitHub and GitLab repositories. It is the latest in a string of Windows zero-days (BlueHammer, RedSun, YellowKey, GreenPlasma) the researcher has released in protest of Microsoft's disclosure practices.

Check
Confirm Microsoft Defender real-time and tamper protection are enabled and current on Windows 10 and 11 endpoints, and watch for unexpected SYSTEM-level command shells spawned from Defender processes.
Affected
Fully patched Windows 10 and Windows 11 systems, including current and Canary builds, running Microsoft Defender; a public proof-of-concept exists and no fix is available yet.
Fix
No patch exists yet; watch for a Microsoft advisory and apply it when released. Meanwhile, rely on EDR behavioral detection and least-privilege controls to limit privilege-escalation impact.

Microsoft Defender for Endpoint adds automatic device isolation as part of automatic attack disruption (preview)

Microsoft has rolled out a preview of automatic device isolation in Microsoft Defender for Endpoint as part of its automatic attack disruption feature. When Defender detects a compromised endpoint, it now disconnects the device from the network without operator action, while preserving the Defender management channel so the host can still be monitored, investigated, and released. Security teams can release a device from containment after triage via 'Release from isolation' on the Device inventory or device page. The feature works only on onboarded end-user workstations. It joins earlier preview controls for blocking traffic to unmanaged endpoints and isolating compromised user accounts.

Check
Review Defender for Endpoint Action Center preview features in the Microsoft 365 Defender portal. Confirm automatic device isolation is enabled for high-risk endpoint groups.
Affected
Organizations relying on Defender for Endpoint where manual response to compromise alerts has historically been slow enough to allow lateral movement or data exfiltration.
Fix
Enable automatic device isolation in preview. Define release-from-isolation runbooks. Pair with automatic user-account isolation already available. Document operator override procedures for false positives.

Microsoft Defender zero-days CVE-2026-41091 (SYSTEM LPE) and CVE-2026-45498 (DoS) exploited in attacks, added to CISA KEV

Microsoft has rolled out fixes for two Defender vulnerabilities that have been exploited in zero-day attacks. CVE-2026-41091 is a link-following local privilege escalation in Microsoft Malware Protection Engine 1.1.26030.3008 and earlier that lets attackers gain SYSTEM. CVE-2026-45498 affects Defender Antimalware Platform 4.18.26030.3011 and earlier and triggers denial-of-service. Updates land automatically in Malware Protection Engine 1.1.26040.8 and Antimalware Platform 4.18.26040.7. CISA has added both to its KEV catalog and ordered FCEB agencies to patch within two weeks, by June 3. The same KEV update also added five legacy 2008-2010 Internet Explorer, DirectX, Acrobat, and Windows bugs that CISA suggests are seeing fresh exploitation.

Check
Open Windows Security > Virus & threat protection > Protection Updates and click Check for updates. Verify Antimalware Platform >= 4.18.26040.7 and Malware Protection Engine >= 1.1.26040.8.
Affected
Windows endpoints running Microsoft Malware Protection Engine 1.1.26030.3008 and earlier, or Defender Antimalware Platform 4.18.26030.3011 and earlier. Default config auto-updates, but air-gapped or restricted networks may lag.
Fix
Confirm Defender definitions and platform updates auto-install. FCEB agencies must patch by June 3 per CISA BOD 22-01. Investigate any KEV-listed legacy CVE-2008-4250/2009-1537/2009-3459/2010-0249/2010-0806 hits.