Microsoft Condemns Uncoordinated Disclosure of Windows Zero-Day Exploits
Microsoft said multiple Windows zero-day vulnerabilities were publicly disclosed without prior coordination, exposing customers before patches or mitigations were ready. The company identified the flaws as RedSun, UnDefend, BlueHammer, YellowKey, GreenPlasma, and MiniPlasma, affecting components including Microsoft Defender and BitLocker, and said the releases undermined Coordinated Vulnerability Disclosure practices by giving attackers technical details and proof-of-concept material to weaponize. Microsoft said its security teams are assessing impact, developing updates, and continuing to accept reports through the Microsoft Security Response Center.
The disclosures were tied to researcher Chaotic Eclipse, also known as Nightmare-Eclipse, whose GitHub account was reportedly removed and whose GitLab account was later suspended after exploit tools were mirrored across platforms. Reports said BlueHammer (CVE-2026-33825) was patched in April and added to CISA’s Known Exploited Vulnerabilities catalog, while RedSun and UnDefend remained unpatched as of late May; Microsoft and outside researchers said BlueHammer, RedSun, and UnDefend were already being exploited in the wild, including in intrusions that began with compromised FortiGate VPN credentials and escalated through Defender flaws. The researcher has accused Microsoft of mishandling earlier communications and threatened another public release, deepening the dispute over vendor coordination and platform enforcement.

How this story unfolded
Ten events, listed from the most recent confirmed update back to the earliest known activity.
Researcher threatens another disclosure release for July 14
Reporting said Nightmare-Eclipse threatened or announced another disclosure event for 2026-07-14. The planned release was described as a further escalation in the dispute over Microsoft’s handling of vulnerability disclosures.
Microsoft patches Nightmare-Eclipse-disclosed CVE-2026-45586
Microsoft released a patch on 2026-06-09 for CVE-2026-45586, a high-severity Windows local privilege escalation zero-day in the Collaborative Translation Framework that had been publicly disclosed by Nightmare Eclipse. The same patch cycle also appeared to fix the researcher-disclosed MiniPlasma issue, although Microsoft did not explicitly confirm that in its advisory.
Microsoft clarifies it will not sue good-faith security researchers
In late May 2026, Microsoft issued a clarification after backlash over its earlier comments on Nightmare-Eclipse, saying it did not intend to pursue action against individuals conducting or publishing security research in good faith. The company said legal escalation would be reserved for unlawful, malicious activity that causes real harm to customers and reaffirmed its vulnerability disclosure portal and coordinated disclosure stance.
Microsoft threatens legal and law enforcement action against researcher
Microsoft publicly criticized Nightmare Eclipse for releasing unpatched vulnerability details and exploit code, and warned that its Digital Crimes Unit could pursue legal action and coordinate with law enforcement. The warning escalated the dispute over the researcher’s disclosures beyond Microsoft’s earlier public criticism.
GitHub and GitLab suspend Nightmare-Eclipse accounts
In May 2026, the researcher Nightmare-Eclipse was suspended by GitHub and GitLab after publicly releasing and mirroring Windows zero-day exploit tools. Separate reporting said GitHub removed the account first and a subsequent GitLab account was also blocked.
CISA adds BlueHammer to Known Exploited Vulnerabilities catalog
After BlueHammer was patched, it was added to CISA’s Known Exploited Vulnerabilities catalog. This reflected official recognition that the flaw had been exploited in the wild.
Microsoft patches BlueHammer vulnerability
BlueHammer, tracked as CVE-2026-33825, was patched by Microsoft in April 2026. The same reporting said RedSun and UnDefend remained unpatched as of May 2026.
Microsoft says uncoordinated zero-day disclosures increased customer risk
On 2026-05-27, Microsoft said several zero-day vulnerabilities, including RedSun, UnDefend, BlueHammer, YellowKey, GreenPlasma, and MiniPlasma, had been publicly disclosed without prior coordination. The company said it was investigating impact, protecting customers, and developing security updates while reaffirming coordinated vulnerability disclosure practices.
Huntress reports active exploitation of released Defender exploits
By 2026-04-10, Huntress Labs reported active exploitation of BlueHammer, RedSun, and UnDefend in the wild. The activity included attackers entering through compromised FortiGate VPN credentials and then using Defender exploits for privilege escalation.
Researcher begins public Windows exploit release campaign
The public release campaign by the researcher known as Nightmare-Eclipse reportedly began on 2026-04-02, after dissatisfaction with the Microsoft Security Response Center's handling of disclosures. The campaign included BlueHammer, RedSun, and UnDefend exploit tools targeting Microsoft Defender.
Sources
Locked in heated rivalry with researcher, Microsoft fixes 0-day they disclosed - Ars Technica
arstechnica.com
Nightmare Eclipse incident shows the researcher-vendor fights may never fully go away | CyberScoop
cyberscoop.com
Microsoft says it will not prosecute researchers for publishing 0-day exploits - Хакер
xakep.ru
Microsoft denies legal action against researchers after slamming BlueHammer publisher | news | SC Media
scworld.com
Microsoft Warns Public Release of Zero-Day Details Before Vendor Coordination
cybersecuritynews.com
Microsoft 0-day feud escalates as researcher threatens another Windows exploit dump
theregister.com
GitLab Suspends Windows Exploit Researcher Nightmare-Eclipse After GitHub Ban
cybersecuritynews.com
A shared responsibility: Protecting customers through Coordinated Vulnerability Disclosure
microsoft.com