June 25, 2026

PBX Science

VoIP & PBX, Networking, DIY, Computers.

Microsoft Under Fire as Researcher “Nightmare-Eclipse” Drops Six Windows Zero-Days Without Warning

Microsoft vs. Nightmare-Eclipse: The Zero-Day Disclosure Controversy of 2026
Cybersecurity Intelligence Report
Vulnerability Disclosure

A months-long feud between Microsoft and an anonymous security researcher has exposed deep fractures in the coordinated vulnerability disclosure system — and left Windows users scrambling to patch critical flaws before attackers could exploit them.

Published: June 24, 2026 | Category: Cybersecurity / Vulnerability Research

Beginning in April 2026, an anonymous security researcher operating under handles including Chaotic Eclipse, Nightmare-Eclipse, and Dead Eclipse began publicly releasing proof-of-concept (PoC) exploit code for a series of unpatched vulnerabilities affecting core Microsoft Windows components — without first notifying the company. The move set off one of the most dramatic and widely debated vulnerability disclosure disputes the cybersecurity industry has seen in years.

In total, six vulnerabilities were disclosed: BlueHammer, RedSun, UnDefend, YellowKey, GreenPlasma, and MiniPlasma. Three of them — BlueHammer, RedSun, and UnDefend — had been weaponized by real-world attackers by the time Microsoft could respond, and CISA subsequently added several to its Known Exploited Vulnerabilities (KEV) catalog.

The Six Vulnerabilities

The disclosures span a range of Windows components, with the most serious flaws targeting Microsoft Defender — the default antivirus engine embedded in all modern versions of Windows — and BitLocker, the full-disk encryption feature built into Windows 10, Windows 11, and Windows Server.

| Name | CVE | Target | Type | Patch Status at Disclosure |
|---|---|---|---|---|
| BlueHammer | CVE-2026-33825 | Windows Defender | Local Privilege Escalation | Patched (April 2026) |
| RedSun | CVE-2026-41091 | Windows Defender | Local Privilege Escalation | Patched (May 2026) |
| UnDefend | CVE-2026-45498 | Windows Defender | Denial of Service / Detection Evasion | Patched (May 2026) |
| YellowKey | CVE-2026-45585 | Windows BitLocker | Security Feature Bypass | Unpatched at Disclosure |
| GreenPlasma | Pending | Windows (BitLocker area) | Not fully detailed publicly | Unpatched at Disclosure |
| MiniPlasma | Pending | Windows Cloud Filter Driver | Local Privilege Escalation (SYSTEM) | Unpatched at Disclosure |

BlueHammer is particularly notable: it exploits a time-of-check/time-of-use (TOCTOU) race condition in Defender’s signature update workflow, allowing an unprivileged local user to obtain SYSTEM-level privileges and access the Security Account Manager (SAM) database. Because Defender is installed and trusted by default on every modern Windows machine, the attack surface is enormous.

A Grievance, Not Random Vandalism

Security researchers and analysts have emphasized that the disclosures did not appear to be random acts of malice. Rather, Nightmare-Eclipse has publicly stated specific grievances against Microsoft: the company allegedly deleted the MSRC (Microsoft Security Response Center) account they used to submit bug reports, cutting off their access to their own prior submissions, and refused to pay bounties they believed they had earned.

“You literally deleted the Microsoft account I used to report bugs to you with, and I got zero pennies from doing so and I still happily did like an idiot. Now you take the courtesy to flag my GitHub account and wipe it out of the public, just like that?” — Nightmare-Eclipse, in a public post

The researcher’s identity has not been publicly confirmed. They have used multiple aliases across platforms and are described by some in the security community as a malicious actor, while others view them more sympathetically as a researcher pushed to the edge by a large corporation’s unresponsive disclosure process. Industry observers have consistently cautioned against treating the episode as straightforwardly criminal, noting that the frustration Nightmare-Eclipse describes is widely recognized among professional vulnerability researchers.

The Timeline of Escalation

  • April 2, 2026: Nightmare-Eclipse publishes the first PoC exploit for BlueHammer (CVE-2026-33825) on GitHub, with a warning that more disclosures would follow if Microsoft did not respond.
  • April–May 2026: Five additional exploits — RedSun, UnDefend, YellowKey, GreenPlasma, and MiniPlasma — are released in rapid succession. Attackers begin using BlueHammer, RedSun, and UnDefend in real-world intrusions, as confirmed by threat intelligence firm Huntress.
  • May 23, 2026: GitHub terminates Nightmare-Eclipse’s account, removing the primary hosting location for the exploits. The researcher moves the code to GitLab.
  • May 26, 2026: GitLab bans the newly created account as well, cutting off the researcher’s main public platforms.
  • May 27, 2026: Microsoft’s Security Response Center (MSRC) publishes a formal blog post condemning the disclosures as “irresponsible” and suggesting it would coordinate with its Digital Crimes Unit and law enforcement — language widely interpreted as a threat of criminal prosecution.
  • May 28, 2026: Nightmare-Eclipse pledges a further, larger release of Windows exploit details, telling the security community to “mark July 14 in their diaries” — the date of Microsoft’s next Patch Tuesday.
  • June 1, 2026: Microsoft walks back its legal threat in a post on X, clarifying it has “no intention to pursue action against individuals conducting or publishing their security research,” while adding a caveat about criminal activity causing real harm to customers.

Microsoft’s Response and the CVD Framework

In its May 27 statement, the Microsoft Security Response Center named all six vulnerabilities and defended the principle of Coordinated Vulnerability Disclosure (CVD) — an industry-standard framework under which researchers share vulnerability details privately with vendors, allowing patches to be developed before public disclosure. Microsoft has operated a formal CVD program since 2010.

“Uncoordinated disclosures that put proof-of-concept code for unpatched vulnerabilities into the hands of bad actors are never justifiable and have real-world consequences.” — Microsoft Security Response Center, May 27, 2026

The company stated its security teams had been working continuously to assess the impact, protect customers, and develop patches. It reaffirmed its commitment to accepting vulnerability reports through its public portal “regardless of past interactions or reputation” — a notable line given the context of the dispute — and acknowledged that “some interactions have fallen short” without directly addressing Nightmare-Eclipse’s specific allegations.

Security Community Pushback

Microsoft’s initial statement — particularly the reference to its Digital Crimes Unit and law enforcement — triggered significant backlash from security researchers and industry organizations. Many argued that threatening criminal action against bug hunters, even those who disclose without coordination, would create a chilling effect on vulnerability research and push researchers to sell their findings to zero-day brokers or nation-state actors rather than report them to vendors.

Collin Hogue Spears, senior director at Black Duck, described the incident as “a breakdown in coordinated vulnerability disclosure, not random vandalism,” and called for Microsoft to invest in a disclosure channel that offers researchers faster, clearer responses and bounty decisions. Jacob Krell of Suzu Labs noted that “six vulnerabilities across core Windows components including Defender and BitLocker that reached production represent a vendor engineering failure” and that the traditional 90-day disclosure embargo “was designed for a slower world” — one that no longer exists given how AI has accelerated vulnerability discovery timelines.

Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, offered a measured take: “Customers will be affected by these disclosures, even if it means they have to engage their emergency patch process instead of getting exploited. I’m not sure what it will take for Microsoft to get this person to disclose their bugs privately, but clearly, they need to work on their outreach skills.”

What Comes Next

With Nightmare-Eclipse having publicly threatened additional disclosures on July 14, 2026 — Microsoft’s next Patch Tuesday — security teams across the industry are on alert. CISA has already added CVE-2026-33825 (BlueHammer), CVE-2026-41091 (RedSun), and CVE-2026-45498 (UnDefend) to its Known Exploited Vulnerabilities catalog, and has urged Windows administrators to apply all available patches immediately.

Organizations running Windows 10, Windows 11, or Windows Server 2016 through 2026 are advised to ensure Windows Update is current on all endpoints, brief incident response teams about the July 14 timeline, and monitor MSRC advisories closely in the coming weeks.
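To turn the KEV advice above into a repeatable check, here is an added example (not code from the article, Microsoft or CISA): a small Python triage that cross-checks the CVEs named in this piece against a feed in the shape of CISA's KEV JSON. The feed excerpt, its dates, and the patch inventory are constructed for the demo; only the field names follow the real catalog.

```python
"""Cross-check a CVE watchlist against a CISA KEV-shaped feed and report
remediation deadlines. Added example; not code from the article or from CISA."""
import json
from datetime import date

# Constructed excerpt in the shape of CISA's KEV JSON feed: field names follow
# the real feed, but every date and description below is made up for this demo.
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2026-33825", "vendorProject": "Microsoft", "product": "Windows Defender",
     "vulnerabilityName": "BlueHammer (constructed)", "dateAdded": "2026-04-10", "dueDate": "2026-05-01"},
    {"cveID": "CVE-2026-41091", "vendorProject": "Microsoft", "product": "Windows Defender",
     "vulnerabilityName": "RedSun (constructed)", "dateAdded": "2026-06-09", "dueDate": "2026-06-30"},
    {"cveID": "CVE-2026-45498", "vendorProject": "Microsoft", "product": "Windows Defender",
     "vulnerabilityName": "UnDefend (constructed)", "dateAdded": "2026-05-20", "dueDate": "2026-06-10"},
]})

# The four CVE-numbered flaws the article names. YellowKey is on the watchlist
# but (in this sample) not in KEV, so the report flags it instead of dropping it.
WATCHLIST = {
    "CVE-2026-33825": "BlueHammer", "CVE-2026-41091": "RedSun",
    "CVE-2026-45498": "UnDefend", "CVE-2026-45585": "YellowKey",
}

def kev_index(feed_json):
    """Parse a KEV feed and index its entries by CVE id."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}

def triage(feed_json, watchlist, remediated, today):
    """Return (cve, name, status) for each watchlist CVE, sorted by CVE id.
    today is an ISO date string; status is 'remediated', 'overdue',
    'due YYYY-MM-DD', or 'not-in-kev' (still unpatched, not yet in the catalog)."""
    idx = kev_index(feed_json)
    now = date.fromisoformat(today)
    report = []
    for cve, name in sorted(watchlist.items()):
        if cve in remediated:
            status = "remediated"
        elif cve not in idx:
            status = "not-in-kev"
        else:
            due = date.fromisoformat(idx[cve]["dueDate"])
            status = "overdue" if now > due else f"due {idx[cve]['dueDate']}"
        report.append((cve, name, status))
    return report

if __name__ == "__main__":
    # Constructed patch inventory: only BlueHammer's fix is confirmed installed fleet-wide.
    for row in triage(KEV_SAMPLE, WATCHLIST, {"CVE-2026-33825"}, "2026-06-24"):
        print(*row)
```

In practice the feed would be fetched from CISA's published catalog and the remediated set built from the endpoint management inventory, with the report feeding the incident response briefing the article recommends.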

At a broader level, this episode has reignited long-standing debates about the fairness and durability of coordinated disclosure frameworks — particularly for independent researchers who lack the institutional backing of large security firms. Whether Microsoft takes concrete steps to improve its researcher relations, or whether Nightmare-Eclipse follows through on further disclosures, the outcome will likely shape vulnerability disclosure norms for years to come.

© 2026 Cybersecurity Intelligence Report. All rights reserved. Information sourced from Microsoft MSRC, CISA, Dark Reading, Computer Weekly, The Hacker News, and CPO Magazine.