ComputerWeekly

Microsoft hits out over irresponsible vulnerability disclosure

Microsoft has hit back after a disgruntled security researcher published proof of concept hacks for six zero-day vulnerabilities in its products without sharing details with Redmond prior to release, saying they had put its customers at “unnecessary risk”.

Perceived by some as a malicious actor and by others as a Robin Hood-like cyber hero, the researcher, known to the community as Nightmare Eclipse among other related handles, appears to be motivated by personal grievance towards Microsoft.

Their identity has not been made public but Computer Weekly understands that within the past few days they have been banned from code repositories GitHub and GitLab. They have threatened further disclosures, telling onlookers to mark 14 July in their diaries.

Microsoft said that every year, it works with hundreds of security researchers through established Coordinated Vulnerability Disclosure (CVD) processes, an industry standard set of best practices that enable ethical hackers to share their findings with suppliers to enable them to address the issue prior to disclosure.

In theory, though not always in practice, this process ensures that patches can be issued before proof-of-concept code gets into the hands of threat actors, and that researchers are fairly compensated and recognised, something Nightmare Eclipse disputes.

However, said Microsoft, the vulnerabilities uncovered by Nightmare Eclipse, known as BlueHammer, GreenPlasma, MiniPlasma, RedSun, UnDefend and YellowKey, were not responsibly disclosed but rather unleashed on the world without warning over the past few weeks, leaving its teams unprepared and running to catch up.

“In response to the unnecessary risk created by these disclosures, our security teams have been working around the clock to understand the impact, protect our customers, and develop security updates,” said Microsoft.

“We remain firmly opposed to these actions, and any disclosure outside proper coordination that could harm our customers and the digital ecosystem. Uncoordinated disclosures that put proof-of-concept code for unpatched vulnerabilities into the hands of bad actors are never justifiable and have real-world consequences.”

Microsoft said that while it invited diverse perspectives and recognised that it will not always agree with independent researchers on everything, it was “committed to transparency” and wanted to continue to create more opportunities for dialogue with the wider community.

Microsoft said: “Our team will continue to support responsible research as we do everything we can to quickly investigate, address, and release updates for vulnerabilities that impact our customers. We always have and will continue to welcome vulnerability submissions from anyone through our public researcher portal, regardless of past interactions or reputation.”

Vulnerability management

As of 28 May, four of the six flaws released by Nightmare Eclipse have been assigned Common Vulnerabilities and Exposures (CVE) designations. These are, in numerical order:

  • CVE-2026-33825, also known as BlueHammer, an elevation of privilege (EoP) vulnerability in Windows Defender that enables an attacker with normal user-level access to escalate to system-level privileges – note that Microsoft has credited this flaw to two other researchers;
  • CVE-2026-41091, also known as RedSun, another EoP flaw in Windows Defender that also enables system-level execution rights;
  • CVE-2026-45498, also known as UnDefend, a denial of service (DoS) vulnerability in Windows Defender that arises from an uncontrolled resource consumption issue and enables an attacker with elevated access to avoid detection by interfering with Defender’s operation;
  • CVE-2026-45585, also known as YellowKey, a security feature bypass (SFB) vulnerability in Windows BitLocker that could enable an attacker with physical access to their target’s system to access data on drives protected by certain BitLocker configurations.

Meanwhile, GreenPlasma, an EoP vulnerability in Windows BitLocker, is yet to be assigned a CVE designation, while MiniPlasma bypasses the fix for CVE-2020-17103, a previously patched EoP flaw in the Windows Cloud Filter driver.

A changing world

While Nightmare Eclipse’s actions are generally agreed to be inappropriate and highly irresponsible, many members of the cyber community have pointed out that the traditional CVD process is starting to break down.

John Carberry is chief marketing officer and solution sleuth at Xcape, a Los Angeles-based managed security services provider (MSSP). He described an “escalating war of attrition” between ethical hackers and enterprise suppliers.

“This friction points to a deeper systemic breakdown. The security research community is clearly growing frustrated with vendor triage timelines, a bottleneck that has become critical given that Microsoft is already drowning in an engineering workload, evidenced by a massive 138-CVE patch cycle this month alone,” said Carberry.

He added: “The current standoff proves that the traditional model of coordinated vulnerability disclosure is buckling under its own weight, leaving enterprise security teams stuck in the crossfire between impatient researchers and overextended software vendors.”

Jacob Krell, senior director of secure AI solutions and cyber security at Suzu Labs, described CVD as a shared obligation and went so far as to recognise some of the reasoning behind Nightmare Eclipse’s grievances. He noted that given Microsoft generates hundreds of billions of dollars every year, it was unreasonable to expect researchers to subsidise its product security for free.

He also criticised Microsoft more directly, saying: “Six vulnerabilities across core Windows components including Defender and BitLocker that reached production represent a vendor engineering failure. These flaws should never have shipped. Vendors who ask for coordination must also invest in responsive triage and the development rigour that prevents this.”

Added Krell: “The traditional 90-day embargo was designed for a slower world. AI has compressed vulnerability discovery timelines so dramatically that 90 days is enough time for an entirely new frontier model to be deployed and pointed at the same code base. Microsoft has patched over 500 CVEs in the first five months of 2026 alone.

“That volume is a signal that product security posture across the ecosystem is weaker than the market assumes,” he warned.

Next steps

When somebody chooses to drop working exploit code for vulnerabilities in core enterprise IT products directly to the public, they are in effect giving the entire internet an immediate and unauthenticated pass into corporate networks. The zero-days disclosed by Nightmare Eclipse are known to be under active exploitation, so security leaders need to pay attention.

“Security executives cannot afford to wait around for vendor patches to slowly wind their way through QA and deployment pipelines,” said Xcape’s Carberry.

“They must establish an aggressive, internal mitigation capability that treats uncoordinated disclosures as immediate, active incidents, forcing them to deploy temporary configuration workarounds and hyper-specific EDR detection rules the moment a flaw hits GitHub, long before the official automated fix arrives on a future Patch Tuesday.”
