Microsoft Faces Backlash Over Zero-Day Exploits by Disgruntled Researcher
Severity: High (Score: 69.9)
Sources: doublepulsar.com, Ground.News, Gadgetreview, Uk.Pcmag, Securityaffairs.Co
Keywords: microsoft, disgruntled, researcher, cybersecurity, hunter, against, windows
Severity indicators: bug, gru
Summary
A researcher known as Nightmare Eclipse has publicly disclosed six unpatched Windows zero-day vulnerabilities, among them BlueHammer, RedSun, and UnDefend. Microsoft has threatened legal action against the researcher for not following its Coordinated Vulnerability Disclosure (CVD) process, which is meant to give the vendor time to patch before details become public. Three of the six vulnerabilities are being exploited in the wild, creating significant risk for enterprises. Nightmare Eclipse has promised a 'bone shattering' release of additional exploits on July 14, further escalating tensions. Microsoft has publicly condemned the uncoordinated disclosures, stating that they could harm customers and the digital ecosystem. The cybersecurity community is divided, with some supporting the researcher's actions as a way to pressure Microsoft into better practices. The situation highlights long-standing friction over vulnerability disclosure between independent researchers and large vendors.

Key Points:
• Nightmare Eclipse has disclosed six unpatched Windows zero-days, including BlueHammer and RedSun.
• Microsoft has threatened legal action against the researcher for uncoordinated vulnerability disclosures.
• Three of the disclosed vulnerabilities are actively exploited in ransomware attacks.
Detailed Analysis
**Impact**

Enterprises worldwide are affected by active exploitation of three Windows zero-day vulnerabilities that were disclosed before fixes were available: BlueHammer (CVE-2026-33825), RedSun (CVE-2026-41091), and UnDefend (CVE-2026-45498). Exploitation has led to ransomware deployment and privilege escalation. Because working exploit code was public before any update, the window between disclosure and weaponization shrank from days to hours, causing operational disruption across sectors that depend on Windows infrastructure. Three further vulnerabilities, YellowKey (CVE-2026-45585), GreenPlasma, and MiniPlasma, remain unpatched; Microsoft has flagged YellowKey as having a high likelihood of exploitation, which raises the risk to data protected by BitLocker.

**Technical Details**

The exploited zero-days target Windows components including Microsoft Defender and BitLocker, and the attack vectors involve local privilege escalation and bypass of encryption protections. The researcher known as Nightmare Eclipse published proof-of-concept exploit code for all six vulnerabilities on GitHub and GitLab before patches were available. BlueHammer, RedSun, and UnDefend are exploited in the wild, with attackers chaining the exploits to blind Defender and then deploy ransomware. The disclosures carry the identifiers CVE-2026-33825, CVE-2026-41091, CVE-2026-45498, and CVE-2026-45585, plus references to older vulnerabilities (for example CVE-2020-17103). The sources give no IOCs or attacker infrastructure details, so detection has to rest on the affected components' behaviour rather than on indicators.

**Recommended Response**

Apply every Microsoft update released since April 2026 as soon as possible, and track the advisories for BlueHammer, RedSun, and UnDefend so that their fixes are deployed the day they ship; until a fix exists for a given flaw, treat hosts running the affected component as exposed and rely on the compensating checks below. Monitor Microsoft Defender for signs of tampering (the engine or real-time protection being turned off, the product dropping into passive mode, configuration changes outside your management tooling), since blinding Defender is the first step of the observed chain. Review BitLocker configurations, in particular volumes protected by the TPM alone, and consider requiring a PIN or startup key in addition to the TPM where a bypass of pre-boot protections is a concern. Deploy detection rules for the generic privilege-escalation and ransomware-deployment techniques associated with these zero-days (T1068, T1486, T1547), because no flaw-specific indicators have been published.

Maintain heightened vigilance for the new disclosures expected on July 14, 2026, and monitor official Microsoft advisories and threat intelligence feeds for updates.
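The host-level checks the response section calls for, written out as an added example; this is not code from the cited articles or from Microsoft, and it only uses built-in cmdlets (Get-BitLockerVolume, Get-MpComputerStatus, Get-WinEvent, Get-HotFix). The 2026-04-01 patch cutoff, the 24-hour look-back, and the choice of Defender event IDs are this example's assumptions, not indicators from the sources, which published none. It flags BitLocker volumes with protection off or an OS volume relying on the TPM alone, Defender state that suggests it has been blinded, recent Defender configuration or tamper events, and hosts that have received no updates since the cutoff.

```powershell
<#
  Added example: host posture check for the response steps above.
  Not code from the cited articles or from Microsoft. Assumptions: run
  elevated as a script file on Windows 10/11 or Windows Server with the
  BitLocker and Defender modules present; $PatchedSince, $LookbackHours and
  the event ID list are illustrative choices, not published indicators.
#>
[CmdletBinding()]
param(
    [datetime]$PatchedSince = [datetime]'2026-04-01',
    [int]$LookbackHours = 24
)

$findings = [System.Collections.Generic.List[string]]::new()

# 1. BitLocker: every volume must be protected, and the OS volume should not
#    rely on the TPM alone (no PIN or startup key), the setup the analysis
#    above singles out for review.
foreach ($vol in Get-BitLockerVolume) {
    $types = @($vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
    if ([string]$vol.ProtectionStatus -ne 'On') {
        $findings.Add("BitLocker: $($vol.MountPoint) protection is $($vol.ProtectionStatus)")
        continue
    }
    $preBoot = @($types | Where-Object { $_ -in 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey' })
    if ([string]$vol.VolumeType -eq 'OperatingSystem' -and $types -contains 'Tpm' -and $preBoot.Count -eq 0) {
        $findings.Add("BitLocker: $($vol.MountPoint) is TPM-only (protectors: $($types -join ', '))")
    }
}

# 2. Defender: a chain that "blinds" the AV shows up as the engine or
#    real-time protection turned off, tamper protection off, or passive mode.
$mp = Get-MpComputerStatus
if (-not $mp.AntivirusEnabled)          { $findings.Add('Defender: antivirus engine is disabled') }
if (-not $mp.RealTimeProtectionEnabled) { $findings.Add('Defender: real-time protection is disabled') }
if (-not $mp.IsTamperProtected)         { $findings.Add('Defender: tamper protection is off') }
if ($mp.AMRunningMode -ne 'Normal')     { $findings.Add("Defender: running mode is '$($mp.AMRunningMode)'") }

# 3. Defender operational log within the look-back window. IDs used here:
#    5001 real-time protection disabled, 5004 real-time protection
#    configuration changed, 5007 configuration changed, 5010/5012 scanning
#    disabled, 5013 tamper protection blocked a change, 1116 malware detected.
$filter = @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1116, 5001, 5004, 5007, 5010, 5012, 5013
    StartTime = (Get-Date).AddHours(-$LookbackHours)
}
foreach ($e in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
    $firstLine = ("$($e.Message)" -split "`r?`n")[0]
    $findings.Add("Defender event $($e.Id) at $($e.TimeCreated.ToString('s')): $firstLine")
}

# 4. Patch state. Get-HotFix is coarse (KBs, not CVEs), so this only catches
#    hosts that have received nothing since the cutoff; map the KBs for the
#    named CVEs from Microsoft's advisories and check those explicitly.
$recent = @(Get-HotFix | Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $PatchedSince })
if ($recent.Count -eq 0) {
    $findings.Add("Patching: no updates installed since $($PatchedSince.ToString('yyyy-MM-dd'))")
}

# Report one line per finding; non-zero exit lets a fleet-wide run be triaged.
if ($findings.Count -eq 0) {
    Write-Output "$env:COMPUTERNAME: no findings"
    exit 0
}
$findings | ForEach-Object { Write-Output "$env:COMPUTERNAME: $_" }
exit 1
```

Run it as a file (for example via your endpoint management tool or Invoke-Command) rather than dot-sourcing it, because the exit statements would otherwise close the calling shell. The BitLocker test deliberately treats TpmPin, TpmStartupKey and TpmPinStartupKey as acceptable and only reports an OS volume whose protector list contains a bare Tpm entry with none of those; adjust that policy if your baseline already mandates a PIN.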
Source articles (10)
- Disgruntled 0-day hunter 'humiliated' by Microsoft pledges 'bone shattering drop' as Redmond calls cops — Theregister · 2026-05-28
  The ongoing saga of Microsoft versus Nightmare Eclipse (aka Chaotic Eclipse), the disgruntled bug hunter with a deep understanding of Windows and an even deeper grudge against Microsoft, reached a fev…
- Microsoft Threatens Researcher Over Bug Reports, Triggers Cybersecurity Uproar — Uk.Pcmag · 2026-05-28
  The cybersecurity community is blasting Microsoft for threatening legal action against a disgruntled researcher who's been exposing Windows vulnerabilities outside the company's normal disclosure proc…
- Disgruntled 0-day hunter 'humiliated' by Microsoft pledges 'bone shattering drop' as ... — Ground.News · 2026-05-29
  The ongoing saga of Microsoft versus Nightmare Eclipse (aka Chaotic Eclipse), the disgruntled bug hunter with a deep understanding of Windows and an even deeper grudge against Microsoft, reached a fev…
- Six Zero-Days Revealed in Six Weeks: Microsoft Responds with Threat — www.heise.de · 2026-05-29
  Proofs of security vulnerabilities in Microsoft Windows have recently been published several times without a security update being available for them. Such vulnerabilities were then also exploited, for example…
- Microsoft's Security Team Published an Article Criticizing Researchers for Prematurely Disclosing Vulnerabilities, but Did Not Address the Conflict with the Researchers. — unsafe.sh · 2026-05-29
  #IndustryNews Microsoft's threat intelligence team published a post criticizing researchers for disclosing vulnerabilities early, but the team did not address its conflict with the researchers. The blog is probably aimed mainly at the BitLocker vulnerability discloser Nightmare Eclipse, a researcher who plans to publish more unpatched vulnerabilities in July; however, Microsoft stressed at the end of the post that it welcomes researchers to keep reporting vulnerabilities responsibly and that cooperation can continue regardless of past interactions or reputation. Details: Recently, security researchers have publicly disclosed vulnerabilities before Microsoft had fixed them…
- Microsoft Calls the Zero — Securityaffairs.Co · 2026-05-29
  A researcher dropped 6 Windows zero-days with no warning. Three are now exploited in the wild. Microsoft is angry. The researcher says Microsoft ignored them first. Over the past month, a researcher g…
- Disgruntled 0-Day Hunter Promises 'Bone Shattering Drop' as Redmond Calls Police — Gadgetreview · 2026-05-29
  Dead phone batteries during emergencies are dangerous, but six unpatched Windows exploits actively hunting your enterprise network? That's the kind of chaos money can't fix. An anonymous researcher ca…
- Nightmare Eclipse Zero Days Grudge — blog.barracuda.com · 2026-05-28
- Microsoft's Stance On Zero Day Exploits Is A Dumpster Fire Of Their Own Making — doublepulsar.com · 2026-05-28
- Microsoft Threatens Researcher Over Bug Reports, Triggers Cybersecurity Uproar — www.pcmag.com · 2026-05-29
Timeline
- 2020-12-09 — CVE-2020-17103 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
- 2026-04-14 — CVE-2026-33825 published: BlueHammer, a critical Windows vulnerability, was disclosed and later added to CISA's KEV list.
- 2026-05-19 — CVE-2026-45585 published: Nightmare Eclipse released proof-of-concept code for YellowKey, a BitLocker bypass vulnerability.
- 2026-05-20 — CVE-2026-41091 published: RedSun, another critical vulnerability, was disclosed and confirmed to be actively exploited.
- 2026-05-20 — CVE-2026-45498 published: UnDefend, a significant Windows flaw, was also disclosed and added to the CISA KEV list.
- 2026-05-28 — Microsoft threatens legal action: Microsoft publicly condemned Nightmare Eclipse's disclosures, threatening legal action for uncoordinated releases.
- 2026-07-14 — Nightmare Eclipse promises additional exploits: The researcher has vowed to release more vulnerabilities, escalating the ongoing conflict with Microsoft.
CVEs
- CVE-2026-33825 (BlueHammer)
- CVE-2026-41091 (RedSun)
- CVE-2026-45498 (UnDefend)
- CVE-2026-45585 (YellowKey)
- CVE-2020-17103 (older vulnerability referenced in the disclosures)
Related entities
- Ransomware (Attack Type)
- Zero-day Exploit (Attack Type)
- Microsoft (Company)
- CWE-200 - Exposure of Sensitive Information (Cwe)
- CWE-269 - Improper Privilege Management (Cwe)
- CWE-287 - Improper Authentication (Cwe)
- BlueHammer (Vulnerability)
- RedSun (Vulnerability)
- UnDefend (Vulnerability)
- GreenPlasma (Vulnerability)
- MiniPlasma (Vulnerability)
- YellowKey (Vulnerability)
- T1068 - Exploitation for Privilege Escalation (Mitre Attack)
- T1486 - Data Encrypted for Impact (Mitre Attack)
- T1547 - Boot Or Logon Autostart Execution (Mitre Attack)
- Windows (Platform)
- SandboxEscaper (Researcher)