
Microsoft Faces Legal Action Over Uncoordinated Zero-Day Vulnerabilities

Severity: High (Score: 69.8)

Sources: jericho.blog, Infosecurity-Magazine, Gbhackers, Heise.De, Cybersecuritynews

Published: 2026-05-28 · Updated: 2026-05-29

Keywords: microsoft, warns, public, release, zero, issued, strong

Severity indicators: issue

Summary

Microsoft has threatened legal action against the discoverer of multiple zero-day vulnerabilities in Windows, including CVE-2026-33825, CVE-2026-41091, and CVE-2026-45498, which were disclosed publicly without prior notification to the vendor. These vulnerabilities were exploited in the wild before patches were available, increasing the risk to users. The Microsoft Security Response Center criticized the uncoordinated disclosures for enabling bad actors to attack unpatched systems and stressed the role of Coordinated Vulnerability Disclosure (CVD) in limiting that exposure. Microsoft has already deleted the GitHub account of the alleged discoverer, who released six zero-days in a short period. The episode highlights the ongoing tension between security researchers and software vendors over disclosure practices.

Key Points:

  • Microsoft threatens legal action against a researcher for uncoordinated zero-day disclosures.
  • Six zero-day vulnerabilities were disclosed without prior notification, increasing exploitation risk.
  • Microsoft emphasizes the need for Coordinated Vulnerability Disclosure to protect users.

Detailed Analysis

**Impact**

Multiple zero-day vulnerabilities in Microsoft Windows have been publicly disclosed without prior coordination, affecting enterprise and consumer users globally. Exploitation of these unpatched flaws, including RedSun, UnDefend, and BlueHammer, has already been observed, raising the risk of unauthorized system access and data compromise. The uncoordinated disclosures forced Microsoft's security teams to respond out of cycle, disrupting normal patch development and leaving customers exposed for longer than a coordinated release would have.

**Technical Details**

The exploited vulnerabilities include CVE-2026-33825 (BlueHammer), CVE-2026-41091 (RedSun), CVE-2026-45498 (UnDefend), CVE-2026-45585 (YellowKey), and others linked to CVE-2020-17103 (GreenPlasma and MiniPlasma). Publicly released proof-of-concept exploit code is available for the flaws and has been used by attackers; the disclosed issues involve the Windows Registry and other system components. The disclosures bypassed Coordinated Vulnerability Disclosure (CVD) channels, so threat actors could exploit the zero-days before patches existed. No specific malware or attacker infrastructure details were provided in the source reporting.

**Recommended Response**

Apply all available Microsoft security updates immediately as they are released, prioritizing patches for the identified CVEs. Monitor for exploitation attempts using indicators related to registry key manipulation and unusual system behavior consistent with the disclosed vulnerabilities. Harden systems by restricting unauthorized registry modifications and strengthen network monitoring for suspicious activity targeting Windows components. Watch for further updates from Microsoft and route any new findings through established CVD channels.
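The response guidance above calls for monitoring registry key manipulation, and the related entities list MITRE T1547 (Boot or Logon Autostart Execution). The PowerShell below is an added example, not code from the page or from Microsoft, showing how to audit writes to the Run/RunOnce autostart keys and pull the resulting Security log events. The choice of keys is an assumption: the source articles do not name which registry locations the disclosed flaws touch, so the `$Keys` list should be replaced with the paths Microsoft's advisories identify. Event ID 4657 (registry value modified) and the `auditpol` Registry subcategory are standard Windows auditing features; the script must run elevated.

```powershell
# Added example (not from the page or Microsoft). Enables object-access auditing on
# autostart keys (MITRE T1547.001) and reports registry value modifications.
# ASSUMPTION: the keys below are illustrative; substitute the paths named in the
# vendor advisories for the CVEs listed on this page. Run from an elevated shell.

$Keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

# 1. Turn on the Registry subcategory of Object Access auditing so that key
#    and value changes produce 4657/4663 events in the Security log.
auditpol /set /subcategory:"Registry" /success:enable /failure:enable | Out-Null

# 2. Attach a SACL entry to each key so writes by any principal are audited.
foreach ($k in $Keys) {
    if (-not (Test-Path $k)) { continue }
    $acl  = Get-Acl -Path $k -Audit
    $rule = New-Object System.Security.AccessControl.RegistryAuditRule(
        'Everyone',
        [System.Security.AccessControl.RegistryRights]'SetValue,CreateSubKey,Delete,ChangePermissions',
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit',
        [System.Security.AccessControl.PropagationFlags]'None',
        [System.Security.AccessControl.AuditFlags]'Success,Failure')
    $acl.AddAuditRule($rule)
    Set-Acl -Path $k -AclObject $acl
}

# 3. Pull 4657 (registry value modified) events from the last 24 hours, parse the
#    EventData fields, and keep only changes to autostart keys made by accounts other
#    than LocalSystem. Tune the exclusions for your fleet; SCCM/Intune agents and
#    installers legitimately write here.
$since = (Get-Date).AddHours(-24)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4657; StartTime = $since } `
             -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time     = $_.TimeCreated
            User     = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            Process  = $d.ProcessName
            Key      = $d.ObjectName
            Value    = $d.ObjectValueName
            NewValue = $d.NewValue
        }
    } |
    Where-Object { $_.Key -match 'CurrentVersion\\Run' -and $_.User -ne 'NT AUTHORITY\SYSTEM' } |
    Sort-Object Time -Descending |
    Format-Table -AutoSize
```

Enabling the SACL is what turns on the telemetry; step 3 alone returns nothing on a host that has never audited the keys. On a large fleet the same filter belongs in the SIEM rather than in a per-host script, but the event fields (SubjectUserName, ProcessName, ObjectName, ObjectValueName, NewValue) are the same ones to key on there.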

Source articles (5)

  • Microsoft Warns Against Public Release of Zero — Gbhackers · 2026-05-28
    Microsoft has issued a strong warning to the cybersecurity community following a recent surge in publicly disclosed zero-day vulnerabilities without prior coordination. According to the Microsoft Secu…
  • Microsoft Warns Public Release of Zero — Cybersecuritynews · 2026-05-28
    Microsoft has issued a strong warning after multiple zero-day vulnerabilities were publicly disclosed without prior coordination, raising concerns about increased risk to users and enterprise environments.…
  • Microsoft Condemns "Uncoordinated" Zero Day Disclosures — Infosecurity-Magazine · 2026-05-28
    In a new bulletin, Microsoft has criticized security researchers for publicly reporting vulnerabilities in the company’s products before patches were available and without prior notice. These “uncoord…
  • Vulnerability Embargos Are Dead — jericho.blog · 2026-05-28
    When a researcher finds a security vulnerability that impacts more than one vendor, and they wish to coordinate disclosure with both, it creates a situation where an embargo must be put in place. In t…
  • Too many zero-days: Microsoft threatens legal action — Heise.De · 2026-05-29
    Evidence of security vulnerabilities in Microsoft Windows has been published multiple times recently without a security update being available. Such vulnerabilities were then also exploited, for examp…

Timeline

  • 2018-08-06 — CVE-2018-5390 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
  • 2020-12-09 — CVE-2020-17103 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
  • 2026-04-14 — CVE-2026-33825 published: A zero-day vulnerability in Windows was published and later added to CISA KEV due to active exploitation.
  • 2026-05-19 — CVE-2026-45585 published: Another zero-day vulnerability was disclosed, with the first public proof-of-concept released shortly after.
  • 2026-05-20 — CVE-2026-41091 and CVE-2026-45498 published: Two additional zero-day vulnerabilities were published, both added to CISA KEV due to active exploitation.
  • Recent — Microsoft deletes GitHub account of researcher: Microsoft took action against the researcher who disclosed multiple zero-days, deleting their GitHub account.

CVEs

  • CVE-2018-5390
  • CVE-2020-17103
  • CVE-2026-33825
  • CVE-2026-41091
  • CVE-2026-45498
  • CVE-2026-45585

Related entities

  • Zero-day Exploit (Attack Type)
  • Adobe Systems Incorporated (Company)
  • AMD (Company)
  • Apple (Company)
  • Cert/cc (Company)
  • Cisco (Company)
  • Dell (Company)
  • Fortinet (Company)
  • IDefense Labs (Company)
  • Intel (Company)
  • Microsoft (Company)
  • NGS Software (Company)
  • Oracle (Company)
  • Phoenix Technologies (Company)
  • RealNetworks (Company)
  • Zero Day Initiative (Company)
  • Linux kernel (Platform)
  • OpenBSD (Platform)
  • AMD BIOS (Platform)
  • Intel processors (Platform)
  • Linux (Platform)
  • Windows (Platform)
  • CWE-287 - Improper Authentication (Cwe)
  • german.it (Domain)
  • T1547 - Boot Or Logon Autostart Execution (Mitre Attack)
  • BlueHammer (Vulnerability)
  • Copy Fail 2 (Vulnerability)
  • Data Bounce (Vulnerability)
  • Dirty Frag (Vulnerability)
  • GreenPlasma (Vulnerability)
  • Krack (Vulnerability)
  • LogoFAIL (Vulnerability)
  • Meltdown (Vulnerability)
  • MiniPlasma (Vulnerability)
  • RedSun (Vulnerability)
  • SegmentSmack (Vulnerability)
  • Spectre (Vulnerability)
  • UnDefend (Vulnerability)
  • YellowKey (Vulnerability)