Microsoft Zero-Day Feud Escalates: Researcher Threatens July 14 Dump

Key Takeaways

- Six Windows zero-days released by Nightmare Eclipse since April, with three confirmed in active exploitation
- Microsoft has involved law enforcement and threatened legal action against the researcher
- July 14 Patch Tuesday could bring additional exploit releases, prompting organizations to prepare emergency responses

The standoff between Microsoft and an anonymous security researcher has turned into one of the most dramatic conflicts the infosec community has seen in years. The researcher, known as Nightmare Eclipse or Chaotic Eclipse, has released six Windows zero-day vulnerabilities since April 2026. Three are already being exploited in the wild. And the researcher says more are coming on July 14.
Microsoft responded Wednesday with a blog post on what it called "uncoordinated vulnerability disclosure." The company confirmed the bugs are real: RedSun, UnDefend, BlueHammer, YellowKey, GreenPlasma, and MiniPlasma. None were reported through official channels before going public, Microsoft said.
The company also made its stance clear. It has contacted law enforcement and hinted at legal action against the researcher.
Six Vulnerabilities, Three Under Active Attack
Attackers moved quickly after Nightmare Eclipse published working proof-of-concept exploit code. BlueHammer, RedSun, and UnDefend are now being used in active attacks, according to Microsoft and CISA. The code was posted to GitHub and GitLab accounts that have since been banned. GitHub, notably, is owned by Microsoft.
Three vulnerabilities remain unpatched: YellowKey, GreenPlasma, and MiniPlasma. Microsoft has flagged YellowKey (CVE-2026-45585) as "exploitation more likely" because a working proof-of-concept exists. The YellowKey exploit targets BitLocker and can bypass encryption in about 60 seconds on modern Windows systems.
The Breakdown in Relations
How did this happen? The researcher claims Microsoft terminated their MSRC (Microsoft Security Response Center) account, cutting off their ability to report vulnerabilities through proper channels. In their latest post, Nightmare Eclipse painted a picture of being ignored and insulted.
“When I actively asked you to communicate with me, you refused, humiliated me and made sure to insult me in front of people. You defame me.”
— Nightmare Eclipse, security researcher
Microsoft declined to answer The Register's questions about whether the researcher is a current or former employee, whether it plans to sue, or whether it terminated the researcher's MSRC account.
The company's blog post did not mince words about its view of the situation: "Uncoordinated disclosures that put proof-of-concept code for unpatched vulnerabilities into the hands of bad actors are never justifiable and have real-world consequences."
Security Community Divided
Reactions in the security community are split. Some defend the researcher's right to demonstrate flaws when they feel bug bounty programs have failed them. Others call the approach reckless and harmful.
“The relationship between Microsoft and the security research community is at a breaking point, and unfortunately, it's the enterprise customers who are caught in the crossfire.”
— Sarah Jenkins, Lead Cybersecurity Analyst at Infosec Dynamics
Former MSRC Program Manager David Chen criticized Microsoft's legal posture: "Legal threats against researchers who are providing proof-of-concept exploits for valid, albeit ignored, bugs is counterproductive to the entire ecosystem's safety."
On Hacker News, discussions are polarized. Many sysadmins expressed concern about July 14, the date Nightmare Eclipse chose for the next release. It falls on Patch Tuesday, Microsoft's monthly security update cycle. Some organizations are already planning "all-hands-on-deck" responses.
What Organizations Should Do Now
With three exploits already in active use and three more without patches, security teams face an unpleasant few weeks. The YellowKey BitLocker bypass is particularly concerning for organizations relying on disk encryption for endpoint security.
- Monitor CISA advisories for updates on the six named vulnerabilities
- Prepare incident response plans for July 14 Patch Tuesday
- Review BitLocker configurations and consider additional endpoint protections
- Track Microsoft's security blog for patch releases on YellowKey, GreenPlasma, and MiniPlasma
The July 14 date is deliberate. By releasing on Patch Tuesday, Nightmare Eclipse maximizes the window between disclosure and fix. Even if Microsoft scrambles to include patches in that month's update, organizations will need to test and deploy them while attackers race to weaponize any new exploits.
A Larger Pattern
This conflict arrives during what some researchers have called a "vulnpocalypse." AI-powered bug hunting tools are uncovering vulnerabilities faster than vendors can patch them. Microsoft's Patch Tuesday releases have grown substantially in recent months as the company tries to keep pace.
The company recently promised more bug payouts through its bounty program, but that may not matter to researchers who feel locked out of official channels. If Nightmare Eclipse's claims about their MSRC account are accurate, the company's gatekeeping may have backfired.
Frequently Asked Questions
What are the six Microsoft zero-days released by Nightmare Eclipse?
RedSun, UnDefend, BlueHammer, YellowKey, GreenPlasma, and MiniPlasma. Three (BlueHammer, RedSun, UnDefend) have patches. Three (YellowKey, GreenPlasma, MiniPlasma) remain unpatched.
Are these Windows vulnerabilities being actively exploited?
Yes. CISA confirms three of the six exploits are being used in active ransomware campaigns. BlueHammer, RedSun, and UnDefend are under active exploitation.
What happens on July 14, 2026?
Nightmare Eclipse has threatened a "bone shattering" exploit release on that date, which coincides with Microsoft's July Patch Tuesday.
Can Microsoft stop the researcher legally?
Microsoft has involved law enforcement and hinted at legal action, but has not confirmed specific plans. The researcher's identity and location are unknown.
How can organizations protect against these zero-days?
Apply available patches immediately for BlueHammer, RedSun, and UnDefend. For unpatched vulnerabilities, monitor CISA advisories and prepare incident response plans for July 14.
Source: Hacker News: Best
Huma Shazia
Senior AI & Tech Writer