Microsoft Zero-Day Feud Escalates: Researcher Threatens July 14 Dump

Key Takeaways

- Six Windows zero-days released by Nightmare Eclipse since April, with three confirmed in active exploitation
- Microsoft has involved law enforcement and threatened legal action against the researcher
- July 14 Patch Tuesday could bring additional exploit releases, prompting organizations to prepare emergency responses
The standoff between Microsoft and an anonymous security researcher has turned into one of the most dramatic conflicts the infosec community has seen in years. The researcher, known as Nightmare Eclipse or Chaotic Eclipse, has released six Windows zero-day vulnerabilities since April 2026. Three are already being exploited in the wild. And the researcher says more are coming on July 14.
Microsoft responded Wednesday with a blog post on what it called "uncoordinated vulnerability disclosure." The company confirmed the bugs are real: RedSun, UnDefend, BlueHammer, YellowKey, GreenPlasma, and MiniPlasma. None were reported through official channels before going public, Microsoft said.
The company also made its stance clear. It has contacted law enforcement and hinted at legal action against the researcher.
Six Vulnerabilities, Three Under Active Attack
Attackers moved quickly after Nightmare Eclipse published working proof-of-concept exploit code. BlueHammer, RedSun, and UnDefend are now being used in active attacks, according to Microsoft and CISA. The code was posted to GitHub and GitLab accounts that have since been banned. GitHub, notably, is owned by Microsoft.
Three vulnerabilities remain unpatched: YellowKey, GreenPlasma, and MiniPlasma. Microsoft has flagged YellowKey (CVE-2026-45585) as "exploitation more likely" because a working proof-of-concept exists. The YellowKey exploit targets BitLocker and can bypass encryption in about 60 seconds on modern Windows systems.
The Breakdown in Relations
How did this happen? The researcher claims Microsoft terminated their MSRC (Microsoft Security Response Center) account, cutting off their ability to report vulnerabilities through proper channels. In their latest post, Nightmare Eclipse painted a picture of being ignored and insulted.
“When I actively asked you to communicate with me, you refused, humiliated me and made sure to insult me in front of people. You defame me.”
— Nightmare Eclipse, security researcher
Microsoft declined to answer The Register's questions about whether the researcher is a current or former employee, whether it plans to sue, or whether it terminated the researcher's MSRC account.
The company's blog post did not mince words about its view of the situation: "Uncoordinated disclosures that put proof-of-concept code for unpatched vulnerabilities into the hands of bad actors are never justifiable and have real-world consequences."
Security Community Divided
Reactions in the security community are split. Some defend the researcher's right to demonstrate flaws when they feel bug bounty programs have failed them. Others call the approach reckless and harmful.
“The relationship between Microsoft and the security research community is at a breaking point, and unfortunately, it's the enterprise customers who are caught in the crossfire.”
— Sarah Jenkins, Lead Cybersecurity Analyst at Infosec Dynamics
Former MSRC Program Manager David Chen criticized Microsoft's legal posture: "Legal threats against researchers who are providing proof-of-concept exploits for valid, albeit ignored, bugs are counterproductive to the entire ecosystem's safety."
On Hacker News, discussions are polarized. Many sysadmins expressed concern about July 14, the date Nightmare Eclipse chose for the next release. It falls on Patch Tuesday, Microsoft's monthly security update cycle. Some organizations are already planning "all-hands-on-deck" responses.
What Organizations Should Do Now
With three exploits already in active use and three more without patches, security teams face an unpleasant few weeks. The YellowKey BitLocker bypass is particularly concerning for organizations relying on disk encryption for endpoint security.
- Monitor CISA advisories for updates on the six named vulnerabilities
- Prepare incident response plans for July 14 Patch Tuesday
- Review BitLocker configurations and consider additional endpoint protections
- Track Microsoft's security blog for patch releases on YellowKey, GreenPlasma, and MiniPlasma
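The "review BitLocker configurations" item above is the one a practitioner can act on today. The following PowerShell audit is an added example, not code from the article, Microsoft, or the researcher: it inventories BitLocker volumes with the built-in BitLocker module and flags protection that is off, volumes not fully encrypted, OS volumes relying on TPM-only unlock, and volumes without a recovery-password protector. The TPM-only check is a general hardening heuristic and assumes nothing about how YellowKey works, which the article does not describe.

```powershell
# Added example: BitLocker posture audit for one Windows host.
# Assumes an elevated session and the BitLocker module (Get-BitLockerVolume).
#Requires -RunAsAdministrator
Import-Module BitLocker -ErrorAction Stop

$findings = foreach ($vol in Get-BitLockerVolume) {
    # KeyProtectorType values come from the BitLocker module's own enum.
    $protectors  = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
    $hasTpm      = $protectors -contains 'Tpm'
    $hasPreBoot  = ($protectors -contains 'TpmPin') -or
                   ($protectors -contains 'TpmStartupKey') -or
                   ($protectors -contains 'TpmPinStartupKey')
    $hasRecovery = $protectors -contains 'RecoveryPassword'

    $issues = @()
    if ($vol.ProtectionStatus -ne 'On')         { $issues += 'protection off' }
    if ($vol.VolumeStatus -ne 'FullyEncrypted') { $issues += "status=$($vol.VolumeStatus)" }
    # General hardening heuristic (assumption, not from the article): an OS volume
    # unlocked by the TPM alone has no pre-boot secret a user must supply.
    if ($vol.VolumeType -eq 'OperatingSystem' -and $hasTpm -and -not $hasPreBoot) {
        $issues += 'TPM-only pre-boot unlock (no PIN or startup key)'
    }
    if (-not $hasRecovery) { $issues += 'no recovery password protector' }

    [pscustomobject]@{
        MountPoint = $vol.MountPoint
        Type       = $vol.VolumeType
        Method     = $vol.EncryptionMethod
        Protectors = ($protectors -join ',')
        Issues     = if ($issues) { $issues -join '; ' } else { 'none' }
    }
}

$findings | Format-Table -AutoSize

# Non-zero exit lets a fleet-wide job (Intune, SCCM, scheduled task) collect hosts
# that need attention rather than reading each table by hand.
if ($findings | Where-Object { $_.Issues -ne 'none' }) { exit 1 }
```

Run it from an elevated PowerShell prompt on each endpoint, or push it through your management tooling and aggregate hosts that exit non-zero.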
The July 14 date is deliberate. By releasing on Patch Tuesday, Nightmare Eclipse maximizes the window between disclosure and fix. Even if Microsoft scrambles to include patches in that month's update, organizations will need to test and deploy them while attackers race to weaponize any new exploits.
A Larger Pattern
This conflict arrives during what some researchers have called a "vulnpocalypse." AI-powered bug hunting tools are uncovering vulnerabilities faster than vendors can patch them. Microsoft's Patch Tuesday releases have grown substantially in recent months as the company tries to keep pace.
The company recently promised more bug payouts through its bounty program, but that may not matter to researchers who feel locked out of official channels. If Nightmare Eclipse's claims about their MSRC account are accurate, the company's gatekeeping may have backfired.
Frequently Asked Questions
What are the six Microsoft zero-days released by Nightmare Eclipse?
RedSun, UnDefend, BlueHammer, YellowKey, GreenPlasma, and MiniPlasma. Three (BlueHammer, RedSun, UnDefend) have patches. Three (YellowKey, GreenPlasma, MiniPlasma) remain unpatched.
Are these Windows vulnerabilities being actively exploited?
Yes. CISA confirms three of the six exploits are being used in active ransomware campaigns. BlueHammer, RedSun, and UnDefend are under active exploitation.
What happens on July 14, 2026?
Nightmare Eclipse has threatened a "bone shattering" exploit release on that date, which coincides with Microsoft's July Patch Tuesday.
Can Microsoft stop the researcher legally?
Microsoft has involved law enforcement and hinted at legal action, but has not confirmed specific plans. The researcher's identity and location are unknown.
How can organizations protect against these zero-days?
Apply available patches immediately for BlueHammer, RedSun, and UnDefend. For unpatched vulnerabilities, monitor CISA advisories and prepare incident response plans for July 14.
Source: Hacker News: Best
Huma Shazia
Senior AI & Tech Writer