Six 0-days, three under active exploitation, more to come on July 14?
The ongoing saga of Microsoft versus Nightmare Eclipse (aka Chaotic Eclipse), the disgruntled bug hunter with a deep understanding of Windows and an even deeper grudge against Microsoft, reached a fever pitch, with the researcher, who has thus far released six Windows zero-days, promising a “bone shattering” drop on July 14.
Microsoft, for its part, finally responded to the security researcher and their weaponized Windows flaws with a blog post on (un)coordinated vulnerability disclosure about the now-public bugs: RedSun, UnDefend, BlueHammer, YellowKey, GreenPlasma, and MiniPlasma. Redmond says that none of these were reported via its official channels prior to being made public.
Attackers began hammering three of the six - BlueHammer, RedSun, and UnDefend - soon after Nightmare published working proof-of-concept exploit code for each on now-banned GitHub (owned by Microsoft) and GitLab accounts.
YellowKey, GreenPlasma, and MiniPlasma still don’t have fixes, and Microsoft has deemed “exploitation more likely” for YellowKey, aka CVE-2026-45585, citing a working POC.
“We remain firmly opposed to these actions, and any disclosure outside proper coordination that could harm our customers and the digital ecosystem,” Microsoft wrote in a Wednesday blog, and then seemingly threatened legal action against Nightmare:
“Uncoordinated disclosures that put proof-of-concept code for unpatched vulnerabilities into the hands of bad actors are never justifiable and have real-world consequences. Our security teams across the company work tirelessly tracking threat actors who look for weaknesses just like these to attack Microsoft and our customers. Our Digital Crimes Unit will continue bringing cases against these actors and those that enable their criminal activity – coordinating as needed with law enforcement around the world.”
Microsoft did not respond to The Register’s questions, including whether its legal team planned to sue Nightmare, whether the zero-day researcher is a current or former employee, and whether Microsoft axed Nightmare’s MSRC account, meaning that the bug hunter can’t disclose vulnerabilities to the Windows giant.