
Drama Alert: Microsoft, Nightmare-Eclipse, and the Windows Zero-Day Mess

There is a messy fight happening right now between Microsoft and a security researcher, and it has turned into one of those stories where the technical side and the human side are completely tangled together.

On the surface, this is about Windows zero-days, Microsoft Defender bugs, BitLocker, public exploit code, and responsible disclosure. Underneath that, it is about something almost everyone who has spent enough time in cybersecurity already knows: reporting bugs to big companies can be frustrating, slow, and sometimes unfair.

And yes, anyone who has been around long enough has seen this happen. A researcher reports a bug, the company ignores it, says it is not valid, stops replying, or gives no bounty, then months later the issue quietly gets fixed in the background. That does not automatically make public exploit drops okay. But it does explain why people get angry.

What Happened

A researcher using names like Nightmare-Eclipse, Chaotic Eclipse, Dead Eclipse, and Eclipse publicly released exploit code for several Microsoft-related vulnerabilities during April and May 2026.

The main vulnerability names circulating are BlueHammer, RedSun, UnDefend, YellowKey, GreenPlasma, and MiniPlasma. The first three are tied to Microsoft Defender. YellowKey is tied to BitLocker and Windows 11. GreenPlasma and MiniPlasma were also named by Microsoft, but public technical details are thinner.

Microsoft responded through the Microsoft Security Response Center, saying the vulnerability details were not shared with Microsoft before release and that the public exploit drops put customers at unnecessary risk. Microsoft specifically called out all six disclosures as examples of what it considered irresponsible behavior.

The CVEs Involved

| Name | CVE | Product / Area | What It Is |
|---|---|---|---|
| BlueHammer | CVE-2026-33825 | Microsoft Defender | Local privilege escalation. NVD lists it as high severity and it was added to CISA's Known Exploited Vulnerabilities catalog. |
| RedSun | CVE-2026-41091 | Microsoft Defender / Malware Protection Engine | Local privilege escalation. Successful exploitation can lead to SYSTEM privileges. |
| UnDefend | CVE-2026-45498 | Microsoft Defender | Denial-of-service style issue that can interfere with Defender working properly. |
| YellowKey | CVE-2026-45585 | BitLocker / Windows 11 | BitLocker-related issue. Public PoC availability made exploitation more concerning. |
| GreenPlasma | Not clearly confirmed | Windows-related | Named by Microsoft, limited public technical detail. |
| MiniPlasma | Not clearly confirmed | Windows-related | Named by Microsoft, limited public technical detail. |

The Defender bugs are especially serious because Defender is installed by default on Windows, runs with high privileges, and is deeply trusted by the operating system. A local privilege escalation in Defender is not some obscure edge case. If an attacker already has a basic foothold on a machine, bugs like this can help them go deeper.

Why This Became Drama

This became a story because both sides are saying very different things.

Microsoft's position is straightforward: do not publicly drop working exploit code before a vendor has time to fix the issue. That is the standard responsible disclosure argument, and Microsoft is not wrong about the risk. Public exploit code can and does get picked up by attackers.

Huntress reported seeing tooling related to BlueHammer, RedSun, and UnDefend during a real-world intrusion investigation. That does not mean every exploit succeeded, but it does show that this was not just theoretical internet noise. These bugs were being tested in live environments.

But the researcher's side is also part of the story. The researcher reportedly claimed that Microsoft mishandled reports, failed to communicate properly, declined to pay bounties, and took action against their accounts. Some of those claims are still allegations and not every detail has been independently verified. But the frustration behind them is recognizable to anyone who has spent time doing vulnerability research.

The Part Nobody Likes to Say Out Loud

A lot of companies handle vulnerability reports badly.

Some ignore reports entirely. Some silently patch bugs without giving credit. Some close reports as "informational" or "not applicable," then fix the same issue later. Some make researchers wait months with no useful update. Some only take a report seriously after it becomes public.

People who do bug bounty or vulnerability research long enough usually have at least one story like that.

That does not mean researchers should publish weaponized exploit code out of frustration. Once code is public, defenders lose control of the timeline. Attackers can copy it, test it, and modify it. The people who get hurt are often not the vendor's executives — they are admins, users, hospitals, schools, small businesses, and regular companies trying to stay patched.

But vendors also need to stop acting like "responsible disclosure" is only the researcher's responsibility. If a company wants researchers to act responsibly, the company has to act responsibly too. That means clear communication, fair triage, honest bounty decisions, credit when credit is due, and not quietly fixing bugs while pretending the original report was invalid.

Microsoft's Response Made Things Worse

Microsoft's MSRC post was meant to defend coordinated disclosure, but it also referenced Microsoft's Digital Crimes Unit and law enforcement coordination. That part landed badly.

To many researchers, it sounded less like "please coordinate with us" and more like "publish bugs and we may treat you like a criminal."

That is a dangerous message. Security research already operates in an uncomfortable space where the same technical knowledge applies to both defense and offense. If vendors start sounding like they will criminalize researchers for being difficult, angry, or inconvenient, researchers may stop reporting to them at all. That outcome would be bad for everyone.

The Practical Security Issue

Separate from the drama, defenders should take this seriously.

CISA added several of these issues to its Known Exploited Vulnerabilities catalog, including CVE-2026-33825, CVE-2026-41091, and CVE-2026-45498. That is the signal that matters. These are not theoretical bugs sitting in a lab. They are significant enough that defenders need to verify patch status, confirm Defender updates are current, and look for signs of related activity in their environments.

For Windows environments, the standard advice still applies:

  • Ensure Windows is fully updated
  • Confirm Microsoft Defender platform and engine updates are current
  • Review suspicious binaries dropped in user-writable locations
  • Check VPN access logs around compromised or suspicious accounts
  • Treat any signs of BlueHammer, RedSun, or UnDefend tooling as a serious indicator
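The first three items on that list can be checked from one elevated PowerShell session. The script below is an added example, not from this article, Microsoft, or Huntress; it uses only the built-in Get-MpComputerStatus, Get-HotFix, and Get-ChildItem cmdlets. The article does not name the KB that fixes these CVEs, so the KB number is a placeholder to be taken from the MSRC advisory, and the three-day signature age and fourteen-day file age thresholds are assumptions, not figures from the page.

```powershell
# Added example: Defender and patch posture check for a single Windows host.
# Run from an elevated PowerShell session. Nothing here changes the system.

# Placeholder: the article does not list the fixing KB, take it from the MSRC advisory.
$RequiredKB = 'KBxxxxxxx'

# 1. Defender platform, engine, and signature state (Get-MpComputerStatus is the
#    built-in Defender cmdlet; these property names are real and documented).
$mp = Get-MpComputerStatus
[pscustomobject]@{
    Host                 = $env:COMPUTERNAME
    AntivirusEnabled     = $mp.AntivirusEnabled
    RealTimeProtection   = $mp.RealTimeProtectionEnabled
    PlatformVersion      = $mp.AMProductVersion      # "platform" update
    EngineVersion        = $mp.AMEngineVersion       # malware protection engine
    SignatureVersion     = $mp.AntivirusSignatureVersion
    SignatureLastUpdated = $mp.AntivirusSignatureLastUpdated
} | Format-List

# The article describes UnDefend as interfering with Defender working properly,
# so disabled protection on a host is worth flagging, whatever the cause.
if (-not $mp.AntivirusEnabled -or -not $mp.RealTimeProtectionEnabled) {
    Write-Warning "Defender is not fully enabled on $env:COMPUTERNAME"
}
# Assumed threshold: signatures older than 3 days count as stale.
if ($mp.AntivirusSignatureLastUpdated -lt (Get-Date).AddDays(-3)) {
    Write-Warning "Defender signatures last updated $($mp.AntivirusSignatureLastUpdated)"
}

# 2. Is the required Windows update installed? Get-HotFix -Id accepts a KB identifier.
if (Get-HotFix -Id $RequiredKB -ErrorAction SilentlyContinue) {
    Write-Output "$RequiredKB is installed"
} else {
    Write-Warning "$RequiredKB is NOT installed on $env:COMPUTERNAME"
}

# 3. Recently written executables in user-writable locations. This is a review
#    list for an analyst, not a verdict; the directories and 14-day window are assumptions.
$paths = @($env:TEMP, 'C:\Users\Public', $env:ProgramData)
Get-ChildItem -Path $paths -Recurse -Include *.exe, *.dll, *.ps1 -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-14) } |
    Sort-Object LastWriteTime -Descending |
    Select-Object FullName, LastWriteTime, Length |
    Format-Table -AutoSize
```

Run it per host, or wrap it in Invoke-Command for a fleet, and treat a warning on the Defender state as a reason to look at that machine's logs rather than as proof of anything on its own.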

So Who Is Right?

This is not a story where one side is completely clean.

Microsoft is right that public exploit drops can put users at risk.

The researcher may also be right that Microsoft's reporting and bounty process failed badly. The broader complaint is credible because many researchers have experienced similar behavior from vendors.

The problem is that both things can be true at the same time. A company can mishandle a report. A researcher can react in a way that puts users in danger. And in the end, defenders are the ones left cleaning up the mess.

Bottom Line

This story is part vulnerability disclosure debate, part public feud, and part real security risk.

The drama is Microsoft versus Nightmare-Eclipse. The security issue is public exploit code for Defender and Windows-related vulnerabilities that are already showing up in real intrusions. The bigger lesson is that coordinated disclosure only works when both sides actually coordinate.

Researchers should not drop dangerous exploit code just to make a point. Vendors should not ignore researchers, quietly patch bugs, deny credit, or hide behind "responsible disclosure" only when it benefits them.

Trust is the whole system. Once that trust breaks, everyone pays for it.

Sources:

  • The Hacker News — Microsoft Slams Public Zero-Day Disclosures
  • Huntress — Nightmare Eclipse Intrusion