Microsoft Threatens Criminal Probe as Zero-Day Researcher Exposes Unpatched Windows Flaws

A security researcher known as Nightmare Eclipse has escalated a public feud with Microsoft by releasing six Windows vulnerabilities that were unpatched at the time of disclosure, three of which are already being exploited in real-world attacks, while the tech giant accuses the researcher of reckless disclosure and threatens legal action. Microsoft's Digital Crimes Unit has vowed to pursue criminal and civil cases against those who "enable" such disclosures, a rare public confrontation between a major tech company and a lone researcher over vulnerability reporting standards.

Six Zero-Days, Three Already Exploited

Microsoft's blog post on May 29 named six vulnerabilities disclosed by Nightmare Eclipse—RedSun, BlueHammer, UnDefend, YellowKey, GreenPlasma, and MiniPlasma—affecting core Windows components, namely Microsoft Defender and BitLocker. Three of these—BlueHammer, RedSun, and UnDefend—were quickly weaponized by attackers, with the U.S. Cybersecurity and Infrastructure Security Agency (CISA) confirming active exploitation. Microsoft's statement called the disclosures "uncoordinated" and warned that such actions "put our customers at unnecessary risk," while also noting that YellowKey (CVE-2026-45585) remains unpatched and is rated "exploitation more likely." The vulnerabilities were published on GitHub (owned by Microsoft) and on GitLab, alongside proof-of-concept exploit code. Nightmare Eclipse's accounts on these platforms have since been banned, according to The Register. The researcher claims Microsoft revoked their access to the Microsoft Security Response Center (MSRC), the official channel for reporting bugs, after ignoring their initial reports.

The timing of these disclosures is critical: Microsoft's internal security teams have been working "around the clock" to patch the flaws, but the damage is already done. BlueHammer and RedSun, both privilege-escalation flaws in Microsoft Defender, carry a CVSS score of 7.8 (High); as elevation-of-privilege bugs in a component that runs with SYSTEM privileges, successful exploitation would let an attacker who already has a foothold on the machine gain system-level control. YellowKey, a security feature bypass in BitLocker, has a lower CVSS base score of 6.8 (Medium), but Microsoft's separate Exploitability Index now rates it "exploitation more likely" because working exploit code is public; the base score measures impact, not how likely an attack is, so the two ratings are not in conflict. The remaining three vulnerabilities—GreenPlasma and MiniPlasma (both privilege escalations) and UnDefend (a denial-of-service flaw)—remain unpatched as of May 29, which means four of the six (including YellowKey) had no fix available on that date.
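As an added practitioner check, not part of the article and not Microsoft's or the researcher's code: the PowerShell below reports the local state of the two components named above (Defender and BitLocker) and lists which of a given set of updates are missing. The article does not give KB numbers for the fixes, so none are assumed here; the operator passes them in once the advisory lists them. The two-day signature-age threshold and the pre-boot PIN check are general hardening assumptions, not details tied to the specific flaws.

```powershell
# Added example (not from the article): local posture check for the components
# named in the disclosures. Run from an elevated PowerShell session; the
# BitLocker cmdlets require administrator rights.
[CmdletBinding()]
param(
    # KB identifiers of the fixes to verify, taken from the MSRC advisory.
    # The article gives none, so this defaults to an empty list.
    [string[]]$RequiredKB = @(),
    # Assumed threshold: flag Defender signatures older than this many days.
    [int]$MaxSignatureAgeDays = 2
)

$findings = New-Object System.Collections.Generic.List[string]

# --- Microsoft Defender: versions, freshness, and whether it is switched on ---
try {
    $mp = Get-MpComputerStatus -ErrorAction Stop
    "Defender engine    : $($mp.AMEngineVersion)"
    "Defender platform  : $($mp.AMProductVersion)"
    "Signatures updated : $($mp.AntivirusSignatureLastUpdated)"
    if (-not $mp.AntivirusEnabled)  { $findings.Add("Defender antivirus is disabled") }
    if (-not $mp.IsTamperProtected) { $findings.Add("Defender tamper protection is off") }
    $age = (Get-Date) - $mp.AntivirusSignatureLastUpdated
    if ($age.TotalDays -gt $MaxSignatureAgeDays) {
        $findings.Add("Defender signatures are $([int]$age.TotalDays) days old")
    }
} catch {
    $findings.Add("Could not query Defender: $($_.Exception.Message)")
}

# --- BitLocker: is the OS volume actually protected, and with what? ---
try {
    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
    "BitLocker $($os.MountPoint) : $($os.VolumeStatus), protection $($os.ProtectionStatus)"
    if ($os.ProtectionStatus -ne 'On') {
        $findings.Add("BitLocker protection is $($os.ProtectionStatus) on $($os.MountPoint)")
    }
    # General hardening check (assumption, not tied to YellowKey specifically):
    # a TPM-only configuration unlocks the volume with no user secret at boot.
    $types = $os.KeyProtector | ForEach-Object { $_.KeyProtectorType }
    if ($types -notcontains 'TpmPin' -and $types -notcontains 'TpmPinStartupKey') {
        $findings.Add("No pre-boot PIN protector on $($os.MountPoint) (TPM-only unlock)")
    }
} catch {
    $findings.Add("Could not query BitLocker: $($_.Exception.Message)")
}

# --- Installed updates vs. the KBs the operator says are required ---
$installed = (Get-HotFix).HotFixID
foreach ($kb in $RequiredKB) {
    if ($installed -notcontains $kb) { $findings.Add("Missing update $kb") }
}

if ($findings.Count -eq 0) {
    "No findings."
} else {
    "FINDINGS:"
    $findings | ForEach-Object { " - $_" }
}
```

Usage: `.\Check-Posture.ps1 -RequiredKB KB0000000,KB0000001` with the real identifiers substituted. Two caveats: `Get-HotFix` reads `Win32_QuickFixEngineering`, which does not list every servicing-stack or cumulative update, so a "missing update" finding should be confirmed against Windows Update history or your management tooling; and a clean result says nothing about whether the specific flaws are fixed until Microsoft publishes the corresponding update, so treat the Defender and BitLocker findings as hygiene, not as proof of patch state.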

Microsoft’s Legal Threat and the Researcher’s Counterattack

Microsoft's response goes beyond technical criticism. In its blog post, the company's Digital Crimes Unit explicitly threatened legal action, stating: "Our Digital Crimes Unit will continue bringing cases against these actors and those that enable their criminal activity—coordinating as needed with law enforcement around the world." The unit's approach includes civil legal actions, technical countermeasures, criminal referrals, and public-private partnerships, according to its publicly stated mission. This is not the first time Microsoft has taken aggressive legal steps against researchers; in 2024, the company sued a security firm over alleged misuse of its bug bounty program.

Nightmare Eclipse, however, frames the conflict as a personal and professional betrayal. In a public blog post, they accused Microsoft of deleting their MSRC account—used to report bugs—and refusing to communicate. The researcher's exact words: "When I actively asked you to communicate with me, you refused, humiliated me and made sure to insult me in front of people. You defame me in public with your CVE-2026-45585 advisory even though you literally deleted the Microsoft account I used to report bugs to you with and I got zero pennies from doing so and I still happily did like an idiot." They also warned of a forthcoming "bone shattering" exploit dump scheduled for July 14, 2026, suggesting Microsoft still holds leverage over them: "Microsoft still has chains in my hands."

The Broken Trust: Why This Feud Matters

At its core, this dispute is about coordinated vulnerability disclosure (CVD), the industry-standard process where researchers notify vendors privately, allowing time to patch flaws before public disclosure. Microsoft reiterates its commitment to this model, noting it works with “hundreds of security researchers” annually through bug bounties and public recognition. The company argues that Nightmare Eclipse’s actions bypassed this safeguard, exposing customers to immediate risk. Yet Nightmare Eclipse’s claims—of ignored reports, deleted accounts, and public humiliation—suggest a deeper breakdown in trust. The researcher’s decision to go public may have been driven by frustration, but the consequences are now severe: three vulnerabilities are actively exploited, and Microsoft’s legal threats could set a dangerous precedent for how tech giants handle dissenting researchers. As Security Affairs notes, this is not just about one researcher—it’s about the broader ecosystem of bug hunters who rely on good-faith reporting to earn bounties and recognition.

The stakes are higher than ever. Microsoft’s Digital Crimes Unit has made clear it will pursue legal action, not just against Nightmare Eclipse but against anyone who “enables” such disclosures—a broad statement that could chill future research. Meanwhile, the researcher’s threats of further disclosures on July 14 add urgency to the situation. If Microsoft’s patches for the existing flaws are delayed, or if more vulnerabilities are leaked, the fallout could extend beyond individual users to critical infrastructure relying on Windows systems.

What Happens Next: Legal, Technical, and Ethical Crossroads

The next 30 days will be pivotal. Microsoft's legal team must decide whether to file a civil suit or refer the matter to prosecutors, either of which could set a precedent for how companies handle rogue researchers. Nightmare Eclipse's July 14 deadline looms, raising questions: Will they release more exploits? Will Microsoft's patches arrive in time? And what happens if the researcher's claims of retaliation—deleted accounts, ignored reports—are proven true? Technically, Microsoft's security teams are racing to patch the remaining flaws, particularly YellowKey, which remains unpatched and is now rated "exploitation more likely." The company's public stance is clear: uncoordinated disclosures are unacceptable, and it will defend its customers at all costs. But the ethical dilemma remains: Is Nightmare Eclipse a reckless actor, or a whistleblower pushed too far?

For the broader cybersecurity community, this feud highlights a growing tension. On one side, companies like Microsoft argue that private disclosure protects users. On the other, researchers like Nightmare Eclipse contend that when trust is broken, public disclosure becomes the only recourse. The outcome of this conflict could reshape how vulnerabilities are reported—and who gets to decide when a flaw becomes public knowledge.

One thing is certain: the digital ecosystem is now more vulnerable. With three of the six disclosed flaws already exploited, attackers have a window to target systems before patches arrive. Microsoft’s legal threats may deter future researchers from reporting bugs, while Nightmare Eclipse’s actions have already caused real-world harm. The question is no longer just about who is right or wrong—but how to prevent this from happening again.
