Microsoft has publicly reaffirmed its support for Coordinated Vulnerability Disclosure (CVD) after a security researcher released details of several unpatched zero-day vulnerabilities impacting key Windows components, including Microsoft Defender and BitLocker.
The controversy centers on a researcher known as Chaotic Eclipse, also referred to online as Nightmare-Eclipse, who disclosed multiple vulnerabilities over the past month. The researcher said the move was prompted by frustration with Microsoft's vulnerability reporting and communication process.
Microsoft Warns of “Unnecessary Risk”
In an official statement, Microsoft criticized the public release of exploit details without prior coordination.
“In recent weeks, several zero-day vulnerabilities have been publicly disclosed. The details of these vulnerabilities were not shared with Microsoft prior to release, and the disclosures put our customers at unnecessary risk,” the company stated.
Microsoft added that its internal security teams have been working continuously to analyze the threats, mitigate customer exposure, and prepare security updates.
The company emphasized that publishing proof-of-concept (PoC) code for unpatched flaws can have serious consequences, especially when cybercriminals gain access to the information before patches are available.
Zero-Day Vulnerabilities Under Active Exploitation
The vulnerabilities disclosed by the researcher include:
- BlueHammer (CVE-2026-33825)
- RedSun (CVE-2026-41091)
- UnDefend (CVE-2026-45498)
- YellowKey (CVE-2026-45585)
- GreenPlasma
- MiniPlasma
According to Microsoft, at least three of the vulnerabilities — BlueHammer, RedSun, and UnDefend — are already being actively exploited in real-world attacks.
The flaws reportedly affect core Windows security components, including Defender and BitLocker, and could allow attackers to bypass those protections or gain elevated privileges on vulnerable systems.
Microsoft Reiterates Support for Responsible Disclosure
Microsoft stated that it “firmly” opposes uncoordinated disclosures and reiterated its commitment to working with the global security research community through responsible disclosure practices.
The company noted that collaboration with researchers remains a core part of its security strategy, highlighting engagement through conferences, researcher appreciation programs, and direct vulnerability coordination efforts.
“We invite diverse perspectives that help the security community work together to protect everyone,” Microsoft said.
GitHub and GitLab Accounts Removed
The situation escalated further when GitHub reportedly suspended the researcher's account, taking down the exploit code for the vulnerabilities along with it.
The researcher later uploaded the material to GitLab, but the newly created account was also reportedly blocked shortly afterward.
In a public post over the weekend, the researcher accused Microsoft of refusing communication and publicly discrediting their work.
“You refused, humiliated me, and made sure to insult me in front of people,” the researcher wrote.
The individual also alleged that Microsoft removed the account previously used to report vulnerabilities and claimed they received no financial compensation for their disclosures.
Researcher Hints at Future Release
Adding to the tension, the researcher hinted at releasing additional material on July 14, 2026, describing it as something that would “shatter” Microsoft.
The statement has raised concerns within the cybersecurity community about the possibility of further exploit releases or additional unpatched vulnerabilities becoming public.
Growing Debate Around Vulnerability Disclosure
The incident has reignited debates around responsible disclosure practices, researcher compensation, and the balance between transparency and user safety.
While security researchers often argue that public disclosures pressure vendors into faster action, software companies maintain that coordinated disclosure gives them critical time to develop patches and protect users before threat actors can weaponize vulnerabilities.
As the conflict between Microsoft and the researcher continues, organizations are being urged to monitor Microsoft's security advisories closely and apply updates as soon as patches become available. Because proof-of-concept code for several of the flaws is already public and at least three are under active exploitation, defenders should treat the affected systems as exposed until those updates ship.
