Microsoft Blasts Uncoordinated Zero-Day Disclosures After Six Flaws Published Without Patches
Microsoft warned that six zero-day vulnerabilities—including RedSun, UnDefend, BlueHammer, YellowKey, GreenPlasma, and MiniPlasma—were publicly disclosed without coordinated vulnerability disclosure, exposing users to exploitation before patches were ready.

Microsoft has issued a strong warning after multiple zero-day vulnerabilities were publicly disclosed without prior coordination, raising concerns about increased risk to users and enterprise environments. The company stated that recent disclosures exposed critical security flaws before patches were available, giving threat actors a potential advantage in exploiting unprotected systems.
According to Microsoft, several vulnerabilities, including RedSun (CVE-2026-41091), UnDefend (CVE-2026-45498), BlueHammer (CVE-2026-33825), and YellowKey (CVE-2026-45585), as well as GreenPlasma and MiniPlasma, were publicly disclosed without following Coordinated Vulnerability Disclosure (CVD) practices. This industry-standard process requires researchers to privately share findings with vendors, allowing time for investigation, mitigation, and patch development before technical details are made public.
Microsoft emphasized that such coordination plays a critical role in reducing real-world exploitation. By receiving early reports, security teams can deploy fixes and protections across affected services before proof-of-concept (PoC) code becomes accessible to attackers. In contrast, uncoordinated disclosures expose systems to immediate threats, especially when detailed technical information or exploit code is released.
The company noted that its internal teams have been working continuously to assess the impact of these vulnerabilities and develop security updates. However, the lack of prior notification significantly complicates response efforts and increases the window of exposure for customers. Microsoft strongly criticized the practice of releasing zero-day details without vendor coordination, calling it "never justifiable" due to the potential harm to the broader digital ecosystem. The company highlighted that threat actors actively monitor public disclosures for new attack vectors, often weaponizing vulnerabilities before patches are available.
The Microsoft Security Response Center (MSRC) reiterated its long-standing collaboration with the global research community through its CVD program. Each year, Microsoft works with hundreds of researchers to recognize and financially reward responsible disclosures. This partnership is designed to balance transparency with security, ensuring vulnerabilities are addressed before they can be exploited at scale. In addition, Microsoft’s Digital Crimes Unit continues to track and take action against cybercriminal groups that leverage such vulnerabilities.
Despite the recent incidents, Microsoft maintained that it remains open to collaboration and encourages researchers to submit findings through its public vulnerability reporting portal. The company also acknowledged the importance of ongoing dialogue within the security community, including discussions at conferences and research forums, to improve disclosure practices and strengthen collective defenses. The warning highlights a growing tension in the cybersecurity ecosystem between rapid disclosure and responsible coordination, as organizations face increasing pressure to balance transparency with user protection.
In a May 27 bulletin, Microsoft specifically named six vulnerabilities—including 'RedSun' (CVE-2026-41091), 'BlueHammer' (CVE-2026-45498), 'YellowKey' (CVE-2026-45585), 'Undefend' (CVE-2026-45498), 'GreenPlasma,' and 'MiniPlasma'—that were disclosed without coordinated vulnerability disclosure (CVD). The company argued that releasing proof-of-concept code before patches are available 'is never justifiable' and puts customers at risk, while acknowledging its teams have been working around the clock on mitigations. The statement also touched on broader industry pressure to shorten the traditional 90-day CVD embargo, driven by the acceleration of AI-powered vulnerability research.
Microsoft has now publicly singled out the researcher known as Chaotic Eclipse (Nightmare-Eclipse) for disclosing six zero-day vulnerabilities—RedSun, UnDefend, BlueHammer, YellowKey, GreenPlasma, and MiniPlasma—without following Coordinated Vulnerability Disclosure (CVD) practices. The company confirmed that the researcher's GitHub account was removed after posting technical details of the flaws, and reiterated its call for researchers to give vendors time to assess and patch vulnerabilities before public disclosure. This latest statement escalates the ongoing dispute between Microsoft and the researcher, whose accounts have also been suspended by GitLab.
The researcher, known as Nightmare Eclipse or Chaotic Eclipse, has now threatened a 'bone shattering' zero-day drop on July 14, escalating the feud after Microsoft's Digital Crimes Unit warned of legal action. Microsoft's blog post condemned the uncoordinated disclosure of six Windows zero-days—RedSun, UnDefend, BlueHammer, YellowKey (CVE-2026-45585), GreenPlasma, and MiniPlasma—three of which are already exploited in the wild. Security experts, including former Microsoft staff, criticized Redmond's response as escalatory and counterproductive, noting that the patching window between disclosure and weaponization has shrunk to hours.
Microsoft has escalated its response by threatening legal action against the researcher, known as Nightmare Eclipse or Chaotic Eclipse, who publicly disclosed the six zero-days. The company's Digital Crimes Unit stated it will pursue cases against those enabling criminal activity, while the researcher claims Microsoft refused to communicate and deleted their MSRC account. Security experts, including former Microsoft employee Kevin Beaumont, expressed concern over the company's use of legal threats and platform takedowns, noting that GitHub has historically hosted exploits for competitor products without similar action.
Microsoft published its first direct response to the disclosures, calling them 'never justifiable' and warning that its Digital Crimes Unit will continue bringing cases against those who enable cybercrime. The researcher, known as Nightmare Eclipse, has threatened to release further zero-days on July 14—Microsoft’s next Patch Tuesday—stating they will 'make sure your bones are shattered that day.' Industry figures like Katie Moussouris noted that non-disclosure is worse than dropping zero-days, criticizing the vendor's language as a way to label researchers irresponsible.
Microsoft's MSRC issued a follow-up statement on June 1 clarifying it has "no intention to pursue action against individuals conducting or publishing their security research," walking back language from its May 28 blog post that researchers feared threatened legal action against good-faith disclosures. The company drew a sharp line between criminal exploitation and legitimate research, acknowledged past interactions "have fallen short," and pledged renewed transparency and professionalism in coordinated vulnerability disclosure (CVD). The clarification came after widespread backlash from the security community, which warned the initial post could chill responsible disclosure.
Microsoft's June 2026 Patch Tuesday updates have now officially patched the YellowKey, GreenPlasma, and MiniPlasma zero-day vulnerabilities. These vulnerabilities were previously disclosed by the researcher 'Nightmare Eclipse' in protest of Microsoft's disclosure practices, with YellowKey affecting Windows Recovery Environment and GreenPlasma/MiniPlasma impacting the Collaborative Translation Framework and Cloud Files Mini Filter Driver, respectively.