Microsoft threatens legal action against researcher Nightmare Eclipse for exploit disclosure

The tech giant is weighing criminal charges against a security researcher who published six Windows zero-day exploits in six weeks, three of which were exploited in real-world attacks.

Microsoft’s Digital Crimes Unit is considering criminal action against a security researcher who has been publicly releasing proof-of-concept exploit code for unpatched Windows vulnerabilities. The researcher, operating under the name Nightmare Eclipse, released six zero-day exploits between early April and mid-May 2026, targeting core Windows components including Windows Defender and BitLocker.

Three of those vulnerabilities were confirmed to be exploited in the wild shortly after the code went public. Microsoft issued emergency patches, and CISA added the vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog.

Six exploits, six weeks, and a very public grudge

The vulnerabilities carry names that read like a cyberpunk novel: BlueHammer (CVE-2026-33825), RedSun (CVE-2026-41091), UnDefend (CVE-2026-45498), YellowKey (CVE-2026-45585), GreenPlasma, and MiniPlasma. Several enable local privilege escalation to SYSTEM. Others allow an attacker to bypass BitLocker, Microsoft’s full-disk encryption feature.

Nightmare Eclipse posted the exploit code on GitHub and GitLab, bypassing the standard coordinated vulnerability disclosure process. Some of their posts suggest they are a disgruntled former Microsoft employee; their stated motivations include mistreatment by the Microsoft Security Response Center, denied bug bounties, and deleted accounts.

On May 28, 2026, Microsoft published a statement on its MSRC blog emphasizing the importance of coordinated vulnerability disclosure. The company condemned what it called uncoordinated releases that endanger customers and signaled that its Digital Crimes Unit could pursue criminal charges against those responsible.

Microsoft also moved to cut off the researcher’s access. Nightmare Eclipse’s GitHub account was disabled around May 23, followed by their GitLab account between May 26 and 27. Their Microsoft Security Response Center account was also shut down.

The security community pushes back

Kevin Beaumont, a well-known cybersecurity researcher and former Microsoft employee, flagged Microsoft’s response as problematic. His concern is that criminalizing uncoordinated disclosure is counterproductive: it does not make the vulnerabilities disappear, and it risks chilling legitimate security research.

Nightmare Eclipse has threatened another significant disclosure for July 14, 2026, the date of Microsoft’s July Patch Tuesday. If that materializes, organizations running unpatched Windows systems face another round of exposure.

Disclosure: This article was edited by Editorial Team. For more information on how we create and review content, see our Editorial Policy.