Microsoft fixes high-severity zero-day disclosed by researcher Nightmare Eclipse

A bitter feud between a pseudonymous security researcher and the world's largest software company has left Windows users, including crypto holders, exposed to actively exploited vulnerabilities.

Microsoft patched a high-severity zero-day vulnerability on Tuesday, one of several publicly disclosed by a pseudonymous researcher called Nightmare Eclipse who has been in an escalating dispute with the software giant. A separate zero-day also appears to have been addressed in the same update cycle.

Nightmare Eclipse began publicly disclosing vulnerabilities in early April 2026, releasing proof-of-concept exploit code for flaws the researcher says Microsoft failed to properly address after an earlier arrangement between the two parties broke down.

The six disclosed vulnerabilities carry colorful codenames: BlueHammer, RedSun, UnDefend, YellowKey, GreenPlasma, and MiniPlasma. Each targets core Windows components.


BlueHammer, formally tracked as CVE-2026-33825, is a local privilege escalation vulnerability in Windows Defender. If an attacker already has basic access to your machine, this bug lets them promote themselves to administrator-level control. Microsoft patched BlueHammer during its April 2026 Patch Tuesday update cycle, with additional flaws addressed in subsequent releases.

At least three of the exploits, BlueHammer, RedSun, and UnDefend, were observed being used in real-world cyber intrusions by mid-April 2026.

The researcher claims the disclosures came after Microsoft reneged on an arrangement the two had made regarding vulnerabilities they had previously discussed. Nightmare Eclipse’s real identity remains unknown, though speculation about a possible former Microsoft affiliation has circulated in security circles, given the depth of knowledge demonstrated in the exploits.

Microsoft’s response went beyond just patching code. The company banned Nightmare Eclipse from GitHub in late May 2026, with GitLab following shortly after. Microsoft publicly advocated for coordinated vulnerability disclosure and referenced potential legal steps against the researcher, though the specifics remain unclear.

The UnDefend vulnerability targets Windows Defender, the default security layer for hundreds of millions of machines. If an attacker can disable or bypass Defender, they can deploy malware without triggering alerts. The broader set of flaws affecting BitLocker encryption could compromise the layer that protects locally stored wallets and private key files.

The vulnerabilities were actively exploited in intrusions by mid-April, but several remained unpatched through late May — a multi-week window where Windows users were exposed to known, weaponized exploits with no available fix.

Investors and traders who rely on Windows machines for portfolio management should verify they’ve installed all available patches from both the April and May 2026 update cycles.
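The check the article recommends, as an added example that is not part of the original article: a PowerShell script for a Windows machine that lists updates installed since the April 2026 Patch Tuesday, tests for the specific cumulative-update KBs, reads the Windows Update history (which also records Defender platform updates that Get-HotFix omits), and reports Defender and BitLocker state. The KB identifiers are placeholders, because the article does not name them; fill them in from Microsoft's release notes for your Windows build. Run it from an elevated PowerShell session.

```powershell
# Added example (not from the article): confirm the April and May 2026 Windows
# fixes are present and that Defender and BitLocker are in a healthy state.
# The KB numbers below are PLACEHOLDERS - take the real ones from Microsoft's
# release notes for your Windows build; the article does not list them.
$RequiredKBs = @('KB<APRIL-2026-CUMULATIVE>', 'KB<MAY-2026-CUMULATIVE>')
$Since = Get-Date '2026-04-01'

# 1. Everything Get-HotFix knows about that was installed since 1 April 2026.
Get-HotFix |
    Where-Object { $_.InstalledOn -ge $Since } |
    Sort-Object InstalledOn |
    Format-Table HotFixID, Description, InstalledOn -AutoSize

# 2. Explicit presence check for each required cumulative update.
foreach ($kb in $RequiredKBs) {
    if (Get-HotFix -Id $kb -ErrorAction SilentlyContinue) {
        "[OK]      $kb installed"
    } else {
        "[MISSING] $kb not found - run Windows Update and re-check"
    }
}

# 3. Windows Update history via the Microsoft.Update.Session COM object.
#    This also lists Defender platform/engine updates, which Get-HotFix omits.
#    ResultCode 2 means the update installed successfully.
$searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
$total    = $searcher.GetTotalHistoryCount()
$searcher.QueryHistory(0, $total) |
    Where-Object { $_.Date -ge $Since -and $_.ResultCode -eq 2 } |
    Select-Object Date, Title |
    Format-Table -AutoSize

# 4. Defender health: real-time protection enabled, platform and engine
#    versions (compare against Microsoft's Defender platform release notes),
#    and how stale the signatures are.
$mp = Get-MpComputerStatus
[pscustomobject]@{
    RealTimeProtection = $mp.RealTimeProtectionEnabled
    PlatformVersion    = $mp.AMProductVersion
    EngineVersion      = $mp.AMEngineVersion
    SignatureAge       = (Get-Date) - $mp.AntivirusSignatureLastUpdated
}

# 5. BitLocker state of the OS volume, since the article notes flaws affecting
#    the BitLocker layer that protects locally stored wallets and key files.
#    Requires the BitLocker module (Windows Pro/Enterprise) and admin rights.
Get-BitLockerVolume -MountPoint $env:SystemDrive |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionMethod
```

A "[MISSING]" line for either KB, a Defender platform version older than the fixed build, or a BitLocker volume showing ProtectionStatus "Off" is the signal to update and re-run before relying on the machine for wallet or key management.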

Disclosure: This article was edited by Editorial Team. For more information on how we create and review content, see our Editorial Policy.
