Microsoft faces backlash after threatening a researcher over BlueHammer, RedSun, UnDefend, & YellowKey zero-day disclosures affecting Defender and BitLocker.

Continue reading
Microsoft is experiencing mounting criticism after warning that its Digital Crimes Unit (DCU) could pursue legal action and criminal referrals following the public disclosure of multiple Windows zero-day vulnerabilities by independent researcher Nightmare Eclipse, also known as Chaotic Eclipse.
The dispute centers on several publicly released vulnerabilities affecting Microsoft Defender, BitLocker, Windows Cloud Filter, and CTFMon components, including CVE-2026-33825, CVE-2026-41091, CVE-2026-45498, and CVE-2026-45585.
The controversy escalated on May 29 after reporting revealed Microsoft had referenced potential law-enforcement involvement while condemning the publication of exploit code associated with BlueHammer, RedSun, UnDefend, YellowKey, GreenPlasma, and MiniPlasma.
Microsoft stated that the vulnerabilities were disclosed without prior coordination and exposed customers to unnecessary risk. The researcher, meanwhile, alleges Microsoft ignored communications, removed reporting access, deleted accounts, and failed to properly handle submitted findings.
The current dispute began after a series of public exploit releases targeting core Windows security mechanisms.
Microsoft's May 2026 MSRC statement directly identified BlueHammer, RedSun, UnDefend, YellowKey, GreenPlasma, and MiniPlasma as vulnerabilities that were "not responsibly disclosed" under Coordinated Vulnerability Disclosure (CVD) practices.
The company stated that security teams were forced to investigate, assess exploitation risk, develop mitigations, and prepare updates under compressed timelines because proof-of-concept material had already entered the public domain.
Microsoft also warned that actors enabling criminal activity could become subjects of Digital Crimes Unit action and law-enforcement coordination, according to Microsoft's MSRC disclosure statement.
The language immediately triggered backlash across vulnerability research communities, where several researchers argued that Microsoft's wording blurred the distinction between malicious exploitation and public-interest security research, as noted in industry reaction coverage.
The dispute revolves around four Microsoft-tracked vulnerabilities.
BlueHammer is tracked as CVE-2026-33825 and affects Microsoft Defender.
Microsoft classified the issue as an elevation-of-privilege vulnerability resulting from insufficient granularity of access controls. Successful exploitation can allow a local attacker with existing access to obtain SYSTEM-level privileges. Public exploit code was released before patching.
CISA later added the flaw to its Known Exploited Vulnerabilities catalog after evidence of active exploitation emerged, according to BlueHammer technical analysis.
RedSun is another Microsoft Defender privilege-escalation vulnerability.
Public research indicated the flaw could provide SYSTEM-level execution on supported Windows systems running Defender. Microsoft included RedSun among the vulnerabilities it said were disclosed without coordination.
Reports indicate exploitation activity was observed after proof-of-concept publication, according to Microsoft's disclosure statement.
UnDefend targets Defender protection mechanisms rather than privilege boundaries.
According to published research, the technique allows standard users to interfere with Defender functionality and block security-definition updates.
Microsoft identified UnDefend as one of the disclosures that created customer risk because exploit details became publicly available before security updates were broadly deployed, as described in Microsoft's disclosure statement.
YellowKey impacts BitLocker protections.
Microsoft acknowledged the issue under CVE-2026-45585 after researchers published proof-of-concept material demonstrating access to BitLocker-protected Windows 11 systems using a USB-based attack path. Microsoft stated that public disclosure violated coordinated disclosure practices and released mitigation guidance while developing broader protections, according to coverage of the YellowKey disclosure.
The technical significance of the disclosures comes from how they target Microsoft's native security stack.
BlueHammer and RedSun focus on privilege escalation through Defender-related attack surfaces. Both chains are designed to move attackers from limited user access into SYSTEM-level execution, effectively bypassing operating-system trust boundaries, as detailed in technical research on BlueHammer and RedSun.
UnDefend attacks the defensive layer itself.
Instead of obtaining SYSTEM privileges directly, the technique reportedly disrupts Defender's ability to receive or process security updates, potentially reducing detection effectiveness and creating persistence opportunities for follow-on malware deployment, according to reporting on UnDefend exploitation.
YellowKey targets encryption trust assumptions.
Research published by Nightmare Eclipse claimed BitLocker-protected Windows 11 devices could be accessed through a USB-assisted attack chain involving Windows Recovery Environment behavior and Transactional NTFS mechanisms. Microsoft later released mitigation guidance that included modification of WinRE BootExecute entries to block the technique, according to Windows Central's report on YellowKey.
The broader concern is not any individual vulnerability.
The concern is that several disclosed flaws target Microsoft's own security controls, including Defender and BitLocker, which many enterprises rely upon as foundational protections, as emphasized in Microsoft's disclosure statement.
Microsoft's position is rooted in Coordinated Vulnerability Disclosure.
Under CVD, researchers privately disclose vulnerabilities, vendors investigate and develop mitigations, and technical details are released only after protections become available.
Microsoft argues that public exploit publication before remediation compresses defender response timelines while simultaneously expanding attacker visibility. The company specifically stated that exploit code publication created "unnecessary risk" for customers and forced internal teams to respond under emergency conditions, according to Microsoft's MSRC statement.
The company's argument gained additional weight after reports emerged that BlueHammer, RedSun, and UnDefend had already entered active exploitation environments. Huntress researchers reportedly observed broader intrusion activity involving affected environments rather than isolated proof-of-concept testing, according to TechRadar coverage of BlueHammer exploitation.
Nightmare Eclipse presents a very different narrative.
In multiple public statements and blog posts, the researcher alleges Microsoft repeatedly ignored communication attempts, demanded excessive reporting requirements, removed access to vulnerability-reporting accounts, and failed to provide compensation through existing bug-bounty programs, according to Tom's Hardware reporting.
The researcher further claims Microsoft deleted the account previously used for MSRC submissions and later removed associated GitHub content.
Following the GitHub removal, exploit repositories and research material migrated to GitLab and other platforms.
The researcher described Microsoft's actions as retaliatory and accused the company of publicly discrediting disclosed findings while simultaneously acknowledging the vulnerabilities through assigned CVEs and advisories, according to Windows Central coverage.
Microsoft has not publicly addressed the specific allegations regarding account removals, bounty disputes, or individual communications, according to TechCrunch reporting.
One of the most controversial elements of Microsoft's response was the inclusion of Digital Crimes Unit language.
The company stated that its DCU would continue bringing cases against threat actors and those enabling criminal activity while coordinating with law enforcement where necessary. Microsoft describes the unit as responsible for civil legal actions, technical disruption operations, criminal referrals, and public-private enforcement initiatives, according to reporting on Microsoft's warning.
Several industry voices interpreted the statement as an implicit warning directed toward researchers publishing exploit code.
Critics argued that invoking criminal-referral capabilities during an ongoing disclosure dispute risks creating a chilling effect around independent security research, according to industry commentary.
Microsoft's current position is consistent with a disclosure framework it has publicly promoted for more than a decade.
In 2010, the company formally adopted Coordinated Vulnerability Disclosure as a preferred model for vulnerability handling. Microsoft argued that coordinated disclosure balances transparency, vendor remediation, and customer protection while reducing opportunities for opportunistic exploitation, according to Microsoft's disclosure history.
The latest MSRC statement effectively reiterates the same position.
Microsoft maintains that public disclosure before remediation shifts risk onto customers and defenders, particularly when exploit code becomes readily accessible, according to Microsoft's MSRC statement.
The difference in 2026 is the operational environment.
Exploit development cycles have accelerated significantly, proof-of-concept code spreads almost instantly, and attackers increasingly weaponize public research within days or hours of publication. Those conditions have intensified long-standing tensions between independent researchers and major software vendors, according to The Hacker News coverage.
The Microsoft dispute emerges amid a broader rise in publicly released exploit research targeting endpoint security controls.
Related reporting across the security industry has documented increased focus on privilege-escalation chains, endpoint-protection bypasses, and post-exploitation techniques capable of disabling security products before ransomware deployment or lateral movement. Similar themes have appeared across coverage involving Defender, Zero-Day, BitLocker, and Exploits.
Those attacks increasingly target trusted operating-system components rather than traditional application vulnerabilities, allowing adversaries to inherit existing trust relationships and evade security controls.
The Microsoft-Nightmare Eclipse conflict is larger than a single researcher dispute.
At the center is a growing disagreement over who controls vulnerability timelines once a vendor has been informed of a security issue.
Microsoft argues that coordinated disclosure remains necessary to protect customers. Researchers increasingly argue that vendors can use disclosure processes to delay transparency, suppress findings, or avoid accountability for security failures.
The BlueHammer, RedSun, UnDefend, and YellowKey disclosures have now become a case study in that conflict.
What began as a series of Defender and BitLocker vulnerabilities has evolved into a public confrontation involving zero-day publication, exploit weaponization, bug-bounty disputes, account removals, Digital Crimes Unit warnings, and competing interpretations of responsible disclosure. The outcome will likely influence how future researchers handle high-impact Microsoft vulnerabilities and how vendors respond when disclosure disputes move into public view.

Splunk disclosed CVE-2026-20253, a critical pre-auth RCE flaw in Splunk Enterprise (CVSS 9.8) from insecure MongoDB defaults. Patches released; upgrade to 9.1.8, 9.2.5, or 9.3.2.