Six Zero-Days, One Grudge: The Nightmare Eclipse Campaign Against Microsoft

Between early April and mid-May 2026, a security researcher operating under the aliases "Nightmare Eclipse" and "Chaotic Eclipse" published weaponized proof-of-concept exploit code for six Windows zero-day vulnerabilities — deliberately timed to drop right after Microsoft's monthly Patch Tuesday updates. Three have been exploited in the wild. Three remain unpatched. Microsoft has threatened criminal charges. The security community is split. And administrators are left managing active risk with no vendor fix available.

This is the most consequential uncoordinated vulnerability disclosure campaign in years, and it's not over — the researcher is promising more.

The Six Vulnerabilities

Each exploit was released publicly with enough detail for skilled attackers to weaponize. The naming convention — color-themed codenames — adds a layer of theater to what is otherwise a serious operational security crisis.

Patched (3 of 6)

BlueHammer (CVE-2026-33825) — An elevation of privilege vulnerability in Microsoft Defender. This was the first drop, released April 2, and patched in the April Patch Tuesday update. CISA added it to the Known Exploited Vulnerabilities catalog after confirmed exploitation in the wild. It allows an authenticated attacker to escalate local privileges through Defender itself — the security tool becomes the attack vector.

RedSun — A second Defender-targeting exploit that essentially allows attackers to turn Defender into an attack tool against the users it's supposed to protect. Released April 15, the day of April's Patch Tuesday. Microsoft addressed it through a Defender Engine update (version 1.1.26040.8 or later). Deploy this update immediately; do not wait for a scheduled maintenance window.

UnDefend — The third Defender exploit in the set. Rather than a single-event privilege escalation, UnDefend allows attackers to gradually degrade Defender's ability to detect and protect against new threats — a slow poisoning of the endpoint's primary defense. Also addressed through a Defender Engine update.

Unpatched (3 of 6)

YellowKey — A BitLocker encryption bypass targeting Windows 11 and Windows Server 2022/2025. The exploit places specially crafted FsTx files on removable media (a USB stick), then abuses the Windows Recovery Environment (WinRE) boot behavior to open a command shell while the BitLocker-protected disk remains accessible. An attacker with physical access to a machine can bypass TPM-only BitLocker protection without needing credentials or a recovery key. The researcher described the vulnerable component as functioning like a "backdoor" because it exists only in WinRE. No CVE has been assigned. No patch is available.

GreenPlasma — A privilege escalation vulnerability in Windows CTFMON that allows an unprivileged user to create arbitrary memory-section objects in directory locations trusted by SYSTEM. The published PoC is deliberately incomplete — it lacks the component needed for a full SYSTEM shell — but provides enough for a skilled attacker to complete the chain. As one researcher noted: "if you're smart enough, you can figure out the rest." No CVE assigned. No patch available. No known mitigation.

MiniPlasma — Perhaps the most damning of the set. This is a weaponized exploit for CVE-2020-17103, an elevation of privilege vulnerability in the Windows Cloud Files Mini Filter Driver that Microsoft supposedly patched in 2020. The problem: Google Project Zero's original proof-of-concept exploit from 2020 still works without any modifications on current Windows builds. The five-year-old "fix" didn't actually fix it. Nightmare Eclipse weaponized the still-functional PoC into a full SYSTEM privilege escalation exploit.

The Combined Attack Chain

Individually, each vulnerability is serious. Together, they form a complete post-exploitation toolkit. GreenPlasma or MiniPlasma provides the privilege escalation — converting a low-privilege foothold into SYSTEM access on a running machine. YellowKey then defeats BitLocker, giving access to the encrypted disk. For targeted attacks — corporate espionage, stolen laptops, border crossing seizures — this combination eliminates the two layers organizations rely on most: privilege boundaries and disk encryption.

Microsoft's Response and the Community Backlash

Microsoft published a formal blog post on May 28 describing uncoordinated disclosures as "never justifiable" and warning that its Digital Crimes Unit could pursue criminal charges against those who enable criminal activity through exploit code. The company had Nightmare Eclipse's GitHub account suspended around May 23, followed by their GitLab account between May 26 and 27.

Nightmare Eclipse disputes Microsoft's framing. The researcher claims Microsoft deleted the Security Response Center account used to file the original bug reports and refused further contact. "You literally deleted the Microsoft account I used to report bugs to you with, and I got zero pennies from doing so," the researcher wrote.

The cybersecurity community's reaction has been mixed. Some researchers condemn the uncoordinated disclosure as reckless — weaponized PoCs released without vendor coordination put real organizations at risk. Others point to Microsoft's documented history of dismissing, delaying, or inadequately patching reported vulnerabilities. The MiniPlasma exploit — proving a 2020 patch never actually worked — lends credibility to the frustration, even if the disclosure method is indefensible.

What Administrators Should Do Now

For YellowKey (BitLocker bypass): Microsoft's interim mitigation requires manually editing the offline WinRE registry hive and stripping autofstx.exe from the BootExecute value. Configuring BitLocker with TPM+PIN pre-boot authentication eliminates the physical extraction route entirely. If your BitLocker policy is TPM-only (the default), your encrypted laptops are vulnerable to physical access attacks until this is patched.

For GreenPlasma (privilege escalation): No mitigation is available. Monitor for suspicious CTFMON activity and memory-section object creation in SYSTEM-trusted directories. This is a watch-and-wait situation until Microsoft releases a fix.

For MiniPlasma (Cloud Files Mini Filter Driver): The underlying vulnerability is CVE-2020-17103, which was supposedly patched five years ago. Monitor for a new patch. In the meantime, treat the Cloud Files Mini Filter Driver as an active attack surface for local privilege escalation.

For BlueHammer, RedSun, and UnDefend (Defender exploits): Ensure Defender Engine is updated to version 1.1.26040.8 or later. Do not wait for a scheduled maintenance window. If your Defender definition updates are delayed or gated, this is the time to push them immediately.
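As an added defender-side check (this script is not from the article and is not Microsoft's own tooling), the following PowerShell audits the two conditions the guidance above calls out: BitLocker volumes protected by TPM only, and a Defender engine older than 1.1.26040.8. It assumes the BitLocker and Defender PowerShell modules are present and that it runs in an elevated session.

```powershell
# Added audit script (not from the article). Read-only: it flags BitLocker volumes that
# rely on a bare TPM protector (the TPM-only configuration the article says YellowKey
# defeats) and checks that the Defender engine is at or above the version the article
# names for the RedSun/UnDefend fix. Run from an elevated PowerShell session.

$MinEngineVersion = [version]'1.1.26040.8'   # minimum engine version quoted in the article

function Test-TpmOnlyVolumes {
    # Returns protected volumes whose TPM protector has no pre-boot PIN
    # (KeyProtectorType 'Tpm' present, no 'TpmPin' or 'TpmPinStartupKey').
    Get-BitLockerVolume | Where-Object { $_.ProtectionStatus -eq 'On' } | ForEach-Object {
        $types  = @($_.KeyProtector | Select-Object -ExpandProperty KeyProtectorType)
        $hasPin = @($types | Where-Object { "$_" -like 'TpmPin*' })
        if (($types -contains 'Tpm') -and ($hasPin.Count -eq 0)) {
            [pscustomobject]@{
                MountPoint = $_.MountPoint
                Protectors = ($types -join ', ')
                Finding    = 'TPM-only: add a pre-boot PIN (Add-BitLockerKeyProtector -TpmAndPinProtector)'
            }
        }
    }
}

function Test-DefenderEngine {
    # Compares the running antimalware engine version with the article's minimum.
    $status = Get-MpComputerStatus
    $engine = [version]$status.AMEngineVersion
    $ok     = ($engine -ge $MinEngineVersion)
    [pscustomobject]@{
        EngineVersion = $engine
        Required      = $MinEngineVersion
        UpToDate      = $ok
        Finding       = if ($ok) { 'OK' } else { 'Engine below minimum: run Update-MpSignature now' }
    }
}

$tpmOnly = @(Test-TpmOnlyVolumes)
if ($tpmOnly.Count -gt 0) {
    $tpmOnly | Format-Table -AutoSize
} else {
    'No TPM-only BitLocker volumes found.'
}
Test-DefenderEngine | Format-List
```

The script only reports; it does not change protectors or registry values, so it is safe to run fleet-wide through your existing remote execution tooling before deciding on remediation.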

The Bigger Picture

Regardless of where you land on the ethics of uncoordinated disclosure, the operational reality is unchanged: three Windows zero-days have no patch, a five-year-old patch was proven ineffective, and the researcher is promising more. Microsoft's threat of criminal prosecution may deter some, but it doesn't fix the vulnerabilities.

This situation reinforces a principle that should already be baked into every security program: defense in depth cannot depend on any single vendor's patch cycle. When the vendor's patches are incomplete, delayed, or non-existent, your security posture depends on the layers you control — network segmentation, privilege management, physical security controls, endpoint detection beyond Defender, and the ability to deploy compensating controls faster than the attacker can exploit the gap.

The researcher has explicitly stated that the next Patch Tuesday will be "a big surprise for you, Microsoft." Plan accordingly.
