Microsoft Tries to Calm Legal Threat Fears After Zero-Day Disclosure Backlash
Microsoft backtracks on legal threats against researcher disclosing unpatched zero-days
Summary
Microsoft faced backlash after threatening legal action against researcher Nightmare Eclipse for publicly disclosing multiple unpatched zero-day vulnerabilities affecting Microsoft products without coordinated notification. The researcher had disclosed six vulnerabilities (CVE-2026-41091, CVE-2026-45498, CVE-2026-33825, CVE-2026-45585, GreenPlasma, MiniPlasma) following a dispute with Microsoft over compensation and communication. After criticism from the security community, Microsoft clarified it has no intention to pursue legal action against security researchers, but will target those engaging in malicious activity.
Full text
Microsoft has responded to backlash over its initial threats of legal action against researchers who publicly disclose zero-day vulnerabilities without coordinated notification. The controversy concerns a researcher known online as Chaotic Eclipse and Nightmare Eclipse, who in recent weeks disclosed the details and proof-of-concept (PoC) exploits for several unpatched vulnerabilities affecting Microsoft products. Details remain unknown, but it appears there was a disagreement between the researcher and Microsoft during a vulnerability disclosure process. The researcher then decided to release the details of several vulnerabilities that had not been reported to Microsoft. The list includes RedSun (CVE-2026-41091), UnDefend (CVE-2026-45498), BlueHammer (CVE-2026-33825), YellowKey (CVE-2026-45585), GreenPlasma, and MiniPlasma. Most of these vulnerabilities can be exploited to escalate privileges. YellowKey allows an attacker to bypass BitLocker protection, and UnDefend is a Microsoft Defender denial-of-service (DoS) vulnerability. Microsoft has begun releasing patches and mitigations for the vulnerabilities, but several have already been exploited in the wild, including BlueHammer, RedSun, and UnDefend.Advertisement. Scroll to continue reading. The researcher has expressed deep disgruntlement with Microsoft, accusing the company of humiliating them, ignoring their communications, failing to compensate them for reported vulnerabilities, and publicly defaming them. Microsoft, on the other hand, is unhappy with Nightmare Eclipse’s approach, saying the researcher exposed customers to unnecessary risk. The company disabled the researcher’s account on its vulnerability reporting portal and on GitHub, where the PoC exploits had been released and which Microsoft owns. “We remain firmly opposed to these actions, and any disclosure outside proper coordination that could harm our customers and the digital ecosystem. Uncoordinated disclosures that put proof-of-concept code for unpatched vulnerabilities into the hands of bad actors are never justifiable and have real-world consequences,” Microsoft said in a blog post dated May 27. The tech giant added, “Our security teams across the company work tirelessly tracking threat actors who look for weaknesses just like these to attack Microsoft and our customers. Our Digital Crimes Unit will continue bringing cases against these actors and those that enable their criminal activity – coordinating as needed with law enforcement around the world.” This remark sparked discussion and backlash, with some members of the cybersecurity community viewing it as a threat of legal action for disclosing unpatched vulnerabilities. “I’m deeply uncomfortable with Microsoft attempting to weaponize their extensive law enforcement contacts to arrest people who post zero days in the products,” researcher Kevin Beaumont commented. Florian Roth, head of research at Nextron Systems, noted, “Maybe Nightmare Eclipse was unreasonable. Maybe Microsoft was. Maybe both. But I think Microsoft badly misjudged this situation.” “When you’re the largest software vendor on the planet, you don’t get to behave like an angry individual in an internet argument. You have to be the adult in the room,” Roth added. “Deleting repositories, talking about criminal investigations and turning the whole thing into a public fight was a mistake. The damage from that goes far beyond this one researcher.” In response to the backlash, Microsoft issued clarifications via X on June 1. The company affirmed its deep appreciation for the security research community and acknowledged that relationships between researchers and vendors can sometimes be challenging. “To be clear about our approach to legal matters, we have no intention to pursue action against individuals conducting or publishing their security research,” Microsoft said. “When an individual breaks the law and engages in malicious activity causing real harm to our customers, we will work with law enforcement as appropriate.” It added, “The security community plays a vital role in helping us protect customers. We are committed to maintaining a constructive and respectful relationship and growing together. We know that, given the nature of this work, there will at times be misunderstandings. We remain committed to engaging in good faith and to providing a respectful and professional experience for all researchers, regardless of past interactions.” In response to Microsoft’s post, Nightmare Eclipse suggested on X that the company did file legal action against them over the disclosures. The researcher plans on releasing a full BitLocker bypass later this month. Related: Oracle WebLogic Vulnerability Exploited in the Wild Related: Android Update Patches Exploited Zero-Day, 123 Other Vulnerabilities Written By Eduard Kovacs Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering. Daily Briefing Newsletter Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights. More from Eduard Kovacs Dashlane Brute-Force Attack Leads to Limited Encrypted Vault DownloadsVulnerability in Popular Conference Software Granted Attackers a 100% Talk Acceptance RateRomanian Hacker Sentenced to Prison in US for Selling Access to State NetworkLA Metro Cyberattack Linked to Iranian State-Sponsored HackersAnthropic Releases New Claude Sandbox, Security Guidance PluginAnthropic Expands Claude’s Enterprise Security Governance With 28 New IntegrationsGhost CMS Vulnerability Exploited to Hack Over 700 WebsitesOncology Institute Discloses Data Breach Latest News Trump Signs Executive Order That Invites Vetting of Top AI Models for National Security RisksTwo New Reports Offer Competing Explanations for Cybersecurity’s Growing CrisisExclusive: How One Line of Code Put Billions of Microsoft Android App Downloads at RiskAndroid Update Patches Exploited Zero-Day, 123 Other VulnerabilitiesAnthropic Expanding Mythos Access to 150 New OrganizationsThe Zero-Knowledge Threat Actor and the End of Responsible DisclosureCritical Vulnerability in HP VoIP Phones Enables Enterprise Network BreachesOracle WebLogic Vulnerability Exploited in the Wild Trending Daily Briefing NewsletterSubscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts. Webinar: Third-Party Risk in Practice June 4, 2026 Organizations are investing heavily in third-party risk management, but breaches, delays, and blind spots continue to persist. Join this live webinar as we examine the gap between how organizations think their third-party risk programs are performing and what’s actually happening in practice. Register Virtual Roundtable: CISO Forum 2026 Mid-Year Review June 10, 2026 Explore how attackers are using AI to scale threats and how security teams can respond with AI-driven defenses. Protecting against unmonitored use of generative AI (Shadow AI) in business units and building and enforcing AI governance frameworks. Register People on the MoveRapid7 announced that Wael Mohamed will assume the role of Chief Executive Officer, replacing current Chief Executive Officer Corey Thomas, who will become Executive Chairman of the Board.Anurag Jain has been appointed Senior Vice President of Engineering at CodeHunter.CTERA has appointed Tal Sarfaty as Senior Vice President of Cybersecurity.More People On The MoveExpert Insights The Zero-Knowledge Threat Actor and the End of Responsible Disclosure AI can help attackers generate malware, create malicious payloads, bypass simple security checks, and convert vague malicious intent into functional code. (Etay Maor) Raising the Cybersecurity Stakes: Ante up for the Agen
Indicators of Compromise
- cve — CVE-2026-41091
- cve — CVE-2026-45498
- cve — CVE-2026-33825
- cve — CVE-2026-45585
- malware — GreenPlasma
- malware — MiniPlasma