    Microsoft faces security backlash over Nightmare Eclipse

    Key Takeaways

    – Three unpatched Windows zero-days (YellowKey, GreenPlasma, MiniPlasma) pose active risks and need immediate mitigation.
    – Microsoft’s threat of criminal prosecution against the researcher has backfired, drawing sharp criticism from the security community.
    – The researcher claims Microsoft deleted their bug report account, disputing the company’s narrative of irresponsible disclosure.
    – Microsoft previously hired a researcher (SandboxEscaper) who published zero-day code without warning, contradicting its current hardline stance.
    – Administrators should apply Defender Engine version 1.1.26040.8 for RedSun/UnDefend and configure TPM+PIN to block YellowKey’s physical extraction route.


    Microsoft Threatens Security Researcher Over Zero-Day Flaws

    The software giant has been facing a massive backlash from the security community after it publicly threatened to seek criminal charges against a researcher who disclosed six Windows zero-day vulnerabilities. The dispute has quickly turned into a full-scale backlash, with many experts criticizing Microsoft’s handling of the situation. Nightmare Eclipse, the researcher in question, published weaponized proof-of-concept code without coordinating with Microsoft.

    Vulnerabilities and Their Current Status

    Between early April and mid-May 2026, the researcher published exploit code for six Windows flaws, three of which—BlueHammer, RedSun, and UnDefend—have been exploited in real-world attacks. The remaining three, known as YellowKey, GreenPlasma, and MiniPlasma, have not yet been patched by the company. Microsoft has accused the researcher of bypassing coordinated disclosure standards and described the disclosures as “never justifiable” in a blog post published on May 28. The company warned that its Digital Crimes Unit would pursue cases against anyone enabling criminal activity through exploit code.

    • BlueHammer: Exploited in live attacks
    • RedSun: Exploited, but Defender Engine version 1.1.26040.8 or later protects against it
    • UnDefend: Exploited, covered by latest Defender updates
    • YellowKey: Unpatched, requires manual editing of offline WinRE registry
    • GreenPlasma: Unpatched, active risk for administrators
    • MiniPlasma: Unpatched, threat of escalation to remote code execution

    The Researcher’s Side of the Story

    Nightmare Eclipse disputes Microsoft’s version of events, claiming the company deleted the Security Response Center account used to file the original bug reports. “You literally deleted the Microsoft account I used to report bugs to you with, and I got zero pennies from doing so,” the researcher wrote. The security industry has largely sided with the researcher, with Katie Moussouris, who pioneered bug bounty programs at Microsoft, publicly criticizing the company’s blog post on Bluesky. She argued that invoking “responsible disclosure” was the first problem and that adding a prosecution threat would push researchers away from trusting Microsoft.

    Industry Reactions and Precedent

    Kevin Beaumont, a former Microsoft security engineer, described the situation as “a dumpster fire of their own making.” He noted that Microsoft previously hired SandboxEscaper after she published zero-day exploit code without warning, behavior the company now describes as criminal. Nightmare Eclipse was banned from GitHub around May 23 and from GitLab on May 26-27, and now publishes from a personal blog. A July 14 exploit release targeting July’s Patch Tuesday remains a threat, with warnings of escalation to remote code execution vulnerabilities.

    Recommended Actions for Administrators

    Administrators should treat YellowKey, GreenPlasma, and MiniPlasma as active risks. For YellowKey, Microsoft’s mitigation requires manually editing the offline WinRE registry hive and stripping autofstx.exe from the BootExecute value. A TPM+PIN pre-boot configuration cuts off the physical extraction route entirely. Defender Engine version 1.1.26040.8 or later handles RedSun and UnDefend, and that update should not wait for a scheduled maintenance window.
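    The checks that section describes, as an added PowerShell audit script that is not part of the article or of any Microsoft guidance: it reports the Defender engine version against the 1.1.26040.8 floor, lists the BootExecute value in both the running SYSTEM hive and the offline WinRE hive (mounted with reagentc, loaded with reg load, and discarded afterwards), and reports whether the system drive's BitLocker protector is TPM+PIN. The mount directory, the hive alias and the function names are assumptions; the script only reads, it does not perform the WinRE edit the article describes.

```powershell
# Added audit script (not from the article): read-only checks for the three
# mitigations described above. Assumes Windows 10/11 with Defender, BitLocker
# and WinRE enabled, run from an elevated PowerShell session.
#Requires -RunAsAdministrator

# Engine version the article names as the floor for RedSun/UnDefend coverage.
$RequiredEngine = [version]'1.1.26040.8'
# Binary the article says must be absent from WinRE's BootExecute value.
$SuspectBinary  = 'autofstx.exe'

function Test-DefenderEngine {
    # Get-MpComputerStatus exposes the scan engine build as AMEngineVersion.
    $current = [version](Get-MpComputerStatus).AMEngineVersion
    [pscustomobject]@{
        Check   = "Defender engine >= $RequiredEngine"
        Current = $current.ToString()
        Passed  = ($current -ge $RequiredEngine)
    }
}

function Get-BootExecuteEntries {
    param(
        # Session Manager key of the hive being inspected (live or loaded offline).
        [string]$SessionManagerPath
    )
    # BootExecute is REG_MULTI_SZ: one native program per line, run by smss.exe at boot.
    $value = (Get-ItemProperty -Path $SessionManagerPath -Name BootExecute -ErrorAction Stop).BootExecute
    return @($value)
}

function Test-BootExecute {
    param([string]$SessionManagerPath, [string]$Label)
    $entries = Get-BootExecuteEntries -SessionManagerPath $SessionManagerPath
    # Match the binary name anywhere in an entry (entries may carry arguments or a path).
    $hits = @($entries | Where-Object { $_ -match [regex]::Escape($SuspectBinary) })
    [pscustomobject]@{
        Check   = "BootExecute ($Label) free of $SuspectBinary"
        Current = ($entries -join ' | ')
        Passed  = ($hits.Count -eq 0)
    }
}

function Test-WinReBootExecute {
    # Mount the WinRE image, load its SYSTEM hive under an assumed alias, inspect,
    # then unload and discard so nothing is written back to the image.
    # Offline hives expose ControlSet001 directly; CurrentControlSet only exists on a live system.
    $mountDir = Join-Path $env:SystemDrive 'WinREAudit'   # assumed mount directory
    $hiveName = 'WinRE_SYSTEM'                           # assumed hive alias
    New-Item -ItemType Directory -Path $mountDir -Force | Out-Null
    try {
        & reagentc.exe /mountre /path $mountDir | Out-Null
        & reg.exe load "HKLM\$hiveName" (Join-Path $mountDir 'Windows\System32\config\SYSTEM') | Out-Null
        Test-BootExecute -SessionManagerPath "HKLM:\$hiveName\ControlSet001\Control\Session Manager" -Label 'WinRE offline hive'
    }
    finally {
        & reg.exe unload "HKLM\$hiveName" | Out-Null
        & reagentc.exe /unmountre /path $mountDir /discard | Out-Null
    }
}

function Test-TpmPin {
    # Get-BitLockerVolume lists key protectors; TpmPin (or TpmPinStartupKey) means
    # a PIN is demanded before the OS volume key is released, which is the
    # pre-boot configuration the article recommends against YellowKey.
    $vol   = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
    [pscustomobject]@{
        Check   = 'System drive protected by TPM+PIN'
        Current = ($types -join ', ')
        Passed  = ($types -contains 'TpmPin' -or $types -contains 'TpmPinStartupKey')
    }
}

$results = @(
    Test-DefenderEngine
    Test-BootExecute -SessionManagerPath 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' -Label 'running system'
    Test-WinReBootExecute
    Test-TpmPin
)
$results | Format-Table Check, Passed, Current -AutoSize
```

    Each function returns an object with a Passed flag, so the same script can feed a configuration-management report rather than only printing a table. The WinRE check fails closed: if reagentc cannot mount the image or the hive will not load, the exception surfaces instead of silently reporting the value as clean.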