Tag: Nightmare Eclipse

  • Microsoft reverses policy after rogue researcher Nightmare Eclipse

    Key Takeaway

    – Microsoft reversed its aggressive legal stance against security researcher “Nightmare Eclipse” after industry backlash.
    – The company abandoned the term “responsible disclosure” and returned to its “Coordinated Vulnerability Disclosure” framework.
    – Microsoft admitted automated platform crackdowns fell short of professional standards and promised good-faith engagement.
    – Despite the policy retreat, the core threat remains: exploit developers are bypassing corporate reporting channels.
    – Nightmare Eclipse plans a June exploit targeting Secure Boot and BitLocker encryption on virtual machines.


    Microsoft Reverses Course on Security Researcher Threats

    Microsoft has officially backpedaled on its aggressive legal stance against the independent security researcher operating under the alias “Nightmare Eclipse.” Following severe industry backlash from the global cybersecurity community, the tech giant quietly scrubbed its recent corporate rhetoric that equated uncoordinated bug disclosures with malicious behavior. The sudden shift represents a major damage-control effort by Redmond to patch over rapidly deteriorating relations with external threat analysts and security professionals who form the backbone of modern software defense ecosystems.

    The Original Dispute and Escalation

    The dispute originally ignited after Nightmare Eclipse bypassed traditional corporate reporting channels to publish functional proof-of-concept code for several high-severity Windows flaws. The campaign successfully weaponized zero-day vulnerabilities in foundational defensive systems, deploying local privilege escalation chains such as BlueHammer (CVE-2026-33825) and the RedSun tool designed to blind Microsoft Defender. Microsoft’s initial retaliation—which included aggressive legal threats from its Digital Crimes Unit and sweeping account bans across code-hosting platforms such as GitHub and GitLab—drew widespread condemnation from enterprise security leaders, who warned that heavy-handed corporate bullying would stifle defensive research and leave active networks exposed to malicious actors.

    Policy Update and Lingering Threats

    In its latest policy update, Microsoft explicitly clarified that it has no intention of pursuing legal actions against individuals engaged in legitimate vulnerability identification. Notably, the software giant has completely abandoned the controversial term “responsible disclosure” from its official messaging channels. The company has instead pivoted back to its classic “Coordinated Vulnerability Disclosure” framework, admitting that some of its recent automated platform crackdowns fell short of professional community standards and promising a good-faith engagement strategy for reporting going forward.

    Unresolved Vulnerabilities and Future Exploits

    Despite Microsoft’s structural policy retreat, the underlying architectural threat vector remains unresolved. Nightmare Eclipse has ignored the corporate olive branch, confirming that multiple independent exploit developers are now funneling unpatched security bugs directly to them to avoid corporate reporting pipelines entirely. The pseudonymous developer has already teased an imminent June exploit payload targeting legacy Secure Boot lifecycle vulnerabilities, claiming the upcoming code drop will completely bypass BitLocker hardware encryption on operational virtual machines ahead of a forecasted mid-summer retribution deadline.

  • CISA Sets June 3 Deadline for Windows Defender Patch

    Key Takeaway

    – Federal agencies must patch RedSun (CVE-2026-41091) and UnDefend (CVE-2026-45498) by June 3 to comply with CISA’s Binding Operational Directive 22-01.
    – RedSun grants SYSTEM privileges via the Defender tiering engine; UnDefend blinds Defender entirely, enabling ransomware or lateral movement.
    – Verify Malware Protection Engine 1.1.26040.8 and Antimalware Platform 4.18.26040.7 in Windows Security before the deadline.
    – Three unpatched zero-days remain: YellowKey (BitLocker bypass), GreenPlasma (CTFMON privilege escalation), and MiniPlasma (cldflt.sys exploit, works on fully patched Windows 11/Server 2022/2025).
    – Mitigate YellowKey immediately by disabling WinRE’s autofstx.exe and switching BitLocker from TPM-only to TPM+PIN.


    Federal Agencies Face Urgent Microsoft Defender Patches Deadline

    Federal agencies have until June 3 to apply fixes for two actively exploited Microsoft Defender vulnerabilities tied to the Nightmare Eclipse disclosure campaign. With that deadline 48 hours away, three additional Windows zero-days from the same researcher remain unpatched, and June 9 is the next opportunity Microsoft has to address them. The current situation demands immediate action from IT departments managing government systems.

    Background on the Nightmare Eclipse Campaign and CISA Involvement

    The saga began in early April when Nightmare Eclipse dropped BlueHammer (CVE-2026-33825), patched in the April 14 Patch Tuesday with its CISA deadline passing in early May. The current countdown is anchored by a separate CISA action on May 20, adding RedSun (CVE-2026-41091) and UnDefend (CVE-2026-45498) to the Known Exploited Vulnerabilities catalog after Huntress confirmed active exploitation in real-world attacks. CISA mandated remediation under Binding Operational Directive 22-01 with a 14-day window. These vulnerabilities are being actively used in attacks right now, according to security researchers.

    Technical Details of RedSun and UnDefend Vulnerabilities

    RedSun targets the Defender tiering engine to escalate privileges to SYSTEM. UnDefend triggers a denial-of-service condition in the Antimalware Platform, blinding Defender entirely and creating a window for ransomware deployment or lateral movement without triggering alerts. Both vulnerabilities allow attackers to bypass critical security features in Windows Defender. The impact is severe for enterprise environments where Defender is a primary line of defense.

    Required Version Numbers for Patching

    Both flaws are fixed in Malware Protection Engine 1.1.26040.8 and Antimalware Platform 4.18.26040.7. Verify those version numbers in Windows Security settings before June 3. Administrators should check these version numbers manually to ensure updates have been applied correctly. Failure to meet this deadline could result in compliance violations for federal agencies.
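    A script for the version check described above, added here as an example rather than code from the article or from Microsoft. It relies only on the built-in Defender cmdlets (Get-MpComputerStatus, Update-MpSignature); the function name and the hosts.txt file in the commented fleet check are my own choices.

```powershell
# Added example, not from the article: confirm that this host runs at least the
# Malware Protection Engine and Antimalware Platform builds named as the fix
# for RedSun (CVE-2026-41091) and UnDefend (CVE-2026-45498).
# Run from an elevated PowerShell prompt.

function Test-DefenderPatchLevel {
    param(
        # Minimum builds quoted in the article.
        [version]$MinEngine   = '1.1.26040.8',    # Malware Protection Engine
        [version]$MinPlatform = '4.18.26040.7'    # Antimalware Platform
    )
    # AMEngineVersion is the engine build, AMProductVersion the platform build.
    $status = Get-MpComputerStatus -ErrorAction Stop

    # Cast to [version]: a plain string compare would rank 1.1.26040.9 above
    # 1.1.26040.10 and misreport the patch state.
    $engine   = [version]$status.AMEngineVersion
    $platform = [version]$status.AMProductVersion

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        EngineVersion   = $engine.ToString()
        EngineOk        = $engine -ge $MinEngine
        PlatformVersion = $platform.ToString()
        PlatformOk      = $platform -ge $MinPlatform
        RealTimeOn      = $status.RealTimeProtectionEnabled
        Compliant       = ($engine -ge $MinEngine) -and ($platform -ge $MinPlatform)
    }
}

$result = Test-DefenderPatchLevel
$result | Format-List

if (-not $result.Compliant) {
    Write-Warning 'Defender is below the required build; pulling the latest update.'
    # Engine updates ship with definition updates; platform updates arrive via
    # Windows Update, so the re-check may still fail until that is installed.
    Update-MpSignature -ErrorAction Stop
    Test-DefenderPatchLevel | Format-List
}

# Fleet check over WinRM (uncomment; hosts.txt holds one computer name per line):
# Invoke-Command -ComputerName (Get-Content .\hosts.txt) `
#     -ScriptBlock ${function:Test-DefenderPatchLevel} |
#     Where-Object { -not $_.Compliant } |
#     Format-Table PSComputerName, EngineVersion, PlatformVersion
```

    The [version] cast matters: build strings are dotted integers, and comparing them as text gives wrong answers once a component crosses from one to two digits. A host that reports RealTimeOn as false should be treated as unprotected regardless of the build numbers, since UnDefend's effect is precisely to take Defender offline.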

    Additional Unpatched Zero-Days From Nightmare Eclipse

    YellowKey (CVE-2026-45585) bypasses BitLocker on TPM-only systems via the Windows Recovery Environment, allowing physical access to unlock encrypted drives without a recovery key. GreenPlasma is a CTFMON privilege escalation flaw with no CVE and no patch. MiniPlasma re-exploits CVE-2020-17103 in cldflt.sys, a 2020 flaw whose patch was either incomplete or silently regressed. These vulnerabilities present serious risks for organisations that rely on BitLocker for data protection.

    Confirmed Exploitation on Modern Windows Systems

    ThreatLocker and Will Dormann confirmed that MiniPlasma still produces a SYSTEM shell on fully patched Windows 11 and Windows Server 2022 and 2025. Windows 10 is unaffected, which matters for teams managing mixed fleets. This discrepancy means administrators cannot assume all systems are equally vulnerable. Testing should be conducted on the relevant operating systems to understand exposure.

    Mitigation Steps for YellowKey BitLocker Bypass

    For YellowKey, run reagentc /disable, mount the offline WinRE registry hive, remove autofstx.exe from the BootExecute value under ControlSet001\Control\Session Manager, then run reagentc /enable to commit the change. Transition BitLocker from TPM-only to TPM+PIN wherever possible. This manual process is required until Microsoft releases an official patch. Organisations should prioritise this mitigation for high-security systems.

    Future Timeline for Remaining Vulnerabilities

    Nightmare Eclipse has signalled a July 14 release targeting that month’s Patch Tuesday. This provides a timeline for planning additional security updates.

    Sources: cisa.gov; Microsoft advisories for CVE-2026-41091 and CVE-2026-45498

  • Microsoft faces security backlash over Nightmare Eclipse

    Key Takeaway

    – Three unpatched Windows zero-days (YellowKey, GreenPlasma, MiniPlasma) pose active risks and need immediate mitigation.
    – Microsoft’s threat of criminal prosecution against the researcher has backfired, drawing sharp criticism from the security community.
    – The researcher claims Microsoft deleted their bug report account, disputing the company’s narrative of irresponsible disclosure.
    – Microsoft previously hired a researcher (SandboxEscaper) who published zero-day code without warning, contradicting its current hardline stance.
    – Administrators should apply Defender Engine version 1.1.26040.8 for RedSun/UnDefend and configure TPM+PIN to block YellowKey’s physical extraction route.


    Microsoft Threatens Security Researcher Over Zero-Day Flaws

    The software giant has been facing a massive backlash from the security community after it publicly threatened to seek criminal charges against a researcher who disclosed six Windows zero-day vulnerabilities. This dispute has quickly turned into a full-scale backlash, with many experts criticizing Microsoft’s approach to handling the situation. Nightmare Eclipse, the researcher in question, published weaponized proof-of-concept code without coordinating with Microsoft.

    Vulnerabilities and Their Current Status

    Between early April and mid-May 2026, the researcher published exploit code for six Windows flaws, three of which—BlueHammer, RedSun, and UnDefend—have been exploited in real-world attacks. The remaining vulnerabilities, known as YellowKey, GreenPlasma, and MiniPlasma, have not yet been patched by the company. Microsoft has accused the researcher of bypassing coordinated disclosure standards and described the disclosures as “never justifiable” in a blog post published on May 28. The company warned its Digital Crimes Unit would pursue cases against anyone enabling criminal activity through exploit code.

    • BlueHammer: Exploited in live attacks
    • RedSun: Exploited, but Defender Engine version 1.1.26040.8 or later protects against it
    • UnDefend: Exploited, covered by latest Defender updates
    • YellowKey: Unpatched, requires manual editing of offline WinRE registry
    • GreenPlasma: Unpatched, active risk for administrators
    • MiniPlasma: Unpatched, threat of escalation to remote code execution

    The Researcher’s Side of the Story

    Nightmare Eclipse disputes Microsoft’s version of events, claiming the company deleted the Security Response Center account used to file the original bug reports. “You literally deleted the Microsoft account I used to report bugs to you with, and I got zero pennies from doing so,” the researcher wrote. The security industry has largely sided with the researcher, with Katie Moussouris, who pioneered bug bounty programs at Microsoft, publicly criticizing the company’s blog post on Bluesky. She argued that invoking “responsible disclosure” was the first problem and that adding a prosecution threat would push researchers away from trusting Microsoft.

    Industry Reactions and Precedent

    Kevin Beaumont, a former Microsoft security engineer, described the situation as “a dumpster fire of their own making.” He noted that Microsoft previously hired SandboxEscaper after she published zero-day exploit code without warning, behavior the company now describes as criminal. Nightmare Eclipse was banned from GitHub around May 23 and GitLab on May 26-27, and now publishes from a personal blog. A July 14 exploit release targeting July’s Patch Tuesday remains a threat, with warnings of escalation to remote code execution vulnerabilities.

    Recommended Actions for Administrators

    Administrators should treat YellowKey, GreenPlasma, and MiniPlasma as active risks. For YellowKey, Microsoft’s mitigation requires manually editing the offline WinRE registry hive and stripping autofstx.exe from the BootExecute value. A TPM+PIN pre-boot configuration cuts off the physical extraction route entirely. Defender Engine version 1.1.26040.8 or later handles RedSun and UnDefend, and that update should not wait for a scheduled maintenance window.
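    The YellowKey mitigation that both the CISA deadline article and the recommended actions above describe (reagentc /disable, edit the offline WinRE hive to drop autofstx.exe from BootExecute, reagentc /enable, then move BitLocker to TPM+PIN), collected into one script. This is an added example, neither Microsoft’s published procedure nor code from these articles. Assumptions: Winre.wim sits at C:\Windows\System32\Recovery\Winre.wim after reagentc /disable (its usual location; confirm with reagentc /info), the image is mounted with the DISM PowerShell module at C:\WinRE-Mount, and the offline SYSTEM hive is loaded under a temporary HKLM\WinRE_SYSTEM key; the function and variable names are mine.

```powershell
# Added example, not from the articles and not Microsoft's script: interim
# YellowKey (CVE-2026-45585) mitigation plus a TPM+PIN protector.
# Run elevated, on one test machine first; keep the Winre.wim backup it makes.

$WinReWim   = 'C:\Windows\System32\Recovery\Winre.wim'   # assumed location after reagentc /disable
$MountDir   = 'C:\WinRE-Mount'                          # assumed scratch mount point
$HiveKey    = 'WinRE_SYSTEM'                            # assumed temporary hive name
$SessionMgr = "HKLM:\$HiveKey\ControlSet001\Control\Session Manager"

function Remove-WinReAutofstx {
    # 1. Detach WinRE so the image becomes a plain, writable WIM on the OS volume.
    & reagentc.exe /disable | Out-Null
    if (-not (Test-Path $WinReWim)) { throw "Winre.wim not found at $WinReWim; check 'reagentc /info'." }
    Copy-Item $WinReWim "$WinReWim.bak" -Force        # rollback copy

    # 2. Mount the recovery image read/write.
    New-Item -ItemType Directory -Path $MountDir -Force | Out-Null
    Mount-WindowsImage -ImagePath $WinReWim -Index 1 -Path $MountDir | Out-Null
    try {
        # 3. Load the image's offline SYSTEM hive.
        $hivePath = Join-Path $MountDir 'Windows\System32\config\SYSTEM'
        & reg.exe load "HKLM\$HiveKey" $hivePath | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "reg load failed for $hivePath" }
        try {
            # 4. Drop every BootExecute entry that references autofstx.exe.
            #    BootExecute is REG_MULTI_SZ; the stock value is "autocheck autochk *".
            $current = @((Get-ItemProperty -Path $SessionMgr -Name BootExecute).BootExecute)
            $cleaned = @($current | Where-Object { $_ -notmatch 'autofstx' })
            if ($cleaned.Count -eq $current.Count) {
                Write-Host 'autofstx.exe is not in BootExecute; nothing to change.'
            } else {
                Set-ItemProperty -Path $SessionMgr -Name BootExecute -Value $cleaned -Type MultiString
                Write-Host "BootExecute is now: $($cleaned -join ' | ')"
            }
        } finally {
            # Release PowerShell's handles on the hive first, or reg unload is denied.
            [GC]::Collect(); [GC]::WaitForPendingFinalizers()
            & reg.exe unload "HKLM\$HiveKey" | Out-Null
        }
        # 5. Commit the edited hive back into Winre.wim.
        Dismount-WindowsImage -Path $MountDir -Save | Out-Null
    } catch {
        Dismount-WindowsImage -Path $MountDir -Discard | Out-Null
        throw
    }
    # 6. Re-register the modified WinRE and show its status.
    & reagentc.exe /enable | Out-Null
    & reagentc.exe /info
}

function Set-BitLockerTpmPin {
    param([Parameter(Mandatory)][securestring]$Pin, [string]$MountPoint = 'C:')
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    # Refuse to change protectors unless a recovery password exists to fall back on.
    if (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
        throw 'Add and escrow a recovery password before changing startup protectors.'
    }
    $tpmOnly = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm'
    # Group Policy "Require additional authentication at startup" must allow a PIN.
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $Pin | Out-Null
    # Remove the TPM-only protector so the volume no longer unlocks without the PIN.
    foreach ($p in $tpmOnly) {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
    }
    Get-BitLockerVolume -MountPoint $MountPoint | Select-Object MountPoint, ProtectionStatus, KeyProtector
}

# Usage (elevated):
#   Remove-WinReAutofstx
#   Set-BitLockerTpmPin -Pin (Read-Host -AsSecureString 'Startup PIN')
```

    Two points from the script worth carrying into any in-house version: the hive must be unloaded and the image dismounted with -Save, otherwise reagentc /enable re-registers the unchanged WIM and the mitigation silently does nothing; and the TPM-only protector has to be removed after the TPM+PIN one is added, since leaving both in place keeps the PIN-less unlock path open.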