Microsoft Condemns Public Zero-Day Disclosures After GitHub Takedown
Microsoft has strongly advocated for Coordinated Vulnerability Disclosure (CVD) following a public disclosure of multiple zero-day vulnerabilities affecting Windows components, including Microsoft Defender and BitLocker. The tech giant urged the research community to share findings privately with vendors before public disclosure, emphasizing that uncoordinated releases unnecessarily expose customers to risk. This statement comes after researcher Chaotic Eclipse (aka Nightmare-Eclipse) published details of six unpatched vulnerabilities over the past month, citing frustration with Microsoft's vulnerability handling process.
The disclosed vulnerabilities include BlueHammer (CVE-2026-33825), RedSun (CVE-2026-41091), UnDefend (CVE-2026-45498), YellowKey (CVE-2026-45585), GreenPlasma, and MiniPlasma. According to Microsoft, BlueHammer, RedSun, and UnDefend are already under active exploitation in the wild. The company stated that its security teams have been working around the clock to assess impact, protect customers, and develop security updates. Microsoft firmly opposes the public release of proof-of-concept code for unpatched vulnerabilities, warning that such actions have "real-world consequences" when weaponized by malicious actors.
The fallout from these disclosures led GitHub to remove Chaotic Eclipse's account last week. The exploit code was subsequently uploaded to GitLab, where the newly created account has also been blocked. The researcher accused Microsoft of deleting their bug reporting account and defaming them publicly through CVE advisories while receiving no compensation for their vulnerability reports. Chaotic Eclipse announced plans to release additional content on July 14, 2026, without elaborating on specifics.