A researcher operating under the pseudonyms “Chaotic Eclipse” and “Nightmare-Eclipse” has publicly disclosed six Windows zero-day vulnerabilities (security flaws that have no patch available at the time of disclosure) since May 13, 2026, starting one day after Microsoft’s May Patch Tuesday — a deliberate timing choice to maximise the window during which the vulnerabilities remain unpatched. Microsoft removed the researcher’s GitHub account on May 23, and GitHub subsequently removed a GitLab account after the researcher migrated there. Three of the six disclosed vulnerabilities are now confirmed as actively exploited in the wild. Microsoft has issued a strongly worded public statement defending Coordinated Vulnerability Disclosure (CVD — the widely accepted practice of privately notifying a software vendor before publicly disclosing a security flaw, giving them time to release a patch). The researcher claims Microsoft failed to compensate them and has threatened an additional release on July 14, 2026.
// 01 Chaotic Eclipse Windows Zero-Days: What Was Disclosed
Over a two-week period from May 13 to May 27, 2026, Chaotic Eclipse disclosed six Windows vulnerabilities spanning Windows Defender, Windows 11, and Windows 10/Server:
| Vulnerability | CVE | Component | Impact | Patch Status |
|---|---|---|---|---|
| BlueHammer | CVE-2026-33825 | Windows Defender | Privilege escalation to SYSTEM | Patched (May Patch Tuesday) |
| RedSun | CVE-2026-41091 | Windows Defender | Privilege escalation to SYSTEM | Unpatched — actively exploited |
| UnDefend | CVE-2026-45498 | Microsoft Defender | AV evasion / Defender disruption | Unpatched — actively exploited |
| YellowKey | CVE-2026-45585 | Windows 11 BitLocker | BitLocker bypass (physical access) | Unpatched |
| GreenPlasma | None assigned | Windows 10/11/Server | Local privilege escalation (partial) | Unpatched |
| MiniPlasma | None assigned | Windows 11 (fully patched) | Full privilege escalation to SYSTEM | Unpatched |
The most dangerous from an active exploitation standpoint are RedSun (CVE-2026-41091) and UnDefend (CVE-2026-45498). RedSun allows a local attacker (an attacker with any standard user account on the machine) to escalate their privileges to SYSTEM (the highest level of access on a Windows machine, equivalent to root on Linux — allowing installation of software, modification of security settings, and access to all files). UnDefend enables an attacker to disable or manipulate Windows Defender (Microsoft’s built-in antivirus and EDR component) without triggering security alerts, creating a blind spot that facilitates subsequent malware deployment.
YellowKey (CVE-2026-45585) is particularly alarming for physical security scenarios: it allows an attacker with physical access to a Windows 11 laptop to bypass BitLocker (Microsoft’s full-disk encryption feature, widely used on enterprise laptops to protect data if the device is stolen) without knowing the encryption key. This has significant implications for lost or stolen corporate devices.
MiniPlasma is described as working on “fully patched” Windows 11 systems — meaning the vulnerability is present in Microsoft’s latest security update state, not just in unpatched or older systems.
// 02 The CVD Dispute: What the Researcher Claims
Chaotic Eclipse’s disclosures were accompanied by extensive public statements detailing their grievances with Microsoft’s Security Response Center (MSRC — the team responsible for receiving, triaging, and coordinating fixes for reported vulnerabilities). The core allegations:
- Payment dispute: The researcher claims Microsoft refused to pay bug bounties for the disclosed vulnerabilities. Microsoft’s bounty programme offers $30,000–$100,000 per endpoint zero-day (with higher rates for Hyper-V exploits). Chaotic Eclipse states they “got zero pennies” despite discovering six exploitable vulnerabilities.
- Communication breakdown: “When I actively asked you to communicate with me, you refused, humiliated me, and made sure to insult me in front of people,” the researcher wrote in a public post on their personal blog (deadeclipse666.blogspot.com) after their GitHub account was removed.
- Account retaliation: Chaotic Eclipse alleges that Microsoft deleted not only their GitHub account (GitHub is owned by Microsoft) but also their MSRC portal account — preventing them from accessing any records of their previous submissions. Neither Microsoft nor GitHub has confirmed or denied the MSRC account deletion claim.
- Personal harm: The researcher states the dispute left them “homeless with nothing” and that someone “knew this will happen and they still stabbed me in the back.”
- July 14 threat: “Will make sure your bones are shattered that day,” the researcher wrote regarding a planned additional disclosure on July 14, 2026. They clarified this threat was specific to Microsoft.

// 03 Microsoft’s Position on CVD
Microsoft’s official statement, published May 15, 2026, is unambiguous: “In recent weeks, several zero-day vulnerabilities have been publicly disclosed. The details of these vulnerabilities were not shared with Microsoft prior to release, and the disclosures put our customers at unnecessary risk. We remain firmly opposed to these actions.”
The statement frames CVD (Coordinated Vulnerability Disclosure) as the industry standard that protects users by giving vendors time to develop and test patches before vulnerabilities are publicly known. Microsoft emphasised that it works with “hundreds of security researchers” through CVD with “researcher compensation and public acknowledgment.”
Microsoft’s Digital Crimes Unit stated it is “actively pursuing legal action against individuals who enable exploitation through uncoordinated disclosure” — a position that has drawn criticism from some security researchers who note that legal threats against researchers tend to chill responsible disclosure programmes more broadly.
// 04 Security Community Reaction
The reaction in the security research community has been more sympathetic to Chaotic Eclipse than to Microsoft. Multiple researchers shared their own negative MSRC experiences publicly in response to the incident:
- Jason Lang (TrustedSec): “I’ve heard nothing but horror stories about those submitting to MSRC, so it’s no surprise that this would be the fallout.”
- Rémi Gascou (SpecterOps): Shared a case where Microsoft did not reward or acknowledge a disclosed command injection vulnerability, though it was patched a month later.
Historical complaints about MSRC include retroactive bounty rule changes (a researcher in 2021 reported Microsoft reduced a $100,000+ payout to much less after changing severity criteria post-submission), slow response times, and non-responsive MSRC leadership. These complaints predate Chaotic Eclipse and suggest systemic frictions between Microsoft’s security intake process and independent researchers.
The account ban has arguably backfired as an enforcement action. Security researchers cloned and redistributed the exploit code across multiple platforms after the removals — accelerating the spread of the weaponised code rather than containing it.
// 05 What Security Teams Must Do Now
- Apply the May Patch Tuesday updates if not already done. BlueHammer (CVE-2026-33825) is the only one of the six vulnerabilities with a current patch. Prioritise applying the May cumulative update to all Windows endpoints immediately.
- Deploy detection rules for RedSun and UnDefend. CISA and Microsoft have published emergency guidance covering CVE-2026-41091 (RedSun) and CVE-2026-45498 (UnDefend) given their active exploitation status. Search your SIEM (Security Information and Event Management) for the indicators of compromise published in Microsoft’s MSRC blog and CISA’s advisory.
- Enable Tamper Protection on Windows Defender immediately. Tamper Protection (Settings → Windows Security → Virus & Threat Protection → Manage Settings → Tamper Protection) prevents local attackers from disabling Defender without valid administrative credentials in a protected session. This does not fully mitigate UnDefend but raises the bar for exploitation.
- Apply BitLocker protections for physically accessible devices. Until YellowKey (CVE-2026-45585) is patched, harden the UEFI pre-boot environment that YellowKey targets: enable Secure Boot, disable legacy boot modes, and require PIN-based pre-boot authentication (TPM plus PIN, not TPM-only unlock) on laptops that could be physically stolen.
- Monitor for privilege escalation activity. RedSun and MiniPlasma are local privilege escalation flaws. Watch for processes running under standard user contexts that spawn elevated child processes, unexpected SYSTEM-level command-line execution, or lateral movement following privilege escalation from workstation-level footholds.
- Prepare for a July 14 release. The researcher has threatened additional disclosures on July 14. Begin hardening Windows Defender configurations, auditing privileged access pathways, and ensuring your patch pipeline is set up to apply emergency out-of-band patches rapidly if Microsoft releases them in response to new disclosures.
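The checklist above can be turned into a per-host audit. The following is an added example written for this article (not code from Microsoft, CISA or the article's author); it assumes an elevated PowerShell session on Windows 10/11 with the Defender and BitLocker modules available, and its `Gaps` field names which checklist items the host fails.

```powershell
# Added audit script (editor's example, not from the article or from Microsoft/CISA guidance).
# Assumes an elevated PowerShell session on Windows 10/11 with the Defender and BitLocker modules.
$report = [ordered]@{}

# Tamper Protection and real-time protection state (Defender module, Get-MpComputerStatus).
$mp = Get-MpComputerStatus
$report['TamperProtection']   = $mp.IsTamperProtected
$report['RealTimeProtection'] = $mp.RealTimeProtectionEnabled

# Secure Boot state; Confirm-SecureBootUEFI throws on legacy BIOS / non-UEFI firmware.
try   { $report['SecureBoot'] = Confirm-SecureBootUEFI }
catch { $report['SecureBoot'] = 'N/A (not UEFI or cmdlet unsupported)' }

# BitLocker on the OS volume: flag TPM-only unlock, which the checklist says is not enough.
$osVol  = Get-BitLockerVolume -MountPoint $env:SystemDrive
$types  = @($osVol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
$hasPin = ($types -contains 'TpmPin') -or ($types -contains 'TpmPinStartupKey')
$report['BitLockerProtection'] = [string]$osVol.ProtectionStatus
$report['BitLockerProtectors'] = $types -join ','
$report['BitLockerTpmOnly']    = ($types -contains 'Tpm') -and -not $hasPin

# Recently installed updates, so the May cumulative update can be confirmed by KB number.
$report['HotfixesLast30Days'] = @(Get-HotFix |
    Where-Object { $_.InstalledOn -gt (Get-Date).AddDays(-30) } |
    ForEach-Object { $_.HotFixID }) -join ','

# Anything listed here is a gap against the checklist above.
$report['Gaps'] = @(
    if (-not $report['TamperProtection'])           { 'TamperProtectionOff' }
    if ($report['SecureBoot'] -ne $true)            { 'SecureBootNotConfirmed' }
    if ($report['BitLockerTpmOnly'])                { 'BitLockerTpmOnly' }
    if ($report['BitLockerProtection'] -ne 'On')    { 'BitLockerOff' }
) -join ','

[pscustomobject]$report
```

Run it through your endpoint management tooling and collect the `Gaps` column to find hosts that still need Tamper Protection, Secure Boot or a pre-boot PIN.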
// 06 Background: Understanding the Risk
The Chaotic Eclipse situation highlights a genuine tension at the heart of vulnerability disclosure. CVD works when vendors respond quickly, compensate fairly, and communicate professionally — reducing researcher incentive to publish unilaterally. When those conditions are absent, researchers with limited leverage may see public disclosure as their only effective recourse to force a patch.
Microsoft’s position — that uncoordinated disclosure “never justifies” the risk to customers — is ethically defensible but procedurally inconsistent. Researchers who have experienced bounty disputes, ignored submissions, or communication breakdowns with MSRC do not have access to the legal mechanisms that would allow them to enforce a vendor’s patching obligation. Public disclosure, with all its risks to users, remains the primary leverage available to independent researchers operating without institutional backing.
The practical consequence of this dispute — three actively exploited Windows zero-days with no available patches — is exactly the outcome CVD is designed to prevent. Whether responsibility for that consequence lies with the researcher, Microsoft, or both is a policy question; the operational reality for defenders is that Windows users are running systems with known, unpatched privilege escalation and AV evasion vulnerabilities being actively exploited.
// 07 Conclusion
Researcher Chaotic Eclipse has disclosed six Windows zero-days; three are now actively exploited, five have no patch available, and an additional disclosure is threatened for July 14. Security teams must apply the May Patch Tuesday update for BlueHammer, deploy detection for the unpatched RedSun and UnDefend exploits, and prepare for the possibility of further disclosures in six weeks. The broader CVD dispute reflects systemic frictions in Microsoft’s vulnerability intake process that the security research community has documented for years — and that this incident has now brought to a head in the most consequential way possible.
For any query contact us at contact@cipherssecurity.com
