Skip to main content
CybersecurityVulnerability Management

Microsoft Opposes Public Zero-Day Disclosures, Cites Customer Risk

Windows desktop and laptop setup with blurred screen, featuring a subtle security symbol.

CVE-2026-33825 — BlueHammer — is one of six Windows vulnerabilities publicly disclosed in recent weeks without prior notice to Microsoft, a disclosure the company says “put our customers at unnecessary risk.”

Microsoft’s stance on Coordinated Vulnerability Disclosure

Microsoft used the episode to reiterate its support for Coordinated Vulnerability Disclosure (CVD), urging researchers to share findings with affected vendors before making details public. In a statement, the company said the details of the vulnerabilities “were not shared with Microsoft prior to release, and the disclosures put our customers at unnecessary risk.”

Microsoft added that, in response to the public disclosures, its “security teams have been working around the clock to understand the impact, protect our customers, and develop security updates.” The company said it “firmly” opposes uncoordinated disclosures and warned that putting proof-of-concept code for unpatched vulnerabilities into the public domain can have “real-world consequences” when such code “end[s] up in the hands of bad actors.”

At the same time, Microsoft framed its approach as open to engagement: “We invite diverse perspectives that help the security community work together to protect everyone. We realize that we will not always agree on everything, but we are committed to transparency and continue to create opportunities for dialogue.”

The disclosed vulnerabilities: BlueHammer, RedSun and UnDefend among six named flaws

The researcher known as Chaotic Eclipse (aka Nightmare-Eclipse) disclosed multiple zero-day vulnerabilities affecting several Windows components, including Defender and BitLocker. Microsoft listed six vulnerabilities by name: BlueHammer (CVE-2026-33825), RedSun (CVE-2026-41091), UnDefend (CVE-2026-45498), YellowKey (CVE-2026-45585), GreenPlasma, and MiniPlasma.

Microsoft said that following disclosure BlueHammer, RedSun, and UnDefend “have all come under active exploitation in the wild.” The company described the disclosures as creating unnecessary risk and said its teams are attempting to assess impact and produce updates.

Chaotic Eclipse — the disclosure, complaints, and a July 14 warning

The researcher publicly framed the disclosures as the result of a breakdown in Microsoft’s handling of vulnerability reports. In a post published over the weekend, Chaotic Eclipse said Microsoft “refused, humiliated me, and made sure to insult me in front of people” after the researcher “actively asked you to communicate with me.”

That post also accused Microsoft of defamation tied to Microsoft’s advisory for CVE-2026-45585, and said Microsoft had deleted the Microsoft account the researcher used to report bugs: “You defame me in public with your CVE-2026-45585 advisory even though you literally deleted the Microsoft account I used to report bugs to you with and I got zero pennies from doing so and I still happily did like an idiot.”

Chaotic Eclipse concluded the post with a specific future action and a threat: they said they “intend to release something on July 14, 2026, that 'will make sure your bones are shattered that day.'”

GitHub takedown, GitLab upload, and subsequent blocking

According to the account of events, GitHub took down the Chaotic Eclipse account last week. After the takedown, the exploit code for the six vulnerabilities was uploaded to GitLab, but the newly created GitLab account has since been blocked.

Microsoft characterized the public disclosures as unnecessary and harmful, and described ongoing defensive work by its security teams. The company also pointed to the places where these conversations and engagements normally occur — “researcher appreciation events, security conferences, and the everyday work we do together to understand and address vulnerabilities.”

What this means for technologists, affected enterprises, and end users

  • Technologists and security teams: Microsoft says its security teams are “working around the clock” to understand impact and develop security updates, which implies immediate triage, analysis, and patch development for the named CVEs.
  • Affected enterprises and procurement leaders: With BlueHammer, RedSun, and UnDefend reported as being actively exploited, organizations that run the affected Windows components will face urgent decisions about deploying mitigations and testing patches as they become available.
  • End users and the general public: Microsoft warned that uncoordinated disclosures and public proof-of-concept code can have “real-world consequences,” signalling elevated risk for users until patches are applied and exploit activity subsides.

The public standoff leaves a narrowly defined timeline and two clear, immediate facts: Microsoft says it did not receive vulnerability details before the public releases and is racing to produce fixes; Chaotic Eclipse says the researcher was rebuffed and has threatened a July 14, 2026 release. Whether that date brings more technical detail, working exploit code, or something else will shape the urgency of the response in the days ahead — even as Microsoft continues to press for coordinated disclosure and dialogue.

Source: https://thehackernews.com/2026/05/microsoft-slams-public-zero-day.html

Microsoft Opposes Public Zero-Day Disclosures, Cites Customer Risk | OSINTSights