Microsoft has responded to backlash over its threats of legal action against researchers who publicly disclose zero-day vulnerabilities without coordinated notification.
The controversy concerns a researcher known online as Chaotic Eclipse and Nightmare Eclipse, who in recent weeks disclosed the details and proof-of-concept (PoC) exploits for several unpatched vulnerabilities affecting Microsoft products.
Details remain unknown, but it appears there was a disagreement between the researcher and Microsoft during a vulnerability disclosure process. The researcher then decided to release the details of several vulnerabilities that had not been reported to Microsoft.
The list includes RedSun (CVE-2026-41091), UnDefend (CVE-2026-45498), BlueHammer (CVE-2026-33825), YellowKey (CVE-2026-45585), GreenPlasma, and MiniPlasma.
Most of these vulnerabilities can be exploited to escalate privileges. YellowKey allows an attacker to bypass BitLocker protection, and UnDefend is a Microsoft Defender denial-of-service (DoS) vulnerability.