Microsoft patched a high-severity zero-day vulnerability on Tuesday, one of several publicly disclosed by a pseudonymous researcher called Nightmare Eclipse who has been in an escalating dispute with the software giant. A separate zero-day also appears to have been addressed in the same update cycle.
Nightmare Eclipse began publicly disclosing vulnerabilities in early April 2026, releasing proof-of-concept exploit code for flaws the researcher says Microsoft failed to properly address after an earlier arrangement between the two parties broke down.
The six disclosed vulnerabilities carry colorful codenames: BlueHammer, RedSun, UnDefend, YellowKey, GreenPlasma, and MiniPlasma. Each targets core Windows components.
BlueHammer, formally tracked as CVE-2026-33825, is a local privilege escalation vulnerability in Windows Defender. If an attacker already has basic access to your machine, this bug lets them promote themselves to administrator-level control. Microsoft patched BlueHammer during its April 2026 Patch Tuesday update cycle, with additional flaws addressed in subsequent releases.
At least three of the exploits, BlueHammer, RedSun, and UnDefend, were observed being used in real-world cyber intrusions by mid-April 2026.