Six Windows Zero-Days in Six Weeks, Windows Is a Mess
Several actively exploited. Some still have no patch.

A security researcher published six Windows exploits between April and May 2026. Several were being used by real attackers within days. Three still have no complete fix.
If you use Windows, this affects you. More than a billion people still do.
What zero-day means
Zero-day means the vendor had zero days to fix the flaw before it became public. The patch doesn’t exist yet. Attackers already have the exploit.
The specific flaws here are LPE vulnerabilities. Local Privilege Escalation. If someone already has access to your machine, they can use these to take full control. Admin rights. System-level access. Everything.
Windows Defender and the Windows kernel are both affected.
The six exploits
The researcher goes by Nightmare Eclipse (also Chaotic Eclipse, Dead Eclipse). Starting April 2, 2026, they published six tools in roughly six weeks.
Bluehammer exploits a timing flaw in Windows Defender and grants full system control. This one was patched in the April 2026 Patch Tuesday update. It’s also on CISA’s Known Exploited Vulnerabilities list — confirmed used in real attacks.
Red Sun abuses a Defender file-recovery feature to inject code at the highest system level. No patch.
Undefend silently freezes Defender’s signature update pipeline. No security warnings appear. Your protection just stops working in the background. Also unpatched.
The remaining three — Yellow Key, Green Plasma, and Mini Plasma — have no official fixes either. Microsoft has flagged Yellow Key as “more likely” to be exploited in practice, since a working proof-of-concept is already public.
Hunter Labs confirmed active exploitation of Bluehammer, Red Sun, and Undefend by April 10. The attack chain: compromised Fortigate VPN credentials for initial access, then these exploits to escalate privileges once inside.
How we got here
Security research has a standard practice. You find a flaw, you report it privately, the vendor gets time to fix it, then everything goes public — usually around 90 days, ideally alongside a patch.
That’s not what happened here.
Nightmare Eclipse claims Microsoft’s Security Response Center ignored their reports. Their MSRC account was suspended. Reportedly, MSRC asked for a video demonstration of the exploit before they’d even look at it — an unusual requirement that drew criticism from the broader security community.
On March 26, the researcher posted a public warning: the exploit would be released if MSRC didn’t respond. According to their account, MSRC didn’t. On April 2, Bluehammer was public.
Five more followed.
Microsoft’s version is different. The MSRC blog states the vulnerabilities were not shared with Microsoft before publication, and that the disclosures put customers at unnecessary risk. Uncoordinated, unjustifiable — that’s the MSRC framing.
Both things can be partly true. The researcher’s approach was reckless. Microsoft’s process may have failed before that point. I don’t know what actually happened between them. I doubt many do.
Microsoft’s response
Swift. And not subtle.
Microsoft deleted Nightmare Eclipse’s GitHub account. GitHub belongs to Microsoft, so that’s within their power. The GitLab account followed shortly after.
The MSRC statement went further: Microsoft said it would pursue publishers of uncoordinated exploit disclosures, including through cooperation with law enforcement worldwide.
That’s a threat of prosecution.
The problem with threatening researchers
Legal action against a security researcher signals just one thing… stupidity.
A legal guide from the Harvard Law School Cyberlaw Clinic and the Electronic Frontier Foundation puts it plainly: organizations that threaten researchers with lawsuits see fewer responsible disclosures in the future. Researchers stop reporting. Or they report to someone else. Or they sell to someone you really don’t want to have the exploit.
Organizations with mature security programs generally don’t go the legal route. Because they understand what that costs them long-term.
MSRC was historically one of those mature programs. A serious institution, decades in the making. Which makes this response harder to explain.
What you should do right now
If you’re on Windows, a few things are worth checking.
The April 2026 Patch Tuesday update covers Bluehammer. If you haven’t installed it, do that now. Also make sure Windows Defender’s platform is current, not just the definitions.
For Yellow Key, there’s no full patch yet. Setting a BitLocker startup PIN and a BIOS/UEFI password limits the attack surface in the meantime.
For Red Sun and Undefend, there’s no complete fix. Apply updates as fast as possible when they arrive, and watch the next Patch Tuesday. That’s about it.
In enterprise environments, it’s worth checking whether any Fortigate VPN credentials were compromised. That was the confirmed entry point in the known attacks.
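The Windows-side checks above, as an added PowerShell example that is not part of the original post. It uses only stock cmdlets (Get-HotFix, Get-MpComputerStatus, Get-BitLockerVolume) in an elevated session; the KB identifier is a placeholder because the post gives no KB number, and the signature-age threshold and output format are assumptions. The Fortigate credential review is outside what a local script can do.

```powershell
# Added example (not from the original post). Run as Administrator on Windows 10/11.
# The KB identifier for the April 2026 Patch Tuesday update is NOT on the page;
# fill in the real one from the Microsoft advisory before use.
$AprilPatchTuesdayKB = 'KB-PLACEHOLDER'

# 1. Is the cumulative update that fixes Bluehammer installed?
$hotfix = Get-HotFix | Where-Object { $_.HotFixID -eq $AprilPatchTuesdayKB }
if ($hotfix) {
    Write-Output "OK    $AprilPatchTuesdayKB installed on $($hotfix.InstalledOn)"
} else {
    Write-Output "WARN  $AprilPatchTuesdayKB not found; run Windows Update"
}

# 2. Defender platform, engine and signature state.
#    Undefend is described as silently stalling the signature update pipeline,
#    so signature age is the number to watch, not just "protection enabled".
$mp = Get-MpComputerStatus
Write-Output ("Defender platform version : {0}" -f $mp.AMProductVersion)
Write-Output ("Defender engine version   : {0}" -f $mp.AMEngineVersion)
Write-Output ("Signature version         : {0}" -f $mp.AntivirusSignatureVersion)
Write-Output ("Signature last updated    : {0}" -f $mp.AntivirusSignatureLastUpdated)

$maxSignatureAgeDays = 2   # threshold is an assumption; tune to your environment
if ($mp.AntivirusSignatureAge -gt $maxSignatureAgeDays) {
    Write-Output "WARN  signatures are $($mp.AntivirusSignatureAge) days old; updates may be stalled"
} else {
    Write-Output "OK    signatures are $($mp.AntivirusSignatureAge) days old"
}
if (-not $mp.AMServiceEnabled -or -not $mp.RealTimeProtectionEnabled) {
    Write-Output "WARN  Defender service or real-time protection is off"
}

# 3. BitLocker: does the OS volume require a startup PIN (TPM+PIN protector)?
#    Get-BitLockerVolume needs the BitLocker module (Pro/Enterprise editions).
$os    = Get-BitLockerVolume -MountPoint $env:SystemDrive
$types = $os.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() }
if ($os.ProtectionStatus -eq 'On' -and $types -contains 'TpmPin') {
    Write-Output "OK    BitLocker on with TPM+PIN startup protector"
} else {
    Write-Output "WARN  BitLocker protection: $($os.ProtectionStatus); protectors: $($types -join ', ')"
}
```

Any WARN line is a prompt to act: install the update, force a definition update and check the platform update channel, or add a TPM+PIN protector. The BIOS/UEFI password the post also recommends has to be set in firmware setup and cannot be verified from this script.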
And mark July 14, 2026. Nightmare Eclipse has announced another disclosure that day, patched or not.
The Bottom Line
Publishing unpatched exploits harms real people. There’s no way around that, and Microsoft is right about that part.
But a company that responds to a researcher with account deletion and legal threats, rather than communication, isn’t making anyone safer. It also doesn’t fix any of the issues.
If MSRC’s process is broken, fixing it matters more than winning this particular fight. Because there will be a next researcher. And they’ll be watching how this one ended.
I personally stopped using Windows. This situation wasn’t the main reason. But I sure as hell am glad I did.