Microsoft Zero-Day Feud: Six Windows Flaws Disclosed

Six Windows Zero-Days Dropped Without Warning; Three Are Now Actively Exploited

Three Windows zero-day vulnerabilities disclosed publicly without prior notice to Microsoft are now being actively exploited in the wild. The situation has triggered a sharp public response from Microsoft and a growing controversy over vulnerability disclosure ethics, GitHub account takedowns, and a researcher threatening further releases. For Canadian organizations running Windows environments, the exposure window is open right now.

The Vulnerabilities: Six Flaws, Three Under Active Attack

A researcher operating under the handle Chaotic Eclipse (also known as Nightmare-Eclipse) released details on six Windows vulnerabilities over the past month, none of which were shared with Microsoft before going public. Three of those six have since been picked up by threat actors and are being exploited in live attacks.

The full list of disclosed flaws spans two critical Windows components:

BlueHammer (CVE-2026-33825), RedSun (CVE-2026-41091), and UnDefend (CVE-2026-45498) all affect Microsoft Defender and have confirmed active exploitation. YellowKey (CVE-2026-45585) targets BitLocker, Microsoft’s full-disk encryption feature present on virtually every enterprise Windows deployment. GreenPlasma and MiniPlasma round out the six, with MiniPlasma enabling SYSTEM-level privilege escalation on fully patched Windows systems.

The combination of Defender bypass and BitLocker circumvention capabilities in this disclosure batch is particularly serious. Defender is the frontline endpoint protection on most Canadian SMB networks and many mid-market organizations. A working bypass opens the door to malware delivery without detection. A BitLocker bypass undermines the primary encryption protection many organizations cite for PIPEDA compliance when handling sensitive personal data.

Microsoft Pushes Back on Uncoordinated Disclosure

Microsoft’s security response team issued a formal statement condemning what it characterized as reckless, uncoordinated disclosure that placed customers in immediate danger. The company stated that its security teams were forced into around-the-clock response efforts to understand the scope of each vulnerability and develop protective measures, all while those flaws were already in the hands of potential attackers.

The company’s position is grounded in its longstanding support for Coordinated Vulnerability Disclosure (CVD), a framework under which researchers report findings privately to the vendor and agree on a disclosure timeline that gives the vendor time to patch before public release. Microsoft framed CVD not as a mechanism to suppress findings but as a shared responsibility model designed to prevent customers from being caught between a live exploit and an unavailable patch.

The company acknowledged it does not expect to agree with every researcher on every issue but reaffirmed its commitment to open dialogue through researcher events, security conferences, and formal vulnerability reporting channels.

The Researcher’s Side: A Breakdown in Communication

The researcher at the center of this controversy has a different account of how events unfolded. In a post published over the weekend, Chaotic Eclipse described a pattern in which requests for communication with Microsoft were met with silence, dismissal, and what the researcher characterized as public humiliation.

The researcher stated that the Microsoft account used to report vulnerabilities was deleted, cutting off the formal reporting channel. Bug reports submitted to Microsoft’s Vulnerability Research team went uncompensated, a point the researcher made with evident frustration. The researcher also took issue with the wording of Microsoft’s advisory for CVE-2026-45585, alleging that it misrepresented their involvement.

The GitHub account connected to the researcher was removed last week, with all exploit repositories taken offline. The researcher subsequently moved the code to GitLab, but that newly created account was also blocked. The researcher has announced plans to release additional material on July 14, 2026, warning that it will be significant.

Microsoft has not publicly commented on the account removal or the July 14 announcement.

Canadian Impact: Enterprise and Government Exposure

The scope of these vulnerabilities reaches deep into Canadian infrastructure. Windows remains the dominant operating system across Canadian federal and provincial government departments, financial institutions, healthcare networks, and SMBs. Any unpatched system running Microsoft Defender is potentially exposed to the three actively exploited flaws. Any organization relying on BitLocker as part of its data protection posture needs to assess YellowKey exposure urgently.

Under PIPEDA and the updated Consumer Privacy Protection Act (CPPA) framework, organizations are required to maintain appropriate safeguards for personal information. A successful Defender bypass that leads to malware execution and data access, or a BitLocker bypass that allows unauthorized access to encrypted drives, would constitute a security safeguard failure. If personal information is accessed or exfiltrated as a result, breach notification obligations are triggered.

The Canadian Centre for Cyber Security (CCCS) has consistently advised organizations to prioritize patching of actively exploited vulnerabilities and to treat endpoint protection bypass capabilities as critical severity regardless of formal CVSS scoring. The three actively exploited flaws in this disclosure batch meet that threshold directly.

Canadian IT administrators should also be aware that the existence of publicly available exploit code for GreenPlasma and MiniPlasma, even without confirmed active exploitation at the time of writing, means the window between disclosure and weaponization is extremely short. The CCCS guidance on patch prioritization applies in full.

The Broader Disclosure Debate

This incident brings a long-running tension in the security research community into sharp relief. Coordinated disclosure has broad support in principle, but it depends on vendors engaging with researchers in good faith, providing timely feedback, offering reasonable compensation where appropriate, and not retaliating against researchers who go public when private channels fail.

When those conditions break down, researchers are left with few options. Some argue that full public disclosure is the only leverage available to force a vendor’s hand. Others, including Microsoft, maintain that no matter how frustrating the process, releasing exploit code for unpatched vulnerabilities places real users and organizations at risk before they have any means of protecting themselves.

Both positions have merit. What is not debatable is that three Windows flaws are now being actively exploited, and every day an organization remains unpatched is a day threat actors have an operational advantage.
Key Takeaways

  • Six Windows zero-day vulnerabilities were disclosed publicly without prior notification to Microsoft by researcher Chaotic Eclipse; three (CVE-2026-33825, CVE-2026-41091, and CVE-2026-45498) are now confirmed under active exploitation.
  • The affected components include Microsoft Defender and BitLocker, two security controls that sit at the core of most Canadian enterprise and SMB security architectures.
  • Microsoft has formally condemned the disclosures as uncoordinated and harmful, stating its security teams were forced into emergency response mode without the standard lead time provided under Coordinated Vulnerability Disclosure (CVD).
  • The researcher claims Microsoft deleted their reporting account, ignored communications, and publicly mischaracterized their work, and has announced additional releases planned for July 14, 2026.
  • Canadian organizations relying on BitLocker for PIPEDA encryption compliance should assess exposure to CVE-2026-45585 (YellowKey) immediately, as a successful bypass directly undermines stated data protection safeguards.
  • Exploit code for all six vulnerabilities was available on GitHub before removal and subsequently on GitLab, meaning threat actors had direct access to weaponizable code.
  • The CCCS guidance on priority patching of actively exploited vulnerabilities applies in full; organizations should treat all three confirmed exploitation cases as critical regardless of their assigned CVSS score.

What You Should Do Now

  1. Patch Microsoft Defender immediately. Prioritize applying the security updates for CVE-2026-33825, CVE-2026-41091, and CVE-2026-45498. These three flaws are actively exploited and represent a direct risk of endpoint protection bypass.
  2. Assess BitLocker deployment and review CVE-2026-45585 (YellowKey) exposure. If your organization cites BitLocker encryption as a safeguard in your PIPEDA or CPPA data protection documentation, a successful bypass undermines that compliance posture. Review and apply Microsoft’s published mitigation for this flaw.
  3. Apply updates for GreenPlasma and MiniPlasma now, not on the next scheduled patch cycle. Exploit code for both was publicly available for a window of days. Even without confirmed active exploitation at the time of writing, the risk of imminent weaponization is high.
  4. Audit your Windows Update and endpoint patching coverage. These disclosures highlight how quickly public exploit code translates to active attacks. Identify any Windows endpoints not receiving timely updates, including remote workers, branch offices, and legacy systems.
  5. Review your vulnerability disclosure and threat intelligence monitoring posture. Your security team should be tracking CCCS alerts and Microsoft MSRC advisories in near-real-time. Detections for Defender bypass behaviors and BitLocker circumvention attempts should be active in your SIEM or EDR platform.
  6. If you have not applied MiniPlasma patches, treat any SYSTEM-level privilege escalation alerts as critical. MiniPlasma enables privilege escalation on systems that are otherwise fully patched but do not yet have this fix. Endpoint detection rules should be updated immediately to flag related behaviors.
  7. Prepare your breach response documentation. If any of the actively exploited Defender flaws resulted in malware execution on systems processing personal data, your organization’s PIPEDA breach assessment obligations have potentially already been triggered. Review incident response procedures now.
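Steps 1 through 4 above all reduce to the same question on each endpoint: is Defender current and running, is BitLocker actually protecting the fixed volumes, and are the advisory updates installed? The following PowerShell inventory script is an added example, not code from the article or from Microsoft. It only reads state and emits a JSON report that can be collected per host. The `$RequiredKBs` list is a placeholder: the article does not give the KB identifiers for these CVEs, so they must be taken from Microsoft's own advisories for CVE-2026-33825, CVE-2026-41091, CVE-2026-45498 and CVE-2026-45585 before the script is useful for step 1 and step 2. The signature-age threshold of two days is an assumed value.

```powershell
# Added example (not from the article): read-only inventory of the controls
# the article says to verify: Defender status, BitLocker protection, installed
# updates. Run in an elevated PowerShell session on the endpoint.
# $RequiredKBs is a PLACEHOLDER; replace it with the KB numbers from the
# Microsoft advisories for the CVEs named in the article.

$RequiredKBs = @('KB0000000')   # placeholder, substitute advisory KB IDs

$report = [ordered]@{}

# 1. OS build, so the result can be matched against the advisory's affected builds
$os = Get-CimInstance Win32_OperatingSystem
$report.OSVersion = $os.Version
$report.LastBoot  = $os.LastBootUpTime

# 2. Defender platform/engine/signature versions and whether protection is on
try {
    $mp = Get-MpComputerStatus -ErrorAction Stop
    $report.DefenderPlatform   = $mp.AMProductVersion
    $report.DefenderEngine     = $mp.AMEngineVersion
    $report.DefenderSignatures = $mp.AntivirusSignatureVersion
    $report.SignatureAgeDays   = $mp.AntivirusSignatureAge
    $report.DefenderRunning    = ($mp.AMServiceEnabled -and $mp.RealTimeProtectionEnabled)
} catch {
    $report.DefenderRunning = $false
    $report.DefenderError   = $_.Exception.Message
}

# 3. BitLocker: every fixed volume should be fully encrypted with protection On
$report.BitLockerVolumes = @()
try {
    foreach ($v in Get-BitLockerVolume -ErrorAction Stop) {
        $report.BitLockerVolumes += [pscustomobject]@{
            MountPoint       = $v.MountPoint
            VolumeStatus     = "$($v.VolumeStatus)"       # FullyEncrypted, FullyDecrypted, ...
            ProtectionStatus = "$($v.ProtectionStatus)"   # On / Off
            Method           = "$($v.EncryptionMethod)"
            KeyProtectors    = ($v.KeyProtector.KeyProtectorType -join ',')
        }
    }
} catch {
    $report.BitLockerError = $_.Exception.Message
}

# 4. Installed hotfixes compared against the required list
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
$report.MissingKBs = @($RequiredKBs | Where-Object { $_ -notin $installed })

# 5. Findings: anything listed here belongs in the patch / compliance tracker
$findings = @()
if (-not $report.DefenderRunning) {
    $findings += 'Defender real-time protection is not running'
}
if ($report.SignatureAgeDays -gt 2) {   # assumed threshold
    $findings += 'Defender signatures are older than 2 days'
}
foreach ($bv in $report.BitLockerVolumes) {
    if ($bv.ProtectionStatus -ne 'On' -or $bv.VolumeStatus -ne 'FullyEncrypted') {
        $findings += "BitLocker is not fully protecting $($bv.MountPoint)"
    }
}
if ($report.MissingKBs.Count -gt 0) {
    $findings += "Missing updates: $($report.MissingKBs -join ', ')"
}

$report.Findings = $findings
[pscustomobject]$report | ConvertTo-Json -Depth 4
```

The script deliberately reports rather than remediates, so it can be pushed through an RMM or Intune script policy to every endpoint named in step 4 (remote workers, branch offices, legacy systems) and the JSON aggregated centrally; a host whose `Findings` array is non-empty is the one to chase first. If `Get-BitLockerVolume` or `Get-MpComputerStatus` fails, the error text is kept in the report instead of aborting, because a host where those cmdlets are missing or disabled is itself a finding worth seeing.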
