Skip to content
You can now search across every topic, entity and event.What's new
Cybersecurity: Threats and Defences
20MAY

A handle keeps dropping MS zero-days

3 min read
09:58UTC

A researcher operating as Nightmare Eclipse has published a run of uncoordinated Microsoft zero-day disclosures since March. Microsoft says a fix for the latest is in development.

TechnologyDeveloping
Key takeaway

One handle has published five uncoordinated Microsoft zero-day disclosures since March; several specifics remain contested.

A researcher operating as Nightmare Eclipse has, since March, published a run of Microsoft zero-day disclosures with no Microsoft fix in place at the time of release, a series now circulating as Chaotic Eclipse 1. Each was a zero-day, meaning the researcher published the flaw before Microsoft had a patch ready. According to SecurityWeek, which has carried the primary reporting, the disclosures follow a dispute over Microsoft's bug-bounty handling 2. The researcher claims five exploits in the series: BlueHammer, RedSun, YellowKey, GreenPlasma, and RoguePlanet 3. The verifiable part is the run itself, five uncoordinated disclosures attributed to one handle against one vendor since March, and Microsoft has publicly restated its opposition to uncoordinated disclosure 4.

Two accounts of the latest entry conflict. This beat reported RoguePlanet in June's Patch Tuesday coverage as an actively-exploited Defender flaw at CVSS 9.6 . The Nightmare Eclipse research describes RoguePlanet differently, as CVE-2026-50656, a TOCTOU (time-of-check-to-time-of-use) race in Windows Defender rated CVSS 7.8, which the researcher says is unpatched with no confirmed exploitation in the wild 5. A TOCTOU race exploits the gap between when a programme checks a resource and when it uses it. Microsoft says a fix is in development and has set no date 6.

Those two accounts cannot both be right, and Lowdown is not resolving the CVSS number or the patch status here. Where the figures conflict between this briefing's earlier reporting and a single research source, they are flagged as claims rather than settled facts, and readers should treat them that way until Microsoft confirms a CVE, a severity, or a patch.

Deep Analysis

In plain English

Windows Defender is the antivirus and security software built into every Windows PC and server. It runs continuously in the background with high system privileges. A flaw in it can give an attacker the highest level of control over the machine, which makes Windows Defender a frequent target for researchers and attackers alike. A researcher called Nightmare Eclipse claims to have found such a flaw, called CVE-2026-50656, and published details publicly without giving Microsoft a chance to fix it first. This follows four previous similar disclosures since March 2026, all apparently stemming from a dispute over how much Microsoft paid the researcher for finding vulnerabilities. Microsoft says it is working on a fix but has not said when it will be ready. Until the patch arrives, any Windows user worldwide is potentially at risk from this unpatched flaw. The details are disputed: Microsoft's own June Patch Tuesday described what appears to be the same Windows Defender flaw but rated it as more severe and said it was already being exploited. Nightmare Eclipse's account rates the flaw as less severe and says it is not being exploited. Both cannot be fully correct.

What could happen next?
  • Risk

    Windows Defender is present on virtually every Windows installation; an unpatched SYSTEM-privilege flaw with public details and no vendor fix available creates an exposure window for every Windows endpoint and server globally until Microsoft ships the patch.

  • Precedent

    The Chaotic Eclipse series of five consecutive uncoordinated disclosures establishes a documented model for using serial zero-day publication as a leverage mechanism against vendors following bug-bounty disputes; if the model is not disrupted, it will attract imitators.

First Reported In

Update #8 · CISA tears up the KEV deadline rulebook

SecurityWeek· 24 Jun 2026
Read original
Different Perspectives
UK managed service providers and data centre operators
UK managed service providers and data centre operators
Newly brought into critical-infrastructure scope by the Cyber Security and Resilience Bill's Lords second reading, facing fines up to £17m or 4% of global turnover and a new near-miss reporting duty they did not previously carry. The sector moves from best-practice guidance to statutory exposure within this Parliamentary session.
Threat-intelligence industry
Threat-intelligence industry
SOCRadar's confirmation that one operator sits on two ransomware crews' negotiation panels, following Bitdefender's affiliate-overlap flag six weeks earlier, gives the sector its second independent data point that brand-based tracking undercounts shared access. The firms doing this work are shifting language from named-group attribution toward access-broker mapping.
FSB Centre 16
FSB Centre 16
Named by NCSC as running an SNMP-hijacking campaign against communications, energy, healthcare, defence and financial-services operators, harvesting device data and reconfiguring routers through a decades-old plaintext-authentication protocol. The campaign runs in parallel to, not in place of, the GRU's separate DNS-hijacking operation named in April.
CISA
CISA
CISA's Known Exploited Vulnerabilities catalogue added seven CVEs between 5 and 14 July, none from a headline security vendor, capped by the 18-year-old Cisco IOS bug CVE-2008-4128. BOD 26-04's risk-tiered listing rules make that slowdown as much a policy artefact as a threat-intensity read.
Nidec
Nidec
Nidec faces a $2m demand from Blackfield after the crew breached a server at its supplier Chaun Choung Technology rather than Nidec's own network. The attack reached Nidec's data without touching its own perimeter at all, the same supply-chain route World Leaks used against Tata Electronics.
Tata Electronics
Tata Electronics
Tata Electronics restricted remote access to its purchase-order systems and hired a forensic consultant after World Leaks posted 630GB of its files, including purported Apple and Tesla design material, to a leak site. The exposed value sits on its customers' balance sheets, not its own, which is what makes it hard to price.