Microsoft shipped fixes Tuesday for a high-severity local privilege escalation vulnerability publicly detailed weeks earlier by an independent researcher. The patch arrived amid an increasingly bitter public dispute that has laid bare tensions in how the software giant handles vulnerability reports.
The researcher, known online as Nightmare Eclipse, first disclosed the flaw along with limited proof-of-concept code in May. Microsoft assigned it CVE-2026-45586 and labeled it GreenPlasma. The bug allows an attacker who already has low-privileged access to bypass protections and obtain full SYSTEM privileges on Windows machines. Such access often paves the way for installing persistent malware or conducting deeper system compromise.
But this single patch tells only part of a larger story. Over recent months Nightmare Eclipse has released details on multiple high-impact Windows flaws. Several became active zero-days. Microsoft has scrambled to analyze, mitigate and patch them after public release rather than through its standard coordinated process. And the exchanges between the two sides have grown heated. Accusations of bad faith, deleted accounts, withheld payments and reputational harm now fly openly.
The latest fixes came as part of Microsoft’s regular Patch Tuesday release. One addressed the GreenPlasma issue directly. A separate zero-day also attributed to the researcher appears to have received attention in the same batch. Security teams welcomed the updates. They also noted the uncomfortable precedent: when researchers lose patience with vendors, customers bear the interim risk.
Nightmare Eclipse maintains that Microsoft reneged on an earlier arrangement. The researcher provided reports expecting compensation and proper acknowledgment. Instead, the company allegedly deleted the associated Microsoft account used for submissions. No bounty arrived. Public statements from Redmond appeared to dismiss the findings or question their validity. “When I actively asked you to communicate with me, you refused, humiliated me and made sure to insult me in front of people,” the researcher wrote on a personal blog, according to reporting by The Register.
Microsoft pushed back. In a late May blog post the company stressed the value of coordinated vulnerability disclosure. It argued that public releases without prior notification expose customers to unnecessary danger. “In recent weeks several zero-day vulnerabilities have been publicly disclosed. The details of these vulnerabilities were not shared with Microsoft prior to release, and the disclosures put our customers at unnecessary risk,” the post stated. The company said its teams worked around the clock to develop protections. It stopped short of naming Nightmare Eclipse directly but left little doubt about the target. (Microsoft Security Response Center)
The response ignited further controversy. Security professionals accused Microsoft of threatening legal action against the researcher. Some interpreted language in the blog as preparation for law enforcement involvement. The backlash proved swift. Within days Microsoft walked back its stance. “To be clear about our approach to legal matters, we have no intention to pursue action against individuals conducting or publishing their security research,” the company posted on X. The statement came via its security response account rather than the official blog. The Record covered the reversal in detail.
This episode fits a pattern. Nightmare Eclipse, also posting as Chaotic Eclipse or Dead Eclipse, has dropped at least six Windows-related vulnerabilities since early April. Names such as BlueHammer, RedSun, UnDefend, YellowKey, GreenPlasma and MiniPlasma now circulate in security circles. Some enabled defense evasion or targeted components like Microsoft Defender and BitLocker. YellowKey carried a warning of higher exploitation likelihood because a working proof-of-concept existed. Microsoft has patched some. Others remain open or only partially addressed.
The researcher has signaled plans for more releases. One promised disclosure involves a Secure Boot bypass that could defeat BitLocker encryption entirely. Another threat mentioned a major drop scheduled for mid-July. Such warnings keep pressure on Microsoft. They also raise questions about the researcher’s motivations. Revenge appears to play a role. Yet the technical quality of the findings has drawn respect from parts of the community even as the tactics spark debate.
Independent observers point to systemic problems. Vendor bounty programs sometimes undervalue certain classes of bugs. Communication breakdowns occur too easily. Researchers who feel ignored or insulted may choose public disclosure as leverage. “CVD is a two-way street. The vendor has some responsibility as well,” one commenter noted on Hacker News threads discussing the feud. When trust collapses, everyone loses time that could have gone toward quieter fixes.
Microsoft’s June patches demonstrate the company can move quickly once flaws reach public view. The updates also highlight the cost. Enterprises must deploy them rapidly across millions of systems. Threat actors gain a window between researcher publication and patch availability. Some flaws had already seen exploitation reports before fixes landed.
Security teams now watch this rivalry with a mix of fascination and concern. Will the researcher continue the campaign? Has Microsoft repaired enough bridges to slow the releases? One thing looks clear. The incident exposes limits in the current disclosure system. Researchers hold powerful cards when they discover deep Windows flaws. Vendors that alienate them invite chaos.
And the patches keep coming. But the underlying friction remains. Nightmare Eclipse has claimed other companies could get dragged in. That prospect adds another layer of unease for the industry. For now, defenders focus on applying Tuesday’s fixes. They also study the public proof-of-concepts to understand detection opportunities. The rivalry has produced useful technical data even if the method of delivery leaves scars.
Future interactions between large software makers and independent hunters will likely feel the impact. Greater transparency in bounty decisions, faster initial responses and clearer escalation paths could reduce such public battles. Until then, episodes like this one serve as expensive reminders. Zero-days don’t wait for perfect processes. Neither do the people who find them.
WebProNews is an iEntry Publication