A solo researcher dropped 8 zero-days against Microsoft in 10 weeks, most of them timed to land around Patch Tuesday. The campaign, dubbed Nightmare Eclipse, exposed structural flaws in the Windows security ecosystem that go beyond any individual patch. We tracked each disclosure, and the lesson is clear: applying patches is not the same as having defensive coverage.
The 8 zero-days — what each one does
The campaign covers a broad attack surface: privilege escalation, disk encryption bypass, antivirus degradation, and re-exploitation of an old flaw. The details below are as the researcher published them, with patch status as of the June Patch Tuesday:
- BlueHammer (April 3): LPE to SYSTEM via Defender Engine. CVE-2026-33825. Patched in the April Patch Tuesday.
- RedSun (April 16): LPE to SYSTEM via Defender Engine. CVE-2026-41091. Patched in the June Patch Tuesday.
- UnDefend (April 16): Defender degradation + signature update blocking. CVE-2026-45498. Patched in June.
- YellowKey (May 13): BitLocker bypass via WinRE. CVE-2026-50507. Patched in June.
- GreenPlasma (May 13): LPE to SYSTEM via CTFMON. CVE-2026-45586. Patched in June.
- MiniPlasma (May 13-14): Re-exploitation of CVE-2020-17103 (cldflt.sys), originally reported by Google Project Zero. The researcher reports that the 2020 fix was never applied correctly. Patched in June.
- RoguePlanet (June 10): TOCTOU in the Defender scan/quarantine pipeline → SYSTEM on fully patched Windows 11, including KB5094126 from the June Patch Tuesday. Race condition with variable reliability — 100% on some machines, inconsistent on others. Does not work on Windows Server. No CVE. No patch.
- GreatXML (June 11): BitLocker bypass via Defender offline scan artifacts on the recovery partition. Requires prior administrative access, so this is post-compromise persistence, not initial access. No CVE. No patch. Will Dormann, a respected vulnerability analyst, reported that he could not reproduce the bypass as described, and the researcher has asked for help finding an alternative trigger. Its practical reliability is therefore in question.
Active exploitation — when the zero-day stops being theoretical
Four of these vulnerabilities have already been observed in real intrusions. According to Huntress Labs, BlueHammer, RedSun, and UnDefend were used in documented attacks on April 17, before many administrators even knew the PoCs existed. CISA added BlueHammer to the Known Exploited Vulnerabilities (KEV) catalog on April 22. According to Kaspersky, MiniPlasma had been in active exploitation since April 10, more than a month before the researcher published it.
The timeline is the point. The researcher published BlueHammer on April 3. Huntress documented exploitation on April 17. CISA added it to KEV on April 22. From disclosure to the federal catalog: 19 days. For organizations on a monthly patching cycle, that is an eternity.
RoguePlanet — the zero-day that works on patched Windows 11
RoguePlanet is the most relevant for anyone defending Windows workstations today. Microsoft silently hardened Defender in mid-May, changing the mpengine!SysIO* file APIs to block junction-based attacks. The researcher rewrote the exploit in roughly three weeks to get around that hardening. The Defender signature Microsoft shipped in response (Exploit:Win32/DfndrRugPlnt.BB) matches the compiled proof-of-concept binary, not the underlying technique.
This means the technique remains viable even with the signature active. An attacker who recompiles the exploit or otherwise modifies the binary will evade that signature. The race condition in the scan/quarantine pipeline is a vulnerability class, not an isolated bug, and vulnerability classes are not resolved with signatures.
According to Picus Security, the central insight is: "Patch parity is not coverage parity." Applying patches does not equate to having defensive coverage against the underlying technique class. Microsoft closed one junction attack door in May; RoguePlanet opened another. The June Patch Tuesday fixed GreenPlasma and YellowKey; it left the RoguePlanet path open.
The tension between security research and corporate accountability
According to reports from the security community, Microsoft threatened criminal action against the researcher on May 28. After significant pushback from the security community, Microsoft backtracked and stated publicly that it has no intention of prosecuting individuals who publish security research. The researcher, however, claims Microsoft did file legal action. According to the same reports, GitHub and GitLab removed the repositories under pressure, and the researcher migrated to self-hosted git.
This episode reveals a structural tension: when the security vendor is also the target, the dynamic between disclosure and accountability shifts. The security community needs independent research to identify flaws the vendor missed — or deprioritized. Criminalizing that research does not eliminate vulnerabilities; it just keeps them invisible.
What to do now
At Tech86, our position is straightforward: layered security is not optional when Defender itself is the attack vector. A second EDR with its own sensor and telemetry does not share the engine under attack. When Defender is blind, whether from a crash via UnDefend, escalation via RedSun, or the race condition in RoguePlanet, the independent EDR keeps detecting.
Verify that the Defender Engine is at 1.1.26040.8 or later and the Platform at 4.18.26040.7 or later, the versions Microsoft cites for the June fixes. In the Microsoft-Windows-Windows Defender/Operational log, alert on Event ID 2001 (security intelligence update failed) and 2003 (engine update failed); a run of these is what UnDefend-style update blocking looks like. Security Event ID 4672 (special privileges assigned to new logon) is worth collecting, but it fires on every privileged logon, including SYSTEM's own service logons, so correlate it with the parent process and account rather than alerting on it alone. Audit BitLocker policies and WinRE partition protection. And never assume a fully patched endpoint is secure: RoguePlanet showed that patched is not the same as protected.
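The checks above, gathered into one read-only posture script. This is an added example written for this article, not code from the researcher, Huntress, or Microsoft. The minimum versions are the ones quoted in the text; the tamper events (5001, 5010, 5012), the signature-age check and the BitLocker/WinRE checks are our additions, using only standard Defender, BitLocker and reagentc interfaces. Run it in an elevated Windows PowerShell 5.1 or PowerShell 7 session on the endpoint.

```powershell
# Added example (Tech86), not from the researcher or Microsoft. Read-only posture
# check for the items in "What to do now". Requires an elevated session.
#Requires -RunAsAdministrator

# Minimum versions quoted in the article (assumed to be the June fix baseline).
$MinEngine   = [version]'1.1.26040.8'
$MinPlatform = [version]'4.18.26040.7'
$DefenderLog = 'Microsoft-Windows-Windows Defender/Operational'

function Test-DefenderVersions {
    # Get-MpComputerStatus reports engine (AMEngineVersion) and platform (AMProductVersion).
    $s = Get-MpComputerStatus
    $sigAge = New-TimeSpan -Start $s.AntivirusSignatureLastUpdated -End (Get-Date)
    [pscustomobject]@{
        EngineVersion      = $s.AMEngineVersion
        EngineCurrent      = ([version]$s.AMEngineVersion   -ge $MinEngine)
        PlatformVersion    = $s.AMProductVersion
        PlatformCurrent    = ([version]$s.AMProductVersion  -ge $MinPlatform)
        RealTimeProtection = $s.RealTimeProtectionEnabled
        SignatureAgeDays   = [int]$sigAge.TotalDays   # stale signatures are a UnDefend symptom
    }
}

function Get-DefenderUpdateFailures {
    param([int]$Days = 7)
    # 2001 = security intelligence update failed, 2003 = engine update failed.
    # A single failure is noise; a run of them is what update blocking looks like.
    Get-WinEvent -FilterHashtable @{
        LogName   = $DefenderLog
        Id        = 2001, 2003
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{n='Summary'; e={ ($_.Message -split "`n")[0] }}
}

function Get-DefenderTamperEvents {
    param([int]$Days = 7)
    # 5001 = real-time protection disabled, 5010 = AV scanning disabled,
    # 5012 = antispyware disabled. Any of these on a managed endpoint needs a reason.
    Get-WinEvent -FilterHashtable @{
        LogName   = $DefenderLog
        Id        = 5001, 5010, 5012
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id
}

function Test-BitLockerPosture {
    # YellowKey and GreatXML both go through the recovery environment, so report
    # OS-volume protector state next to WinRE enablement and location.
    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $reagent = (& reagentc.exe /info 2>$null) -join ' '
    $winreEnabled  = $reagent -match 'Windows RE status:\s+Enabled'
    $winreLocation = $null
    if ($reagent -match 'Windows RE location:\s+(\S+)') { $winreLocation = $Matches[1] }
    [pscustomobject]@{
        OsVolumeProtection = $os.ProtectionStatus            # expect On
        Protectors         = ($os.KeyProtector.KeyProtectorType -join ',')
        WinREEnabled       = $winreEnabled
        WinRELocation      = $winreLocation
    }
}

# Usage: collect everything and print a compact report.
$versions = Test-DefenderVersions
$failures = @(Get-DefenderUpdateFailures)
$tamper   = @(Get-DefenderTamperEvents)
$bitlocker = Test-BitLockerPosture

$versions  | Format-List
"Defender update failures, last 7 days: $($failures.Count)"
$failures  | Format-Table -AutoSize
"Defender tamper events, last 7 days:   $($tamper.Count)"
$tamper    | Format-Table -AutoSize
$bitlocker | Format-List

if (-not ($versions.EngineCurrent -and $versions.PlatformCurrent)) {
    Write-Warning 'Defender engine or platform is below the June baseline.'
}
```

Note what the script does not tell you: a green result here means the endpoint has patch parity with the June fixes, not coverage against RoguePlanet, which has no patch. Feed the update-failure and tamper counts into whatever your second EDR or SIEM already collects, so that a Defender outage is observed by something that does not depend on Defender.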
