Microsoft criticizes leaked zero-day exploits as attacks hit Windows tools

A leaked Windows zero-day dispute turned into real-world attacks, raising a sharper fight over when disclosure protects users and when it puts them at risk.

Marcus Williams · 2 min read

Microsoft moved to cast a public leak of Windows exploit code as a threat to customers, not a victory for transparency, after a researcher known as Nightmare Eclipse posted proof-of-concept code tied to unpatched flaws in Windows Defender and BitLocker. In a May 27 blog post from its Security Response Center in Redmond, Washington, Microsoft said recent zero-days had been disclosed publicly without first being shared with the company, leaving customers exposed instead of protected.

The dispute centered on a string of vulnerabilities with names that read like a dossier of escalating alarms: BlueHammer, RedSun, UnDefend, YellowKey, GreenPlasma and MiniPlasma. Microsoft said some of the bugs had already been used by hackers in real-world attacks, and at least some were also flagged as exploited by CISA. One April 17 report said Huntress saw attackers abusing exploit code that had been published online, even though Microsoft had already patched BlueHammer by that point.

Nightmare Eclipse’s releases sharpened a familiar divide in cybersecurity. Microsoft argued the researcher did not follow coordinated vulnerability disclosure practices, while security researchers and observers warned that slow vendor response can leave public disclosure as the only pressure point that forces action. The dispute also widened beyond code. The researcher’s GitHub and GitLab accounts were reportedly banned after the leaks, intensifying concerns that the case could chill independent vulnerability research.

Microsoft responded with a more aggressive warning. In a May 29 report, the company said its Digital Crimes Unit would continue bringing cases against actors and those who enable criminal activity, while coordinating with law enforcement as needed. The unit says it has operated since 2008 and uses civil legal actions, technical countermeasures, criminal referrals and public-private partnerships to disrupt cybercrime.

One of the most visible examples in the dispute was YellowKey, described as a BitLocker bypass affecting Windows 11 and Server 2022 and 2025. Microsoft later shared mitigations for that flaw. BleepingComputer and XDA Developers also linked the episode to a broader pattern of public proof-of-concept releases arriving before all systems were patched.

The clash now stands as a live test of cyber norms. Microsoft is arguing that publication without warning can endanger users when zero-days are active. The security community is countering that transparency can force faster fixes when vendors move too slowly. With attackers already using some of the code, the stakes extend beyond corporate reputation to the basic question of how public safety is best protected when an exploit is already in the wild.

This article was produced by Prism’s automated news system from verified source data, official records, and press releases, then run through automated quality and moderation checks before publishing. The system is built and supervised by the people who set the standards it runs under.