Microsoft threatens cybersec researchers over leaked Windows exploit code

Microsoft’s legal threats against a security researcher put coordinated disclosure under strain as exploit code, Defender flaws, and active attacks collided.

Marcus Williams · 2 min read

Source: hyper.ai

Microsoft’s threats against a security researcher raised a sharper question than any single leaked exploit: whether the company is discouraging the very people who help make Windows safer before criminals find the same flaws first. The dispute centered on a researcher known as Nightmare Eclipse, also called Chaotic Eclipse, who posted exploit code for several Windows vulnerabilities after saying Microsoft had mistreated them and, they alleged, cut off access to their Microsoft Security Response Center account.

That matters because Microsoft’s own security framework is built around private reporting. The Microsoft Security Response Center says its Coordinated Vulnerability Disclosure program is designed to let researchers identify and report security flaws before they are made public, while Microsoft’s Digital Crimes Unit says it has operated since 2008 and uses civil legal actions, technical countermeasures, criminal referrals and public-private partnerships to fight cybercrime. In this case, that enforcement machinery became part of the controversy, with Microsoft warning that it would continue pursuing cases against threat actors and those it says enable criminal activity.

AI-generated illustration

Microsoft’s public response named four vulnerabilities in the dispute: BlueHammer, RedSun, UnDefend and YellowKey. TechCrunch reported that the flaws affected Windows Defender and BitLocker, and that Microsoft claimed some of them were later used by hackers in real-world attacks. The stakes rose further after CISA added CVE-2026-33825, a Microsoft Defender elevation-of-privilege vulnerability, to its Known Exploited Vulnerabilities Catalog on April 22, 2026. A KEV listing is a signal of confirmed in-the-wild exploitation, and under CISA’s Binding Operational Directive 22-01 it sets a remediation deadline for US federal civilian agencies; many other organizations treat it as a patch-priority trigger. Microsoft’s Security Update Guide lists the same issue with a current release date of April 30, 2026.

YellowKey drew particular attention because Yahoo News UK reported that Microsoft described it as a BitLocker bypass that could allow access to a Windows system drive. The same report said the issue carried a CVSS score of 6.8, was classified as moderate and required physical access to the device, a precondition that limits it to lost-or-stolen-device scenarios rather than remote attack. Microsoft said the disclosure violated coordinated vulnerability disclosure best practices, underscoring the company’s position that researchers should report flaws privately and allow time for a fix before public release.

The dispute had been building for months before the late-May escalation. TechCrunch reported that the researcher’s GitHub and GitLab accounts were banned after they publicized unpatched bugs in Microsoft products and posted exploit code. For Microsoft, the fight is about process and control. For security researchers, it is about whether disclosure channels remain open enough to surface weaknesses before attackers weaponize them. As the record of active exploitation shows, that tension reaches far beyond one account ban and one company.

This article was produced by Prism’s automated news system from verified source data, official records and press releases, then run through automated quality and moderation checks before publishing. The system is built and supervised by the people who set the standards it runs under.
