Microsoft Zero-Day Exploits: Emergency Patches Issued After Nightmare-Eclipse Leaks

The global cybersecurity landscape has been thrown into disarray by a highly public, scorched-earth campaign that has forced emergency defensive responses across the globe. Rather than a quiet, state-sponsored cyber espionage operation, this massive disruption stems from a highly vocal personal grievance. A rogue security researcher, operating under the aliases Nightmare-Eclipse, Chaotic Eclipse, and Dead Eclipse, has unleashed a succession of devastating Microsoft zero-day exploits directly onto GitHub. Over a rapid six-week timeline, this threat actor has systematically dismantled core operating system security baselines by releasing six fully functional zero-day exploits. The campaign represents an alarming paradigm shift in offensive research: these exploits do not seek to bypass system controls, but rather to weaponize core Windows defensive systems—including Microsoft Defender, BitLocker, and the Windows Recovery Environment (WinRE)—against the operating system itself.
The motivation driving Nightmare-Eclipse is explicitly retaliatory. Having grown deeply frustrated with the bug-bounty and vulnerability-handling processes of the Microsoft Security Response Center (MSRC), the researcher opted to bypass coordinated vulnerability disclosures entirely. In doing so, Nightmare-Eclipse has established a “dead man’s switch” of pre-staged disclosures and publicly warned that subsequent waves may include remote code execution (RCE) flaws. This act of protest has created an immediate operational crisis for enterprise IT administrators. Threat intelligence firms, including Huntress and Cynet, have confirmed that active threat actors are integrating these public exploits into hands-on-keyboard intrusion campaigns within days, and sometimes hours, of their public drop.
The Weaponization of Defensive Systems: Analyzing the Microsoft Zero-Day Exploits
Among the six leaked exploits, Microsoft has rushed out security updates and emergency mitigations to address two newly designated zero-days affecting Microsoft Defender, alongside a highly critical flaw targeting BitLocker disk encryption. These vulnerabilities have been actively exploited by cybercriminals—frequently utilizing Russian-geolocated infrastructure—to execute privilege escalation and deactivate local defenses.
CVE-2026-41091: The “RedSun” Elevation of Privilege
Tracked as CVE-2026-41091, the “RedSun” exploit carries a CVSS score of 7.8 and targets the Microsoft Malware Protection Engine (version 1.1.26030.3008 and earlier). RedSun is a local privilege escalation (LPE) vulnerability rooted in improper link resolution before file access, commonly known as a “link-following” weakness. The Malware Protection Engine normally runs with the highest possible privileges so that it can scan and manage system files. By exploiting this flaw, an authorized local attacker with low privileges can plant symbolic links or NTFS junctions; when the engine resolves them, it accesses the targeted system files in its own elevated context. This lets the attacker hijack the execution flow, run arbitrary code, and elevate to NT AUTHORITY\SYSTEM, effectively seizing complete control of the compromised host.
CVE-2026-45498: The “UnDefend” Blind-Siding Exploit
Compounding the threat to endpoint defenses is CVE-2026-45498, codenamed “UnDefend”. Carrying a CVSS score of 4.0, this denial-of-service (DoS) flaw targets the Microsoft Defender Antimalware Platform (version 4.18.26030.3011 and earlier). A denial-of-service vulnerability in an antivirus agent might initially seem low-priority, but its operational impact is catastrophic: when executed, the UnDefend exploit degrades the platform and disables Defender’s ability to download malware definitions and signature updates. Forced into this degraded state, the endpoint is blind to newly compiled malware strains, which gives threat actors a quiet, unmonitored execution runway in which subsequent payloads run without triggering local heuristic or signature-based alerts.
CVE-2026-45585: The “YellowKey” BitLocker Security Bypass
Perhaps the most conceptually jarring disclosure of the campaign is the “YellowKey” exploit, now tracked as CVE-2026-45585 (CVSS 6.8). Disclosed by Nightmare-Eclipse on May 13, 2026, YellowKey allows any attacker with physical access to bypass BitLocker drive encryption on Windows 11 and Windows Server 2022/2025 systems. The mechanics of YellowKey rely on abusing the Windows Recovery Environment (WinRE) and a built-in behavior that many security researchers have compared to a backdoor.
To execute the attack, an adversary inserts a USB drive containing specially crafted File-System Transaction (FsTx) files into the target machine, reboots the system into WinRE, and holds down the CTRL key. During the boot process, WinRE automatically parses the System Volume Information\FsTx directory on the attached storage to replay NTFS transactional logs. The replayed transaction logs systematically delete winpeshl.ini, a critical configuration file that restricts the recovery environment’s user interface. Deprived of this configuration file, WinRE falls back to spawning an unrestricted, administrative command prompt (cmd.exe)
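A defender-side triage check for the three flaws described above, written in PowerShell as an added example (it is not code from the article, from Nightmare-Eclipse, or from Microsoft): it compares the local Defender engine and platform versions against the versions the article names, flags stale signatures (the symptom UnDefend produces), and reports WinRE and BitLocker state for the YellowKey exposure. It assumes the built-in Defender and BitLocker PowerShell modules are present and that it runs elevated, since reagentc requires administrator rights.

```powershell
# Thresholds are the versions the article names as affected; adjust if the vendor advisory differs.
$VulnEngine   = [version]'1.1.26030.3008'   # RedSun, CVE-2026-41091 (figure from the article)
$VulnPlatform = [version]'4.18.26030.3011'  # UnDefend, CVE-2026-45498 (figure from the article)

$mp = Get-MpComputerStatus
$findings = @()

# RedSun: engine version at or below the named vulnerable version.
if ([version]$mp.AMEngineVersion -le $VulnEngine) {
    $findings += "Engine $($mp.AMEngineVersion) is at or below $VulnEngine (RedSun range)"
}
# UnDefend: platform version at or below the named vulnerable version.
if ([version]$mp.AMProductVersion -le $VulnPlatform) {
    $findings += "Platform $($mp.AMProductVersion) is at or below $VulnPlatform (UnDefend range)"
}
# UnDefend blocks definition downloads, so signature age is an observable side effect worth alerting on.
if ($mp.AntivirusSignatureAge -gt 1) {
    $findings += "Signatures are $($mp.AntivirusSignatureAge) day(s) old; verify the update channel"
}

# YellowKey relies on booting into WinRE, so record whether WinRE is enabled on this host.
$reagent      = reagentc /info 2>&1
$winreEnabled = [bool]($reagent | Select-String 'Windows RE status:\s+Enabled')

# BitLocker state of the OS volume and the key protector types in use.
$osVol      = Get-BitLockerVolume -MountPoint $env:SystemDrive
$protectors = ($osVol.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ','

# One record per host; pipe to Export-Csv when collecting across a fleet.
[pscustomobject]@{
    Host                = $env:COMPUTERNAME
    EngineVersion       = $mp.AMEngineVersion
    PlatformVersion     = $mp.AMProductVersion
    SignatureAgeDays    = $mp.AntivirusSignatureAge
    WinREEnabled        = $winreEnabled
    BitLockerProtection = $osVol.ProtectionStatus
    KeyProtectors       = $protectors
    Findings            = ($findings -join '; ')
}
```

The version comparison treats the article's figures as the upper bound of the affected range; a host reporting newer versions still needs the vendor's own advisory checked before it is marked patched.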
Written by
TempMail Ninja
Digital privacy and online security expert. Passionate about creating tools that protect users' identity on the internet.