Microsoft Spent Six Weeks Trying to Criminalize the Researcher Who Found Its Defender Bugs. This Week's Record 208-CVE Patch Tuesday Quietly Fixed Them.
- Patrick Duggan
- 1 hour ago
- 5 min read
On Tuesday Microsoft shipped the largest Patch Tuesday in its history — two hundred and eight CVEs, beating the previous record of one hundred and seventy-seven — and buried in that pile are fixes for a family of Microsoft Defender and Windows vulnerabilities that the company spent the previous six weeks insisting were so dangerous to disclose that it banned the researcher who found them off GitHub and GitLab, revoked his vulnerability-reporting account, and referred him to its Digital Crimes Unit. The patch is the part that matters, because you do not ship an emergency out-of-band fix and then a record-breaking batch of follow-ups for bugs that were not real. The patch is Microsoft admitting, in the only language that counts, that the findings were correct. And it admitted it the same month it was trying to turn the finder into a criminal.
The Thread We Have Been Pulling Since April
We did not arrive at this on Tuesday. A researcher operating as Chaotic Eclipse — later also called Nightmare-Eclipse — began dropping Microsoft Defender zero-days in early April, and we started writing about the first one, BlueHammer, on April 17, when it was tracked as CVE-2026-33825: a race condition in Defender's malware-cleanup engine that escalates a low-privileged user to SYSTEM on fully patched Windows. By April 26 we had named the working set — BlueHammer, RedSun, UnDefend — as a single campaign against Defender itself. On May 20 we indexed an IOC in our corpus, defender-attack-surface-campaign-2026-05-20, naming the five-CVE family and the two that CISA promoted to the Known Exploited Vulnerabilities catalog that day. The broad trade press caught up about eight days later. That is roughly forty days of lead time, and we are not citing it for a victory lap; we are citing it because it means the bugs were known, named, and in some cases already exploited in the wild long before Microsoft's record patch run — which makes the "disclosure put customers at unnecessary risk" framing very hard to take at face value.
What Actually Got Fixed
The one bug under confirmed active exploitation in Tuesday's release is CVE-2026-41091 — RedSun, a Defender elevation-of-privilege flaw from the same researcher cluster — and Microsoft had already patched it out-of-band on May 19, with CISA adding it to the KEV catalog on May 20. Tuesday's batch rolled in the rest of the family: the Windows BitLocker security-feature bypasses tracked as CVE-2026-50507 and CVE-2026-45585, covering the bypasses the researcher published under the codenames GreenPlasma, YellowKey, Bitskrieg and MiniPlasma. UnDefend, the Defender denial-of-service piece, sits in the catalog as CVE-2026-45498. Read that list against the timeline and the shape is unmistakable: across an out-of-band emergency fix and the largest Patch Tuesday it has ever published, Microsoft patched essentially the entire set of vulnerabilities it had spent six weeks characterizing as reckless to talk about.
There is also a genuinely dangerous new bug in the same release that has nothing to do with the feud and everything to do with your weekend: CVE-2026-45657, a Windows Kernel remote code execution flaw rated CVSS 9.8, wormable, exploitable remotely without authentication, granting code execution at SYSTEM. It is publicly disclosed but not yet exploited, which is exactly the window that matters. If you patch one thing off this Patch Tuesday before you finish reading, patch that — it is the EternalBlue-shaped precondition, and the gap between disclosure and a working worm is the most expensive real estate in security.
The Witch Hunt
Here is the part that should bother every defender who has ever filed a bug report. Around May 23 GitHub removed Nightmare-Eclipse's account; GitLab followed on the 26th or 27th. Microsoft revoked his access to the Microsoft Security Response Center portal — the official channel through which researchers are supposed to report vulnerabilities — and then invoked its Digital Crimes Unit, the arm that handles criminal referrals and law-enforcement coordination, while publicly stating that the vulnerabilities "were not shared with Microsoft prior to release" and "put our customers at unnecessary risk." The cybersecurity community's response was open fury, and the trade press from TechCrunch to The Register covered Microsoft threatening a security researcher with criminal investigation. Strip away the codenames and the sequence is simple: a company shipped software with privilege-escalation holes in its own security product, a researcher found them, and the company's most forceful, best-resourced response was aimed not at the holes but at the person who pointed at them.
This is the double standard that sits underneath our whole operation, and it is worth saying plainly. The people who build defensive capability and find real flaws get account bans and crimes-unit referrals. The incentive that produces is catastrophic: it teaches every competent researcher that the safe move is to sell the bug quietly to someone who will never tell Microsoft, rather than disclose it and risk being made an example. A vendor that punishes disclosure does not get less disclosure. It gets less disclosure to itself, and the same findings priced into a gray market it cannot see.
The Part Where We Refuse to Cheerlead
We are not going to hand the researcher a halo, because the honest read cuts both ways and ninety-five percent honesty is the only kind worth printing. Nightmare-Eclipse did not just disclose — he published weaponized exploit code for unpatched flaws and has promised another drop on July 14 with language about making sure Microsoft's "bones are shattered." Dumping working SYSTEM-level exploits for unpatched bugs into the open does put real users at real risk in the interval before a patch exists, and a revenge-timed release calendar is not a responsible-disclosure model anybody should celebrate. Both things are true at once: Microsoft's handling of the disclosure was vindictive and is now visibly contradicted by its own patch notes, and the researcher's scorched-earth retaliation is the predictable, ugly output of a process that broke down on both ends. The failure is the relationship, not just one party in it.
The reason this matters beyond one feud is that the disclosure relationship between vendors and researchers is load-bearing infrastructure for everyone who runs the software, and it is corroding in public. When the official reporting portal becomes a thing that can be revoked as punishment, and the crimes unit becomes a tool aimed at finders rather than at attackers, the researchers who keep us safest learn to go quiet — and quiet is the one state in which a vulnerability is most valuable to the people who mean you harm. Microsoft patched the bugs this week. The thing it has not patched is the incentive structure that turned a bug report into a manhunt, and that is the one that will keep costing the rest of us long after CVE-2026-41091 is closed.
What a Defender Should Do
Patch the wormable kernel RCE, CVE-2026-45657, first and now, because the disclosure-to-worm window is open and that is the bug in this batch with the worst blast radius. Apply the full Defender and BitLocker set (RedSun; the GreenPlasma, YellowKey and Bitskrieg BitLocker bypasses; UnDefend), because privilege-escalation flaws in your security product are the rung attackers climb after they get a foothold, and Defender being the attack surface is no longer a hypothetical we are floating; it is a five-CVE pattern with two of the five already on KEV. Then verify rather than assume: Defender platform and engine updates arrive through a separate update channel from the monthly OS cumulative update, so a host that took Tuesday's cumulative update can still be running the vulnerable Defender build until the platform update lands. And take the meta-lesson into your own program: the researchers probing your environment are not your adversaries, and the day you treat a good-faith bug report like an attack is the day your best external eyes start looking somewhere else. Microsoft just spent six weeks demonstrating the wrong way to handle the people who find your flaws, and then quietly proved them right. Learn from the whole sequence, not just the patch.
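As an added example of the host-level check those priorities imply (this is our illustration, not code from the original post, from Microsoft, or from the researcher), the PowerShell below does three things on a Windows host: lists what Windows Update still wants to install, reports the Defender platform and engine versions separately from the OS patch level, and shows which hotfixes have actually been installed since the release date. It assumes the caller supplies the release date in `$PatchTuesday`, and it assumes, as a heuristic rather than a fact from Microsoft's release notes, that the kernel RCE fix rides in the monthly cumulative update with MSRC severity `Critical`; it maps no CVE to a KB number, because the page gives none. Run it elevated.

```powershell
# Added example: post-Patch-Tuesday host check. Not the original post's code.
param(
    # Assumption: caller passes the actual release date of the batch being verified.
    [datetime]$PatchTuesday = (Get-Date).Date
)

$ErrorActionPreference = 'Stop'

# 1. Pending updates, via the Windows Update Agent COM API. This queries whatever
#    update source the host is already configured for (WSUS, Intune, Microsoft Update).
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$result   = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")

$pending = foreach ($u in $result.Updates) {
    [pscustomobject]@{
        Title    = $u.Title
        KBs      = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
        Severity = $u.MsrcSeverity   # 'Critical', 'Important', ... or empty for non-security
        # Heuristic (assumption): the kernel RCE fix ships in the cumulative update and
        # a CVSS 9.8 unauthenticated RCE is rated Critical, so either marker is urgent.
        Urgent   = ($u.MsrcSeverity -eq 'Critical') -or ($u.Title -match 'Cumulative Update')
    }
}

Write-Host "== Pending updates ($(@($pending).Count)) =="
$pending |
    Sort-Object -Property @{ Expression = 'Urgent'; Descending = $true }, Title |
    Format-Table Urgent, Severity, KBs, Title -AutoSize

# 2. Defender state. Platform (AMProductVersion) and engine (AMEngineVersion) update
#    independently of the OS cumulative update, so check them on their own.
$mp = Get-MpComputerStatus
[pscustomobject]@{
    PlatformVersion  = $mp.AMProductVersion
    EngineVersion    = $mp.AMEngineVersion
    SignatureAgeDays = $mp.AntivirusSignatureAge
    RealTimeEnabled  = $mp.RealTimeProtectionEnabled
    TamperProtected  = $mp.IsTamperProtected
} | Format-List

# 3. What has actually landed on or after the release date.
Write-Host "== Hotfixes installed since $($PatchTuesday.ToShortDateString()) =="
Get-HotFix |
    Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $PatchTuesday } |
    Sort-Object InstalledOn |
    Format-Table HotFixID, Description, InstalledOn -AutoSize

# Non-zero exit when anything urgent is still pending, so the script can gate a fleet sweep.
if (@($pending | Where-Object Urgent).Count -gt 0) { exit 2 } else { exit 0 }
```

Compare the Defender platform and engine versions it prints against the versions Microsoft lists for the fixed builds; the script cannot do that comparison itself because the page does not supply those numbers, and hard-coding a guess would be worse than leaving the operator to check.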
