Microsoft Patches Some Vulnerabilities from Nightmare Eclipse, Others Left Unpatched


Microsoft has patched some of the vulnerabilities disclosed by an anonymous security researcher going by the pseudonym Nightmare Eclipse, who published yet another vulnerability the same day.

The drama started with a blog post back in March from Nightmare Eclipse ominously titled “I never wanted to do this…”

I never wanted to reopen a blog and a new github account to drop code...
But someone violated our agreement and left me homeless with nothing. They knew this would happen and they still stabbed me in the back anyway; this is their decision, not mine.

Over the next few months, Nightmare Eclipse posted proofs of concept for severe zero-day exploits in Windows publicly on GitHub. They have since been deleted but, as is often the case on the internet, archives exist.

Typically, researchers disclose a vulnerability first to the software owner, in this case Microsoft, and give it a reasonable timeframe to patch before disclosing publicly.

In this case, however, Nightmare Eclipse was retaliating for a supposed breach of an arrangement they had made with Microsoft.

Microsoft responded by saying the researcher had violated “coordinated vulnerability best practices,” and then revoked their MSRC account.

Tuesday’s Windows update fixed several of the vulnerabilities that Nightmare Eclipse had released, one of which is CVE-2026-45586, also known as GreenPlasma. GreenPlasma is a local privilege escalation vulnerability that could allow malware to gain full system access.

Microsoft also fixed MiniPlasma, a vulnerability that Microsoft had apparently been meant to patch years ago but that Windows remained vulnerable to years later, with the original proof-of-concept from Google Project Zero still working fine.

Overall, the patch fixed around 200 vulnerabilities. However, several of Nightmare Eclipse’s exploits remain unpatched, such as YellowKey, a severe BitLocker encryption bypass that lets an attacker with physical access to a machine essentially bypass the encryption entirely.

This one was so bad that the researcher described it as “one of the most insane discoveries I ever found.”

Other unpatched vulnerabilities from the researcher include RedSun, an exploit in Defender that lets attackers gain administrator privileges, and BlueHammer.

Alongside this Patch Tuesday, Nightmare Eclipse released yet another new zero-day, this time titled RoguePlanet, another Defender privilege escalation vulnerability.

It relies on a race condition, so it is “hit or miss,” but the researcher says it could be possible to engineer it to achieve a 100% success rate.

Microsoft is clearly struggling to keep up with the vulnerabilities. It is not clear how much longer this feud will go on, but if one person is able to release vulnerabilities this consistently, it may reveal a systemic flaw in how Windows security works.