Microsoft Slams Public Zero-Day Disclosures Amid GitHub Researcher Account Removal
What’s new
Microsoft has criticized researcher Chaotic Eclipse's public disclosure of multiple zero-day vulnerabilities affecting Windows components, including Defender and BitLocker. The company emphasizes the importance of Coordinated Vulnerability Disclosure (CVD) to mitigate risks to customers. The disclosed vulnerabilities include BlueHammer (CVE-2026-33825), RedSun (CVE-2026-41091), UnDefend (CVE-2026-45498), YellowKey (CVE-2026-45585), GreenPlasma, and MiniPlasma. Following these disclosures, some of the vulnerabilities are reportedly under active exploitation.
Who’s affected
Organizations using Microsoft Windows components, particularly those relying on Defender and BitLocker, are at risk due to the disclosed vulnerabilities. The uncoordinated nature of the disclosures has raised concerns about the potential for exploitation by malicious actors.
What to do
- Monitor for updates from Microsoft regarding patches for the disclosed vulnerabilities.
- Implement security measures to mitigate the risks from the disclosed vulnerabilities, especially on the affected Windows components.
- Encourage a culture of coordinated vulnerability disclosure within your organization and with external researchers.



