Researcher Releases Six Uncoordinated Windows Zero‑Day Vulnerabilities, Microsoft Labels Disclosures ‘Never Justifiable’
What Happened – A pseudonymous researcher, “Nightmare Eclipse,” published six Windows zero‑day flaws on GitHub between April and early July, providing full proof‑of‑concept code. Three of the flaws (BlueHammer, UnDefend, RedSun) have already been exploited in the wild and appear on CISA’s catalog of known exploited vulnerabilities. Microsoft publicly condemned the uncoordinated releases and warned its Digital Crimes Unit may pursue legal action against the researcher and any enablers.
Why It Matters for TPRM –
- Uncoordinated zero‑day disclosures give threat actors immediate, exploitable tools against a ubiquitous platform.
- Exploited flaws can cascade through supply‑chain relationships, impacting any third‑party that relies on Windows‑based services or products.
- Legal and reputational risk rises when vendors are forced to respond to public, unpatched exploits.
Who Is Affected – Enterprises across all sectors that run Microsoft Windows (technology SaaS providers, financial services, healthcare, government, education, etc.).
Recommended Actions –
- Review contracts for clauses requiring timely vulnerability disclosure and coordinated remediation.
- Verify that your organization’s patch management processes can ingest emergency patches within days of a vendor’s advisory.
- Assess exposure to the specific CVEs (see Microsoft Security Advisory) and prioritize remediation for any affected assets.
Technical Notes – The six vulnerabilities span privilege‑escalation and remote‑code‑execution vectors; three have public CVE identifiers and are listed in CISA’s KEV catalog. No patches exist for the three most recent flaws (YellowKey, GreenPlasma, MiniPlasma). Source: The Record