Briefing

Microsoft Zero-Day Saga: Six Windows Vulnerabilities, Three Exploited, July 14 Threat

security
by Cider9986 · CVE-2026-45585

Patch all Windows systems against the six zero‑days, prioritising the three actively exploited ones (BlueHammer, RedSun, UnDefend) and YellowKey (CVE‑2026‑45585), and audit your vulnerability management to ensure coordinated disclosure.

What to do now

Patch all Windows systems against the six zero‑days, prioritise the three actively exploited ones and YellowKey, and review your vulnerability management process to enforce coordinated disclosure.

Summary

Microsoft disclosed six Windows zero‑day vulnerabilities—RedSun, UnDefend, BlueHammer, YellowKey, GreenPlasma, and MiniPlasma—on 28 May 2026. Three of those, BlueHammer, RedSun and UnDefend, are already being actively exploited, while YellowKey (CVE‑2026‑45585) has a working proof‑of‑concept and is deemed likely to be exploited. The researcher, Nightmare Eclipse, released the exploits on a now‑banned GitHub account and threatened a “bone shattering” attack on 14 July. Microsoft responded with a blog on uncoordinated disclosure, threatened legal action via its Digital Crimes Unit, and announced that the researcher’s MSRC account was deleted.

Microsoft’s Patch Tuesday includes fixes for some of the zero‑days but leaves GreenPlasma and MiniPlasma unfixed, and the company has criticised the bug‑bounty program for not compensating the researcher. Industry experts warn that the gap between disclosure and weaponisation is shrinking to hours, urging organisations to tighten their vulnerability management. The incident highlights the need for clear, coordinated disclosure processes and rapid patching to protect enterprise Windows environments.

Key changes

  • Six zero‑day vulnerabilities released: RedSun, UnDefend, BlueHammer, YellowKey, GreenPlasma, MiniPlasma
  • BlueHammer, RedSun, UnDefend are actively exploited
  • YellowKey (CVE‑2026‑45585) has a working proof‑of‑concept and is likely to be exploited
  • Microsoft’s blog on uncoordinated disclosure states none of the bugs were reported via official channels before publication
  • Microsoft threatened legal action through its Digital Crimes Unit and deleted the researcher’s MSRC account
  • Microsoft’s Patch Tuesday includes fixes for some zero‑days but leaves GreenPlasma and MiniPlasma unfixed
  • The bug‑bounty program was criticised for not compensating the researcher
  • Industry experts warn that the disclosure‑to‑weaponisation window has shrunk to hours

Affects

internal enterprise
