A researcher operating under the handle Nightmare Eclipse has published technical details for six Microsoft vulnerabilities, including elevation-of-privilege flaws in Microsoft Defender and a Secure Boot disk-encryption bypass, and shipped full proof-of-concept code for some of them. Microsoft has confirmed the disclosures were not coordinated, meaning defenders and attackers learned about working exploit paths at the same moment. Coming on top of a rough stretch for Microsoft's own security stack, this is the kind of uncoordinated drop that turns a quiet patch cycle into an emergency one.
- Six Microsoft vulnerabilities were disclosed publicly, spanning privilege escalation in Defender and a Secure Boot bypass that undermines disk encryption.
- Proof-of-concept code accompanied some of the flaws, sharply lowering the barrier to exploitation.
- Microsoft confirmed the release was not coordinated, so there was no pre-patch window for defenders.
- It lands amid back-to-back Defender problems and active campaigns that disable Defender, Sysmon, and WAF before dumping credentials with Mimikatz.
What was disclosed?
The set spans two categories that matter most to defenders. The elevation-of-privilege bugs in Microsoft Defender let an attacker who already has a foothold climb to higher privileges, and Defender being the target is especially awkward because it is the security tool meant to stop exactly that. The Secure Boot disk-encryption bypass is more foundational: Secure Boot is a hardware-rooted trust chain, and a working bypass weakens assumptions that full-disk encryption and boot integrity rely on. With proof-of-concept code attached to some flaws, the practical distance between reading the writeup and running the exploit shrinks dramatically.
RelatedA CVSS 10 UniFi flaw exposes 100,000 gateways to takeover
Why is uncoordinated disclosure such a big deal?
Responsible disclosure exists to give vendors a private window to ship a fix before the details, and any exploit code, become public. That window is what protects ordinary users. When a researcher skips it, defenders and attackers get the same information at the same time, and the only variable is who moves faster. Microsoft confirming the drop was uncoordinated is its way of saying there was no advance warning to build detections or push patches. For security teams, that means the clock started the moment the writeup went live.
Why now, and who is exposed?
The timing compounds an already bad run. Microsoft has weathered back-to-back Defender issues, including the BlueHammer ransomware angle and a RoguePlanet zero-day, and researchers have observed campaigns that systematically disable Defender, Sysmon, and web application firewalls before dumping credentials with Mimikatz. Separately, CISA recently added a SharePoint remote-code-execution flaw, CVE-2026-45659, to its Known Exploited Vulnerabilities catalog after Microsoft initially rated exploitation "less likely." The through-line is that endpoint defenses and boot integrity, the layers organizations assume are solid, are the ones under pressure. Anyone running Windows endpoints with Defender as their primary protection should treat this as an active-risk window.
- RecentBack-to-back Defender flaws BlueHammer and RoguePlanet raise scrutiny
- Early JulySharePoint RCE added to CISA KEV CVE-2026-45659, actively exploited
- This weekNightmare Eclipse publishes 6 flaws PoC included, uncoordinated
- NextEmergency patches and detections Expect out-of-band fixes
- Out-of-band patches. Whether Microsoft breaks its normal cadence to ship fixes for the Defender and Secure Boot issues.
- Exploitation in the wild. How quickly the published PoCs show up in real intrusions and commodity toolkits.
- Detection coverage. Vendor and community rules for the specific techniques, since defenders start with no lead time.
What should security teams do right now?
Treat this as an open exploitation window and act on the parts you control before patches arrive. Prioritize monitoring on the endpoints where Defender is the primary protection, and specifically hunt for the disable-security-tools pattern researchers have flagged, attempts to turn off Defender, Sysmon, or a web application firewall, which frequently precede credential theft with Mimikatz. Tighten privilege boundaries so that a low-level foothold cannot trivially chain into the elevation-of-privilege bugs, and review who has local admin they do not need. For the Secure Boot bypass, inventory which machines rely on it as a load-bearing control for disk encryption and boot integrity, and flag them for priority patching the moment fixes land. Keep an eye on CISA's Known Exploited Vulnerabilities catalog and vendor advisories, since the SharePoint case shows the official severity rating can lag reality. None of this is exotic, and that is the point: the teams that weather uncoordinated disclosures well are the ones whose detection and least-privilege discipline was already in place, not the ones scrambling to invent it after the writeup drops.
RelatedGitea Docker flaw CVE-2026-20896 hands over admin access
Our take
Uncoordinated disclosure is a genuine ethical gray zone. Researchers who go public without a patch argue it forces slow vendors to act and exposes downplayed risk, and there is truth in that given the "less likely" rating on an actively exploited SharePoint bug. But shipping proof-of-concept code with no fix available also arms every opportunist at once, and the people who pay are ordinary users, not Microsoft. The defensible response for security teams is boring and effective: tighten endpoint monitoring, watch for the disable-Defender-then-Mimikatz pattern, and be ready to deploy out-of-band patches the moment they land. Assume the exploit window is open now.
- OfficialCISA Known Exploited Vulnerabilities Catalog CISA
- ReportSharePoint RCE added to CISA KEV after active exploitation The Hacker News
- ReferenceNational Vulnerability Database NIST NVD
Original analysis by GenZTech. Reporting via The Hacker News.
