What Happened
A researcher known as Nightmare-Eclipse published proof-of-concept exploit code for six Windows vulnerabilities, including the BitLocker YellowKey bypass, the GreenPlasma CTFMON privilege escalation, and the MiniPlasma cldflt.sys zero-day targeting fully patched Windows 11 systems. All three remain unpatched as of June 4, 2026. Microsoft’s Security Response Center condemned the disclosures in a blog post, calling uncoordinated releases “never justifiable.” Microsoft’s Digital Crimes Unit then issued statements that the security community widely read as threats of criminal prosecution against the researcher.
The security research community responded immediately and forcefully. Researchers, vendors, and industry bodies pointed out that Microsoft’s framing — casting PoC publication as criminal activity — creates a chilling effect on legitimate vulnerability research. On June 2, 2026, Microsoft issued a follow-up statement asserting it has “no intention to pursue action against individuals conducting or publishing security research,” a significant retreat from its earlier position.
The underlying vulnerabilities remain unpatched. Microsoft had not assigned CVE identifiers to several of the flaws as of the researcher’s disclosure, meaning they received no coordinated remediation timeline from Microsoft before becoming public.
Why This Matters for Canadian Organizations
Canada has a growing and internationally respected security research community. Researchers at Canadian universities, security firms, and independent labs regularly discover and disclose vulnerabilities in widely deployed software. The threat — even if ultimately walked back — of criminal prosecution by a major software vendor for publishing research sets a precedent with direct implications for Canadian researchers.
Canadian researchers operate under both Canadian and potentially U.S. law when their disclosures involve U.S. companies and U.S.-hosted infrastructure. The Computer Fraud and Abuse Act in the United States has historically been used to threaten or prosecute security researchers, and Microsoft’s Digital Crimes Unit explicitly invoked its cross-border reach. This episode is a reminder for Canadian security professionals that responsible disclosure processes, documented research timelines, and legal counsel are not optional safeguards for high-stakes vulnerability work.
For Canadian organizations that depend on Windows, the practical takeaway is more immediate: three unpatched local privilege escalation and BitLocker bypass vulnerabilities with public exploits now exist for fully patched Windows 11 and Windows Server 2025. The legal dispute does not change the exposure.
What to Do
Monitor Microsoft’s security advisories and Patch Tuesday releases for formal patches addressing the Nightmare-Eclipse disclosures. In the interim, review your BitLocker deployment posture — TPM-only mode without a PIN is at heightened risk from the YellowKey bypass. Restrict physical access to sensitive systems where possible, as several of the outstanding exploits require local access. Canadian security teams engaged in vulnerability research should document their disclosure timelines carefully and consider seeking legal guidance before publishing PoC code for unpatched commercial software vulnerabilities.
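One way to carry out the BitLocker posture review described above, as an added example that does not come from Microsoft or the cited sources: the PowerShell below lists each BitLocker volume's key protectors and flags operating system volumes that unlock with the TPM alone. It assumes an elevated session on a Windows host with the BitLocker module available; `Get-TpmOnlyVolume` is a hypothetical helper name.

```powershell
#Requires -RunAsAdministrator
# Added example: report BitLocker volumes whose pre-boot unlock relies on the TPM alone.
# Get-TpmOnlyVolume is a hypothetical helper name, not a built-in cmdlet.

function Get-TpmOnlyVolume {
    param(
        # Volume objects as returned by Get-BitLockerVolume
        [Parameter(Mandatory, ValueFromPipeline)]
        $Volume
    )
    process {
        # Compare protector types as strings so only the bare 'Tpm' name is relied on.
        $types = @($Volume.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })

        $hasBareTpm = $types -contains 'Tpm'
        # A combined TPM protector (TPM plus PIN and/or startup key) has a type name
        # that starts with 'Tpm' and is longer than the bare name.
        $hasTpmPlus = [bool]($types | Where-Object { $_ -like 'Tpm?*' })

        [pscustomobject]@{
            ComputerName     = $env:COMPUTERNAME
            MountPoint       = $Volume.MountPoint
            VolumeType       = "$($Volume.VolumeType)"
            ProtectionStatus = "$($Volume.ProtectionStatus)"
            Protectors       = ($types -join ', ')
            TpmOnly          = ($hasBareTpm -and -not $hasTpmPlus)
        }
    }
}

# Build the report for every volume BitLocker knows about on this host.
$report = Get-BitLockerVolume | Get-TpmOnlyVolume
$report | Format-Table -AutoSize

# OS volumes with a TPM protector and no PIN or startup key are the configuration
# the guidance above singles out; volumes with ProtectionStatus 'Off' also need review.
$flagged = @($report | Where-Object { $_.VolumeType -eq 'OperatingSystem' -and $_.TpmOnly })
if ($flagged.Count -gt 0) {
    Write-Warning "$($flagged.Count) OS volume(s) unlock with TPM only (no PIN or startup key)."
}
```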
Source: SecurityWeek, Dark Reading, The Register






