Tag: zero day (3 articles)

Microsoft Threatened a Security Researcher With Criminal Charges. It Did Not Go Well.

An anonymous security researcher known as "Nightmare-Eclipse" published six zero-day exploits for unpatched Windows vulnerabilities after claiming Microsoft failed to address the reported bugs, prompting Microsoft's Security Response Center to condemn the actions and hint at potential criminal prosecution. This sparked widespread backlash from the cybersecurity community, with prominent researchers arguing that threatening legal action against security researchers discourages responsible disclosure and pushes researchers toward selling vulnerabilities to malicious actors instead. Microsoft subsequently walked back its position, clarifying it had no intention of pursuing action against researchers conducting legitimate security research.

3 Jun 2026

KnowledgeDeliver Zero-Day Let Attackers Walk In With Keys They Already Had

Threat actors exploited a zero-day vulnerability (CVE-2026-5426) in KnowledgeDeliver, a widely used LMS, by leveraging hardcoded machineKey values in its ASP.NET configuration to mount ViewState deserialization attacks and deploy Godzilla web shells. The attackers used the web shells to modify system permissions, inject malicious scripts, and ultimately install a targeted Cobalt Strike backdoor, as reported by Mandiant. All KnowledgeDeliver deployments prior to February 24, 2026 are potentially at risk, and organisations are advised to rotate machine keys, restrict LMS access, and monitor for signs of intrusion.

26 May 2026

One Researcher Is Making Microsoft's Life Very Difficult, Six Weeks Running

A security researcher known as "Nightmare Eclipse" has disclosed six Windows vulnerabilities over six weeks, including three new ones — YellowKey, GreenPlasma, and MiniPlasma — revealed shortly after Microsoft's May 2026 Patch Tuesday. These flaws target core Windows security components, enabling attacks such as BitLocker bypass, privilege escalation to SYSTEM, and exploitation of a vulnerability Microsoft believed it had patched in 2020. Microsoft has only officially patched one of the six flaws so far, and experts warn that the researcher's deliberate timing — releasing disclosures immediately after Patch Tuesday — maximises the window of exposure before the next patch cycle.

20 May 2026