Microsoft Patches Actively Exploited Defender Zero-Days After 'Nightmare-Eclipse' Dumps Windows Exploits; Researcher Accounts Wiped
On May 20, 2026, Microsoft released patches for two actively exploited Microsoft Defender zero-days: CVE-2026-41091 ('RedSun'), a privilege-escalation flaw in the Malware Protection Engine (1.1.26030.3008 and earlier) ab.
VERDICT — CONFIRMED

On May 20, 2026, Microsoft released patches for two actively exploited Microsoft Defender zero-days: CVE-2026-41091 ('RedSun'), a privilege-escalation flaw in the Malware Protection Engine (1.1.26030.3008 and earlier) abusing improper link resolution to obtain SYSTEM-level access, and CVE-2026-45498 ('UnDefend'), a denial-of-service issue in the Antimalware Platform (4.18.26030.3011 and earlier) that lets standard users block Defender definition updates or crash the service. Fixes shipped as Malware Protection Engine 1.1.26040.8 and Antimalware Platform 4.18.26040.7. CISA added both to its KEV catalog on May 20, 2026, ordering federal agencies to patch by June 3 under BOD 22-01.
The flaws were among a series publicly disclosed by an independent researcher using the alias 'Nightmare-Eclipse' (also rendered 'Chaotic Eclipse'), who released proof-of-concept exploits for six Windows zero-days—BlueHammer (CVE-2026-33825), RedSun, UnDefend, YellowKey (CVE-2026-45585), GreenPlasma and MiniPlasma—citing Microsoft's prior mishandling of reports. GitHub removed the researcher's account, and a subsequent GitLab account was also blocked. On May 28, Microsoft issued a statement condemning uncoordinated disclosure, arguing that posting PoC code for unpatched flaws 'can have real-world consequences,' and reaffirming Coordinated Vulnerability Disclosure.
Rescana reported that Huntress confirmed real-world intrusions on May 29 leveraging these flaws, with initial access via compromised FortiGate VPN credentials and deployment of a Go-based tunneling tool ('BeigeBurrow'). Security researchers broadly criticized Microsoft's account takedowns and reported legal threats, warning they could deter vulnerability research.
