Microsoft Condemns “Uncoordinated” Zero Day Disclosures

https://www.infosecurity-magazine.com/news/microsoft-uncoordinated-zeroday/

Publish Date: 2026-05-28 08:00:00

Source Domain: www.infosecurity-magazine.com

In a new bulletin, Microsoft has criticized security researchers for publicly reporting vulnerabilities in the company’s products before patches were available and without prior notice.

These “uncoordinated disclosures put our customers at unnecessary risk,” the tech giant said.

Six Microsoft Zero Days Disclosed Before Patches

The statement, published on May 27, mentioned six vulnerabilities that “were not responsibly disclosed.” These are:

  • ‘Red Sun’ (CVE-2026-41091): a privilege escalation vulnerability in Microsoft Defender (CVSS: 7.8)
  • ‘BlueHammer’ (CVE-2026-45498): another privilege escalation vulnerability in Microsoft Defender (CVSS: 7.8)
  • ‘YellowKey’ (CVE-2026-45585): a security feature bypass vulnerability in Windows BitLocker (CVSS: 6.8)
  • ‘Undefend’ (CVE-2026-45498): a denial-of-service vulnerability in Microsoft Defender (CVSS: 4.0)
  • ‘GreenPlasma,’ a privilege escalation vulnerability in Windows BitLocker
  • ‘MiniPlasma,’ a privilege escalation vulnerability in the Windows Cloud Filter driver

Because of these uncoordinated disclosures, Microsoft security teams “have been working around the clock” to investigate these vulnerabilities, develop mitigation measures and work on security patches.

Meanwhile, the rogue disclosures “put proof-of-concept [exploit] code for unpatched vulnerabilities into the hands of bad actors,” which Microsoft said is “never justifiable.”

“We remain firmly opposed to these actions, and any disclosure outside proper coordination that could harm our customers and the digital ecosystem,” the company said.

Microsoft Urges Responsible Disclosures

The company encouraged security researchers to follow industry-standard coordinated vulnerability disclosure (CVD) procedures, where a vulnerability finder and the owner of the vulnerable products agree on an embargo period – typically 90 days – to allow the latter to develop patches before the vulnerability is…
