Microsoft released fixes on June 9, 2026, for two high-severity zero-day vulnerabilities publicly disclosed by a security researcher known as Nightmare Eclipse. This patch rollout occurred amidst an ongoing and heated rivalry between the researcher and the software giant. In recent months, Nightmare Eclipse has made several critical vulnerabilities public, frequently with proof-of-concept code, which effectively turned them into zero-days open to immediate exploitation in the wild. The researcher asserts that these disclosures were a direct consequence of Microsoft allegedly reneging on a prior arrangement regarding other vulnerabilities they had discussed [1]. This strategy by Nightmare Eclipse forces Microsoft into a more rapid patching cycle, but also exposes customers to immediate risk as details become public. The controversial tactic of sharing exploit details highlights the friction and trust breakdown in this particular researcher-vendor relationship. For cybersecurity practitioners, this zero-day activity targeting Microsoft signals that patching windows are already closing, demanding immediate assessment of exposure.