What are CVE-2026-45586 and CVE-2020-17103?

They are two high-severity zero-days disclosed by Nightmare Eclipse, a researcher who has been in dispute with Microsoft.

Why did Nightmare Eclipse disclose the vulnerabilities publicly?

Nightmare Eclipse claimed that they had to do so due to Microsoft's alleged mistreatment during a vulnerability disclosure program.

What action has Microsoft taken regarding these vulnerabilities?

Microsoft has released patches for the two zero-days.

By Nico D · Published June 9, 2026

Microsoft Releases Patches for Nightmare Eclipse's Zero-Days

Microsoft responds to public disclosure of high-severity Windows zero-days by researcher Nightmare Eclipse, claiming mistreatment.

Microsoft has released patches for two high-severity zero-days disclosed by a researcher who has been locked in a testy beef with the software giant. The vulnerabilities, tracked as CVE-2026-45586 and CVE-2020-17103, were part of a series of six Windows zero-days publicly disclosed by Nightmare Eclipse, a pseudonym used by the researcher.

What Happened

The saga between Microsoft and Nightmare Eclipse began when the researcher released proof-of-concept code for several high-severity vulnerabilities in recent months. The disclosures included RedSun, UnDefend, BlueHammer, YellowKey, GreenPlasma, and MiniPlasma. According to sources, Nightmare Eclipse had been working with Microsoft on a vulnerability disclosure program but claimed that the company reneged on an agreement regarding the vulnerabilities they had discussed.

Microsoft responded by criticizing Nightmare Eclipse for publicly disclosing the bugs without attempting to report them first. The company argued that this could have aided malicious hackers and put its customers at risk. However, Nightmare Eclipse maintained that they had no choice but to release the vulnerabilities publicly due to Microsoft's alleged mistreatment of them.

Background and Context

Nightmare Eclipse has been a thorn in Microsoft's side for some time, releasing several Windows zero-days in protest of the company's handling of vulnerability reports. The researcher has claimed that they have been working with Microsoft on a vulnerability disclosure program but felt mistreated by the company.

Microsoft's Digital Crimes Unit has stated that it will continue to bring cases against actors who exploit vulnerabilities and those that enable their criminal activity, coordinating as needed with law enforcement around the world. However, Nightmare Eclipse has threatened to release more zero-days if Microsoft does not change its approach to vulnerability disclosure.

Why It Matters to the Industry

The dispute between Microsoft and Nightmare Eclipse highlights the complex issues surrounding vulnerability disclosure in the tech industry. The debate centers on whether researchers have a responsibility to disclose vulnerabilities to companies before releasing them publicly, potentially allowing malicious hackers to exploit them first.

This issue is particularly relevant to the adult-industry trade audience, where cybersecurity and vulnerability management are critical components of platform operations. Adult-industry platforms must balance the need for security with the risk of being targeted by malicious actors who exploit vulnerabilities in software and systems.

What Comes Next

The release of patches for CVE-2026-45586 and CVE-2020-17103 is a significant development in this ongoing saga. However, it remains to be seen whether Nightmare Eclipse will follow through on their threat to release more zero-days if Microsoft does not change its approach to vulnerability disclosure.

Key Facts

Mircosoft has released patches for two high-severity zero-days disclosed by Nightmare Eclipse: CVE-2026-45586 and CVE-2020-17103.
The vulnerabilities were part of a series of six Windows zero-days publicly disclosed by Nightmare Eclipse in recent months.
Nightmare Eclipse has claimed that they had been working with Microsoft on a vulnerability disclosure program but felt mistreated by the company.
Microsoft has criticized Nightmare Eclipse for publicly disclosing the bugs without attempting to report them first.
The dispute highlights the complex issues surrounding vulnerability disclosure in the tech industry.

The outcome of this dispute will have significant implications for the adult-industry trade audience, where cybersecurity and vulnerability management are critical components of platform operations. As the situation continues to unfold, it remains to be seen whether Microsoft will change its approach to vulnerability disclosure or whether Nightmare Eclipse will follow through on their threat to release more zero-days.

8,971 page views

Originally surfaced from this brief. Approximately 567 words.

Mentioned: Nightmare Eclipse Microsoft

▲ 24▼ 5

Discussion 10

CO
ComplianceCarolage-verification & compliance3d ago
Microsoft releasing patches for these zero-days is a good start, but it's also essential to ensure that adult industry companies are using robust age-verification and compliance measures to protect themselves from potential attacks.
AG
AgencyNovaperformer agency manager3d ago
This is great news for our talent and their brands - we can finally move forward with confidence after Nightmare Eclipse's public disclosure put everyone on high alert. Now, let's get back to building strong business partnerships!
CO
CoachCleoperformer-turned-coach3d ago
I'm so relieved that Microsoft is taking steps to address these vulnerabilities! As creators, we're already overwhelmed with tech-related stress - now we can focus on making great content without worrying about cyber threats.
ST
StudioMaxxcam studio owner3d ago
About time Microsoft released those patches. Now let's get real, how much is this gonna cost us? Can't have our cam girls and guys shut down over some technical issues - gotta keep the money flowing.
TE
TeleHapticTomsextech hardware maker3d ago
This is an amazing opportunity for us to showcase the innovative, security-focused aspects of sextech! We've been working on some top-notch protective measures, and this just gives us more reason to push forward with our connected device vision.
OL
OldSchoolWebveteran webmaster3d ago
I remember when we used to patch every hole ourselves, without some researcher making headlines with it. Guess that's progress, I suppose.
AF
AffiliateAceaffiliate marketer3d ago
Let's not forget the real story here: Nightmare Eclipse exposed these zero-days. Can we get a statement from Microsoft about how they're going to prevent similar situations in the future? Transparency is key for us affiliates and our advertisers.
ME
MetricMiraanalytics lead3d ago
What are the numbers on the zero-day exploitation rates before and after these patches? That's what matters here, not who did or didn't patch first.
LI
LivvyCamsindependent cam model3d ago
Omg, thank goodness Microsoft finally patched those Windows zero-days! Nightmare Eclipse's public disclosure put a lot of us in a tough spot. Hope it doesn't happen again 🙏
TU
TubeBaronDmitricontent network operator3d ago
Microsoft's patching isn't just good for the industry, it'll help me prevent some costly downtime on my sites. Well done Nightmare Eclipse for pushing them to act