Concise Cyber
Recently Leaked Windows Zero-Days Are Now Being Exploited in Attacks

Security researchers say threat actors are already abusing three recently disclosed Windows vulnerabilities in real-world attacks. The flaws were first exposed through public proof-of-concept code, and Huntress Labs now reports seeing active exploitation aimed at gaining SYSTEM or elevated administrator access.

Three Windows flaws moved from disclosure to active abuse

According to the report, a researcher known as “Chaotic Eclipse” or “Nightmare-Eclipse” published exploit code for all three issues earlier this month in protest over Microsoft’s handling of the disclosure process. At the time, the vulnerabilities were still considered zero-days because Microsoft had not yet released fixes for all of them.

Two of the bugs, called BlueHammer and RedSun, are Microsoft Defender local privilege escalation flaws. The third, named UnDefend, can be used by a standard user to block Microsoft Defender definition updates.

Huntress saw the exploits used in the wild

On Thursday, Huntress Labs said it observed all three exploit techniques being used in attacks. The company said BlueHammer had been exploited since April 10. Huntress also found UnDefend and RedSun on a Windows device that had already been breached through a compromised SSLVPN account, with signs of hands-on-keyboard attacker activity.

  • BlueHammer was reportedly used first, starting April 10
  • RedSun and UnDefend were also found in active attacks
  • One targeted system had been accessed using a compromised SSLVPN user
  • The activity showed evidence of manual attacker interaction

Microsoft has patched one flaw, but two remain open

Microsoft is now tracking BlueHammer as CVE-2026-33825 and included a fix in the April 2026 security updates. The other two vulnerabilities remain unpatched.

RedSun is particularly notable because it can reportedly be used on Windows 10, Windows 11, and Windows Server 2019 and later systems when Microsoft Defender is enabled, even after the April Patch Tuesday updates. The researcher said the exploit abuses Defender behavior involving files marked with a cloud tag, allowing system files to be overwritten and administrative privileges to be gained.

Why the leaks matter

The case shows how quickly public proof-of-concept code can be turned into live attack tooling when patches are not yet available for every issue. It also highlights the risks created when a defensive product such as Microsoft Defender is involved in privilege escalation or update-blocking behavior.

Microsoft said it investigates reported security issues and works to update affected devices as quickly as possible. The company also said it supports coordinated vulnerability disclosure, describing it as an industry practice that helps protect customers and support security research.

What defenders should watch for

Organizations running Windows systems should pay close attention to Defender-related anomalies, unauthorized privilege changes, and signs of post-compromise activity on endpoints and servers. Systems that have not yet received the latest security updates may be especially important to review.
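As an added example (not from the article, Huntress, or Microsoft), the following PowerShell script performs the three local checks the paragraph above implies: is Defender running with current signatures, can a definition update still be applied, and is the April 2026 update present. It uses only documented cmdlets (Get-MpComputerStatus, Update-MpSignature, Get-HotFix, Get-WinEvent). The KB identifier is a placeholder because the article names only CVE-2026-33825, not the update package; the threshold of two days for signature age is an assumed baseline, not a figure from the article.

```powershell
# Added example, not from the article: local Defender health and patch-state check.
# Run in an elevated PowerShell session on the endpoint being reviewed.
param(
    # Placeholder: replace with the KB number of the April 2026 cumulative update
    # for this OS build. The article gives CVE-2026-33825 but no KB identifier.
    [string]$AprilUpdateKB = 'KB<PLACEHOLDER>',
    # Assumed baseline: signatures older than this many days are treated as stale.
    [int]$MaxSignatureAgeDays = 2
)

$findings = @()

# 1. Defender state and signature freshness. UnDefend is described as letting a
#    standard user block definition updates, so a growing signature age is the
#    symptom to look for.
$status = Get-MpComputerStatus
if (-not $status.AntivirusEnabled)          { $findings += 'Defender antivirus is disabled' }
if (-not $status.RealTimeProtectionEnabled) { $findings += 'Real-time protection is off' }
if ($status.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
    $findings += ('Antivirus signatures are {0} days old (last updated {1})' -f
        $status.AntivirusSignatureAge, $status.AntivirusSignatureLastUpdated)
}

# 2. Try to pull a definition update now; a failure here on a machine with
#    working network access deserves investigation.
try {
    Update-MpSignature -ErrorAction Stop
} catch {
    $findings += "Signature update failed: $($_.Exception.Message)"
}

# 3. Patch state. Only BlueHammer (CVE-2026-33825) has a fix as of the article;
#    the article states RedSun still works after the April updates, so a present
#    KB does not clear that issue.
$hotfix = Get-HotFix -Id $AprilUpdateKB -ErrorAction SilentlyContinue
if (-not $hotfix) {
    $findings += "$AprilUpdateKB (April 2026 update, fixes CVE-2026-33825) is not installed"
}

# 4. Defender operational log: 2001 = security intelligence update failed,
#    5001/5010/5012 = real-time or scanning protection disabled.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 2001, 5001, 5010, 5012
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue
foreach ($e in $events) {
    $findings += ('Defender event {0} at {1}: {2}' -f $e.Id, $e.TimeCreated, $e.Message.Split("`n")[0])
}

# Summarise as an object so the result can be collected from many hosts.
[pscustomobject]@{
    ComputerName      = $env:COMPUTERNAME
    SignatureAgeDays  = $status.AntivirusSignatureAge
    AprilUpdatePresent = [bool]$hotfix
    Findings          = $findings
}
```

Run it with the real KB number once Microsoft's April 2026 release notes are at hand; an empty Findings list means the host passed the local checks, but it says nothing about the unpatched RedSun and UnDefend issues, which the article reports still work on updated systems.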

In this case, three leaked Windows exploit techniques have already transitioned from disclosure to active use, with one patched and two still awaiting fixes.

All articles are written here with the help of AI on the basis of openly available information which cannot be independently verified. We do strive to quote the relevant sources. The intent is only to summarise what is already reported in public forums in our own words, with no intention to plagiarise or copy other persons’ work. The publisher has no intent to defame or cause offence to anyone, any person or any organisation at any moment. The publisher assumes no responsibility for any damage or loss caused by making decisions on the basis of whatever is published on cyberconcise.com. You are advised to do your own checks and balances before making any decision, and owners and publishers at cyberconcise.com cannot be held accountable for its resulting ramifications. If you have any objections or concerns, or want to point out anything factually incorrect, please reach out using the form on https://concisecyber.com/about/