Threat actors have begun abusing three recently disclosed Windows vulnerabilities to escalate privileges and interfere with Microsoft Defender, turning a dispute over disclosure handling into active exploitation. A security researcher known as “Chaotic Eclipse” (also called “Nightmare-Eclipse”) released proof-of-concept exploit code for all three flaws earlier this month, and multiple security teams have since observed the techniques in live intrusions. For defenders and administrators, the situation underscores how quickly a public PoC can be weaponized and why layered protections matter while vendors respond.
How the exploits surfaced
The PoC code was published by the anonymous researcher as a protest over how Microsoft’s Security Response Center handled the disclosure. At the time of the leak, the targeted flaws met the practical definition of zero-days for many organizations: no official fixes were available. Huntress Labs later reported evidence of all three exploit techniques being used in the wild and noted that BlueHammer had been observed as early as April 10. Some incidents began with initial access through a stolen SSL VPN account, followed by “hands-on-keyboard” post-exploitation activity.
The three vulnerabilities explained
BlueHammer
- Description: BlueHammer targets a local privilege escalation vector involving Microsoft Defender. Microsoft has assigned BlueHammer CVE-2026-33825 and issued a patch for it in the April 2026 security updates.
- Observed activity: Security teams reported BlueHammer being actively exploited in attacks beginning in early April, before and around the time the patch was released.
- Impact: On unpatched systems, BlueHammer can allow an attacker with local access to escalate privileges, potentially to SYSTEM.
RedSun
- Description: RedSun is another local privilege escalation issue tied to Microsoft Defender behavior. The exploit leverages Defender’s handling of files with cloud tags to overwrite system files.
- Technical note reported by the researcher: when Defender detects a file carrying a cloud tag, its remediation logic can rewrite the file back to its original location. The PoC abuses that rewrite to replace or corrupt system files and so obtain elevated privileges.
- Status: As of the latest reports, RedSun remained unpatched and effective on Windows 10, Windows 11, and Windows Server 2019 and later whenever Defender is enabled, including systems that had already received the April Patch Tuesday updates.
UnDefend
- Description: UnDefend differs from the other two: rather than escalating privileges, it lets a standard (non-privileged) user interfere with Microsoft Defender’s ability to update its definitions.
- Impact: An attacker who can block Defender definition updates can increase the window during which other malware or exploit tooling remains undetected or unmitigated.
- Status: At the time of reporting, UnDefend had not been patched and was observed in the wild alongside BlueHammer and RedSun in at least one breached environment.
Real-world attacks and impact
Huntress Labs observed a case where UnDefend and RedSun were deployed on a compromised host that had been accessed via a stolen SSL VPN user account. The activity exhibited manual operator actions, suggesting intruders used these exploits as part of an interactive intrusion to obtain persistent elevated privileges and reduce detection risk. The combination of blocking Defender updates and escalating to SYSTEM can enable widespread and difficult-to-detect compromise, particularly in environments that rely primarily on Defender for endpoint protection.
Microsoft response and disclosure friction
Microsoft confirmed it tracks BlueHammer as CVE-2026-33825 and released a patch in the April updates. For the other two bugs, Microsoft pointed to its commitment to investigate reported security issues on behalf of customers and to its support for coordinated vulnerability disclosure. The researcher’s public release of PoC code highlights the tension that can arise when researchers feel a disclosure was mishandled; it also accelerated real-world exploitation and created immediate risk for unpatched systems.
Practical steps for defenders
- Apply available patches immediately: Ensure the fix for BlueHammer (CVE-2026-33825) and the rest of the April 2026 updates are installed across your estate.
- Monitor for indicators of hands-on-keyboard activity: Investigate anomalous interactive sessions, unusual process execution, and signs of post-authentication lateral movement—especially after VPN or remote access logins.
- Harden privileged access: Enforce least privilege, use strong multi-factor authentication for remote access (including VPNs), and limit administrative access to reduce the blast radius of credential compromise.
- Audit and protect Defender components: Monitor Defender signature-update operations (including update failures and unusually stale signatures), changes to Defender services and configuration, and attempts to disable protection features or alter Defender files. Review Defender remediation actions that touch files under system directories, since that is the behavior RedSun abuses.
- Prepare incident response plans: Because attackers have been observed chaining multiple techniques (definition-blocking plus privilege escalation), ensure IR playbooks cover rapid containment, credential resets, and system isolation.
- Stay informed: Watch vendor advisories and security vendor telemetry for additional indicators of compromise and follow Microsoft guidance when patches for the remaining issues become available.
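The following PowerShell script is an added example of the Defender audit described above; it is not from the article, from Huntress, or from Microsoft. It is a read-only host triage that reports Defender health and signature age (a stalled signature feed is the outcome UnDefend aims for), lists recently installed updates so the April 2026 cumulative update can be confirmed (the article gives the CVE but no KB number, so none is hard-coded), and pulls Defender operational events an analyst would review, flagging remediation actions whose target path sits under a system or program directory. The 48-hour staleness threshold, the 45-day update window, the sensitive-path prefixes, and the regex that pulls the path out of the event message are assumptions chosen for this example.

```powershell
# Added example (not from the article, Huntress, or Microsoft): read-only
# Defender triage for one Windows host. Run from an elevated PowerShell session.
# Thresholds, path prefixes, and the message-parsing regex are assumptions.

$StaleAfterHours   = 48
$UpdateWindowDays  = 45
$SensitivePrefixes = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\")

# 1. Defender health and signature freshness. Get-MpComputerStatus is the
#    built-in Defender cmdlet; the properties below are from its real output.
$status = Get-MpComputerStatus
$sigAge = (Get-Date) - $status.AntivirusSignatureLastUpdated
[PSCustomObject]@{
    AntivirusEnabled          = $status.AntivirusEnabled
    RealTimeProtectionEnabled = $status.RealTimeProtectionEnabled
    TamperProtected           = $status.IsTamperProtected
    EngineVersion             = $status.AMEngineVersion
    SignatureVersion          = $status.AntivirusSignatureVersion
    SignatureAgeHours         = [math]::Round($sigAge.TotalHours, 1)
    SignatureStale            = ($sigAge.TotalHours -gt $StaleAfterHours)
} | Format-List

# 2. Recently installed updates, newest first, to confirm the April 2026
#    cumulative update is present. No KB number is assumed.
Get-HotFix |
    Where-Object { $_.InstalledOn -and $_.InstalledOn -gt (Get-Date).AddDays(-$UpdateWindowDays) } |
    Sort-Object InstalledOn -Descending |
    Select-Object HotFixID, Description, InstalledOn |
    Format-Table -AutoSize

# 3. Defender operational events. IDs are Microsoft's documented Defender event
#    IDs: 2001 signature update failed, 5001 real-time protection disabled,
#    5010 antimalware scanning disabled, 1117 remediation action taken.
$log    = 'Microsoft-Windows-Windows Defender/Operational'
$since  = (Get-Date).AddDays(-14)
$events = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 2001, 5001, 5010, 1117; StartTime = $since } `
                       -ErrorAction SilentlyContinue   # no matching events is not an error

$events | ForEach-Object {
    $e = $_
    $flag = switch ($e.Id) {
        2001 { 'SIGNATURE-UPDATE-FAILED' }
        5001 { 'REALTIME-PROTECTION-DISABLED' }
        5010 { 'SCANNING-DISABLED' }
        1117 {
            # The 1117 message carries a "Path: file:_C:\..." field. A remediation
            # whose target is under a system or program directory is the pattern
            # to examine for RedSun-style abuse of Defender's file rewrite.
            $m = [regex]::Match($e.Message, 'Path:\s*(?:file:_)?(?<p>[^\r\n]+)')
            $p = if ($m.Success) { $m.Groups['p'].Value.Trim() } else { '' }
            $hit = $SensitivePrefixes | Where-Object { $p.StartsWith($_, 'OrdinalIgnoreCase') }
            if ($hit) { 'REMEDIATION-IN-SYSTEM-PATH' } else { 'remediation' }
        }
    }
    [PSCustomObject]@{
        Time    = $e.TimeCreated
        Id      = $e.Id
        Flag    = $flag
        User    = $e.UserId
        Summary = ($e.Message -split "`n")[0]
    }
} | Sort-Object Time -Descending | Format-Table -AutoSize
```

Anything flagged SIGNATURE-UPDATE-FAILED or a SignatureStale of True on a host that otherwise has network access is the signal to investigate for UnDefend; a REMEDIATION-IN-SYSTEM-PATH hit warrants pulling the full 1117 event and comparing the file's hash and signature against a known-good copy before trusting the host.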
Closing thoughts
The fast transition from PoC release to active exploitation is a reminder that public disclosure—even when intended to pressure better vendor behavior—can materially increase risk for organizations. Until all three issues are patched, defenders should assume attackers will attempt to use these techniques and prioritize patching, monitoring, and access controls to limit the impact.