Leaked Proof-of-Concept Exploits Now Weaponized in Real Attacks
Three Windows security vulnerabilities whose proof-of-concept exploit code was publicly released in protest earlier this month are now being actively exploited by threat actors seeking SYSTEM-level or elevated administrator privileges on targeted machines. The exploits were published by a security researcher going by the handles "Chaotic Eclipse" or "Nightmare-Eclipse", who disclosed them in response to frustrations with how Microsoft's Security Response Center (MSRC) handled the original reporting process.
The three vulnerabilities carry informal names: BlueHammer and RedSun, both local privilege escalation (LPE) flaws affecting Microsoft Defender, and UnDefend, which can be leveraged by a standard user account to prevent Microsoft Defender from receiving definition updates. At the time the exploits were leaked, none of the three issues had official patches or mitigations from Microsoft, qualifying them as zero-days under the company's own definitions.
Huntress Labs Confirms In-the-Wild Exploitation
On Thursday, researchers at Huntress Labs publicly reported observing all three zero-day exploits deployed in active attacks. According to their findings, the BlueHammer vulnerability has been exploited in the wild since at least April 10. Separately, Huntress researchers identified the UnDefend and RedSun exploits running together on a Windows device that had been compromised through a breached SSLVPN user account.
The Huntress team described evidence of direct, manual attacker involvement in those intrusions, noting signs of "hands-on-keyboard threat actor activity."
"The Huntress SOC is observing the use of Nightmare-Eclipse's BlueHammer, RedSun, and UnDefend exploitation techniques."
The combination of a disabled or hampered Defender update mechanism alongside privilege escalation techniques suggests attackers are chaining these vulnerabilities in a deliberate and coordinated manner to maximize impact while avoiding detection.
BlueHammer Patched, RedSun and UnDefend Remain Open
Microsoft has since assigned the BlueHammer vulnerability the identifier CVE-2026-33825 and addressed it as part of the April 2026 Patch Tuesday security updates. However, both RedSun and UnDefend remain unpatched as of the time of this reporting, leaving users of affected Windows versions exposed to ongoing exploitation.
As BleepingComputer previously noted, the RedSun exploit is capable of granting SYSTEM privileges across Windows 10, Windows 11, and Windows Server 2019 and later versions, even on systems that have fully applied the April Patch Tuesday updates. The vulnerability exists in the behavior of Windows Defender when it detects a malicious file tagged as such by cloud-based analysis.
The anonymous researcher provided a detailed explanation of the RedSun flaw's mechanics:
"When Windows Defender realizes that a malicious file has a cloud tag, for whatever stupid and hilarious reason, the antivirus that's supposed to protect decides that it is a good idea to just rewrite the file it found again to its original location. The PoC abuses this behaviour to overwrite system files and gain administrative privileges."
How the Vulnerabilities Work
BlueHammer (CVE-2026-33825)
BlueHammer is a local privilege escalation vulnerability in Microsoft Defender. It was the first of the three to be confirmed as exploited in the wild, with active attacks observed from April 10 onward. Microsoft has now issued a patch through its April 2026 cumulative security update cycle.
RedSun
RedSun is another LPE flaw in Microsoft Defender that abuses the antivirus engine's cloud-tagging behavior to overwrite system files. Because exploitation is possible even after applying the most recent Patch Tuesday updates, Windows 10, Windows 11, and Windows Server 2019 and later systems remain at risk until Microsoft issues a dedicated fix.
UnDefend
Unlike the other two flaws, UnDefend does not directly grant elevated privileges. Instead, it allows a standard, unprivileged user to block Microsoft Defender from receiving definition updates entirely, effectively blinding the antivirus engine to new malware signatures. This makes it a powerful enabler when used alongside other exploitation techniques, as observed in the Huntress incident where it appeared alongside RedSun.
Microsoft's Response and Coordinated Disclosure Debate
When contacted by BleepingComputer earlier this week regarding the researcher's claims about MSRC's handling of the disclosures, a Microsoft spokesperson issued the following statement:
"Microsoft has a customer commitment to investigate reported security issues and update impacted devices to protect customers as soon as possible. We also support coordinated vulnerability disclosure, a widely adopted industry practice that helps ensure issues are carefully investigated and addressed before public disclosure, supporting both customer protection and the security research community."
The statement did not directly address the specific grievances raised by Nightmare-Eclipse, who released the proof-of-concept code publicly in protest rather than following a traditional coordinated disclosure timeline. The incident highlights an ongoing tension between security researchers and vendors when disclosure timelines are perceived as being ignored or mishandled.
Implications for Defenders
With two of the three vulnerabilities still awaiting patches and active exploitation confirmed across all three, organizations relying on Microsoft Defender as a primary endpoint defense face a particularly difficult situation. The ability of attackers to both disable Defender updates and escalate to SYSTEM privileges using publicly available exploit code represents a significant compounding risk.
- Apply the April 2026 Patch Tuesday updates immediately to address CVE-2026-33825 (BlueHammer).
- Monitor for signs of Defender definition update failures, which may indicate UnDefend exploitation attempts.
- Audit SSLVPN user accounts for signs of compromise, as at least one confirmed attack vector involved a breached SSLVPN credential.
- Review endpoint detection logs for anomalous privilege escalation behavior consistent with RedSun techniques.
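The following PowerShell script is an added example written for this page; it is not code from the article, from Huntress, or from Microsoft. It implements the second item above on a single host: it reads Defender's own status through the Defender module's Get-MpComputerStatus cmdlet and queries the Defender operational event log for event ID 2001 (security intelligence update failed), then reports anything that looks like definition updates stalling. The 48-hour staleness threshold and 72-hour lookback are assumptions to tune per environment; a stale signature set is a lead to correlate with endpoint telemetry, not proof of UnDefend activity.

```powershell
# Added example (not from the article, Huntress or Microsoft).
# Defender update-health check for one host. Run in an elevated PowerShell
# session on a machine with the Defender module (Get-MpComputerStatus) available.
[CmdletBinding()]
param(
    # Assumed threshold: flag signatures older than this many hours.
    [int]$MaxSignatureAgeHours = 48,
    # Assumed lookback window for failed-update events.
    [int]$LookbackHours = 72
)

$findings = @()

# --- 1. Signature freshness and real-time protection state -------------------
$status = Get-MpComputerStatus
$sigAge = (Get-Date) - $status.AntivirusSignatureLastUpdated
if ($sigAge.TotalHours -gt $MaxSignatureAgeHours) {
    $findings += [pscustomobject]@{
        Check  = 'SignatureAge'
        Detail = "Antivirus signatures last updated $($status.AntivirusSignatureLastUpdated) " +
                 "($([int]$sigAge.TotalHours)h ago), version $($status.AntivirusSignatureVersion)"
    }
}
if (-not $status.RealTimeProtectionEnabled) {
    $findings += [pscustomobject]@{
        Check  = 'RealTimeProtection'
        Detail = 'Real-time protection is disabled'
    }
}

# --- 2. Failed update events in the Defender operational log -----------------
# Event ID 2001 = "The security intelligence update failed".
$since  = (Get-Date).AddHours(-$LookbackHours)
$failed = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 2001
    StartTime = $since
} -ErrorAction SilentlyContinue   # no error if there are simply no events

foreach ($ev in $failed) {
    $firstLine = ($ev.Message -split "`n")[0]
    $findings += [pscustomobject]@{
        Check  = 'UpdateFailedEvent'
        Detail = "$($ev.TimeCreated): $firstLine"
    }
}

# --- 3. Report ----------------------------------------------------------------
if ($findings.Count -eq 0) {
    Write-Output "OK: signatures current and no failed update events in the last $LookbackHours hours."
} else {
    Write-Output "ATTENTION: $($findings.Count) finding(s). Correlate with EDR telemetry for privilege-escalation activity."
    $findings | Format-Table -AutoSize
}
```

For fleet-wide use, run it through your existing remote-execution tooling and collect the findings centrally; a host whose signatures stop advancing while its peers keep updating is the pattern worth investigating first.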
Huntress Labs' Managed Security Operations Center (SOC) continues to monitor for further exploitation activity. No timeline has been provided by Microsoft for when patches addressing RedSun and UnDefend will be released.
Source: BleepingComputer