Three Windows zero-days leaked by a disgruntled researcher are now being actively exploited by threat actors to gain SYSTEM privileges and disable Microsoft Defender.
Threat actors are actively exploiting three recently leaked Windows zero-day vulnerabilities to gain elevated system privileges and disable Microsoft Defender antivirus, according to security researchers at Huntress Labs.
From Proof-of-Concept to Active Exploitation
The vulnerabilities, dubbed BlueHammer, RedSun, and UnDefend, were publicly disclosed earlier this month by a security researcher known as "Chaotic Eclipse" or "Nightmare-Eclipse", who released them in protest at how Microsoft handled the disclosure process. At the time they were true zero-days: no official patch was available for any of the three.
Huntress Labs researchers reported on Thursday that they are now observing all three exploits being used in real-world attacks. BlueHammer has been actively exploited since April 10, while RedSun and UnDefend were spotted on a Windows host that had been breached through a compromised SSL VPN account.
"The Huntress SOC is observing the use of Nightmare-Eclipse's BlueHammer, RedSun, and UnDefend exploitation techniques," the researchers stated, noting evidence of "hands-on-keyboard threat actor activity" in these attacks.
Technical Details of the Exploits
The BlueHammer vulnerability is a local privilege escalation flaw in Microsoft Defender that allows attackers to gain SYSTEM-level privileges. Microsoft has since assigned it CVE-2026-33825 and patched it in the April 2026 security updates.
RedSun, another Microsoft Defender LPE vulnerability, affects Windows 10, Windows 11, and Windows Server 2019 and later systems. The researcher explained that the exploit takes advantage of Defender's behavior when handling files with cloud tags: "When Windows Defender realizes that a malicious file has a cloud tag, for whatever stupid and hilarious reason, the antivirus that's supposed to protect decides that it is a good idea to just rewrite the file it found again to its original location."
This rewrite can be abused to overwrite system files and gain administrative privileges. RedSun remains unpatched: it works even on systems that have applied the April Patch Tuesday updates.
UnDefend is a different type of vulnerability: it lets a standard (non-administrator) user block Microsoft Defender definition updates. The engine keeps running, but on stale definitions, which effectively disables its protection against newer threats without requiring elevated privileges.
Microsoft's Response and Ongoing Risks
Microsoft has patched only one of the three vulnerabilities so far. The company stated: "Microsoft has a customer commitment to investigate reported security issues and update impacted devices to protect customers as soon as possible. We also support coordinated vulnerability disclosure, a widely adopted industry practice that helps ensure issues are carefully investigated and addressed before public disclosure, supporting both customer protection and the security research community."
However, the researcher who disclosed these vulnerabilities did so after becoming frustrated with how the Microsoft Security Response Center (MSRC) handled the disclosure process, and published proof-of-concept exploit code for all three vulnerabilities starting at the beginning of April.
With two of the three vulnerabilities still unpatched and actively exploited in the wild, organizations running Windows systems should act now: deploy the April 2026 update that fixes CVE-2026-33825 (BlueHammer), monitor for signs of exploitation, including Defender definitions that stop advancing and the hands-on-keyboard activity Huntress describes, add compensating controls where possible, and be ready to deploy Microsoft's fixes for RedSun and UnDefend as soon as they ship.
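One concrete check for the UnDefend condition described above (definition updates silently blocked) and for the monitoring this paragraph recommends is a Defender health probe that flags stale signatures, a disabled engine, and recent update-failure events. The script below is an added example, not code from the article, Huntress, or Microsoft. The 24-hour staleness threshold is an assumption, the event IDs (2001 = security intelligence update failed, 5001 = real-time protection disabled) are taken from Microsoft's Defender event documentation and should be verified against your build, and because the article gives no fixed engine or platform version numbers, the script reports those versions rather than asserting anything about them.

```powershell
# Added example (not from the article, Huntress, or Microsoft): a stale-definition and
# engine-state check for Microsoft Defender, the condition an UnDefend-style update
# block produces. Assumptions: the 24 h threshold, and event IDs 2001 / 5001 per
# Microsoft's Defender event documentation. Verify both before alerting on them.

function Test-DefenderHealth {
    [CmdletBinding()]
    param(
        [int]$MaxSignatureAgeHours = 24,   # assumed threshold; Defender normally updates several times a day
        [switch]$AttemptUpdate             # also try Update-MpSignature and re-check the version
    )

    $findings = New-Object System.Collections.Generic.List[string]
    $before   = Get-MpComputerStatus

    # Engine state: a disabled service or disabled real-time protection is a finding
    # regardless of definition age.
    if (-not $before.AMServiceEnabled)          { $findings.Add('Antimalware service is not enabled') }
    if (-not $before.RealTimeProtectionEnabled) { $findings.Add('Real-time protection is disabled') }

    # Definition freshness: when updates are blocked, the signature timestamp stops advancing.
    $sigAge = (Get-Date) - $before.AntivirusSignatureLastUpdated
    if ($sigAge.TotalHours -gt $MaxSignatureAgeHours) {
        $msg = 'Signatures are {0:N1} h old (version {1}, last updated {2})' -f $sigAge.TotalHours, $before.AntivirusSignatureVersion, $before.AntivirusSignatureLastUpdated
        $findings.Add($msg)
    }

    # Optional active probe: an update that "succeeds" without changing the version on a host
    # that is already stale points at something blocking the update path.
    if ($AttemptUpdate) {
        try {
            Update-MpSignature -ErrorAction Stop
            $after = Get-MpComputerStatus
            if (($after.AntivirusSignatureVersion -eq $before.AntivirusSignatureVersion) -and
                ($sigAge.TotalHours -gt $MaxSignatureAgeHours)) {
                $findings.Add('Update-MpSignature ran but the signature version did not change')
            }
        } catch {
            $findings.Add("Update-MpSignature failed: $($_.Exception.Message)")
        }
    }

    # Corroborate with the Defender operational log over the last 24 hours.
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 2001, 5001
        StartTime = (Get-Date).AddDays(-1)
    } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $firstLine = ($e.Message -split "`n")[0]
        $findings.Add(('Event {0} at {1}: {2}' -f $e.Id, $e.TimeCreated, $firstLine))
    }

    # Engine/platform versions are reported for comparison with Microsoft's advisories;
    # the article gives no fixed version numbers, so nothing is asserted about them here.
    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        AMProductVersion = $before.AMProductVersion
        AMEngineVersion  = $before.AMEngineVersion
        SignatureVersion = $before.AntivirusSignatureVersion
        SignatureAgeHrs  = [math]::Round($sigAge.TotalHours, 1)
        Findings         = $findings.ToArray()
        Healthy          = ($findings.Count -eq 0)
    }
}

# Usage on the local host (wrap in Invoke-Command to sweep a fleet):
Test-DefenderHealth -MaxSignatureAgeHours 24 -AttemptUpdate | Format-List
```

Run it from an elevated PowerShell session so that `Update-MpSignature` and the operational log are readable; on a fleet, pipe the `Healthy` and `Findings` fields into whatever your SOC already alerts on, and treat a host whose signature version refuses to move after a forced update as a candidate for the hands-on-keyboard investigation Huntress describes rather than as a routine update hiccup.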
The situation highlights the ongoing tension between security researchers and software vendors regarding vulnerability disclosure timelines, especially when critical security flaws are discovered and not addressed promptly.
