Three Zero-Day Exploits Actively Used in the Wild to Target Windows Systems

Microsoft has patched one of the flaws; the other two remain unpatched and actively exploited

Threat actors are actively exploiting multiple Windows vulnerabilities to gain elevated privileges, up to SYSTEM level, on affected machines. The exploits, released publicly by a researcher known as Chaotic Eclipse (also called Nightmare-Eclipse), have already appeared in real-world attacks.

The release reportedly came as a protest against Microsoft Security Response Center practices, but the impact quickly moved beyond theory into active exploitation.

Three Exploits Target Windows Defender

The campaign revolves around three vulnerabilities affecting Microsoft Defender:

  • BlueHammer – Local privilege escalation flaw
  • RedSun – Another privilege escalation vulnerability
  • UnDefend – Disables Defender definition updates

All three initially surfaced as zero-day exploits, meaning no patches were available at disclosure.

Security researchers from Huntress Labs confirmed that attackers are already using these tools in the wild, with BlueHammer exploitation observed since April 10.

Real-World Attacks Already Confirmed

Investigations show that attackers have used these exploits in actual breaches, not just proof-of-concept scenarios. Because the flaws are local privilege escalations, an attacker first needs a foothold on the machine. In one case, a compromised SSL VPN account provided that initial access, after which the threat actors escalated privileges using the newly released tools.

Analysts also observed hands-on-keyboard activity, suggesting direct human control rather than automated malware. This type of interaction often points to targeted attacks rather than broad, automated campaigns.

Patch Status Leaves Systems Exposed

Microsoft has released a fix for one of the vulnerabilities, BlueHammer, tracked as CVE-2026-33825. RedSun and UnDefend remain unpatched, leaving a significant portion of the attack surface exposed.

This partial mitigation leaves real risk in place, particularly for environments that depend on Microsoft Defender as their primary security layer, since UnDefend can stop Defender's definition updates.

Microsoft Responds to Public Exploit Release

Microsoft confirmed that it is investigating the remaining vulnerabilities and reiterated the importance of coordinated disclosure practices. The company emphasized that releasing exploits publicly before patches are available can increase exposure for users.

Despite that, confirmed in-the-wild activity indicates that attackers have already moved quickly to take advantage of the situation.

Ongoing Risk for Windows Users

With two vulnerabilities still unpatched and active exploitation underway, the threat level remains high. Systems with compromised credentials or weak access controls face the greatest risk, especially in enterprise environments.

Users and administrators should apply the available patch as soon as possible and monitor systems closely while waiting for fixes for the remaining vulnerabilities. Since one of the unpatched flaws targets Defender's definition updates, checking that signatures are still current and that Defender's own event log shows no update failures is a practical place to start.
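The following PowerShell script is an added example for the monitoring advice above; it is not code from the article, from Microsoft, or from the researcher who released the exploits. It checks the UnDefend failure mode the article describes (definition updates no longer arriving) using only the standard Defender module and Defender's operational event log. Assumptions: it runs in an elevated PowerShell on a host with Microsoft Defender Antivirus; the one-day staleness threshold and 24-hour lookback window are arbitrary choices; and the optional KB number for the CVE-2026-33825 fix must be taken from Microsoft's advisory, as the article does not give it.

```powershell
# Added example (not from the article, Microsoft, or the researcher): Defender health check
# for the "definition updates disabled" failure mode. Assumptions: elevated session, Defender
# Antivirus installed; threshold and lookback are arbitrary; $PatchKB comes from Microsoft's advisory.
param(
    [int]$MaxSignatureAgeDays = 1,    # assumption: signatures older than a day are suspect
    [int]$LookbackHours = 24,         # assumption: how far back to read the Defender log
    [string]$PatchKB = ''             # KB for the CVE-2026-33825 fix; not given in the article
)

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Current protection and signature state from the Defender module.
$status = Get-MpComputerStatus
if (-not $status.RealTimeProtectionEnabled) {
    $findings.Add('Real-time protection is disabled')
}
if ($status.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
    $findings.Add(("Antivirus signatures are {0} day(s) old (version {1}, last updated {2})" -f
        $status.AntivirusSignatureAge, $status.AntivirusSignatureVersion, $status.AntivirusSignatureLastUpdated))
}

# 2. Try to pull a definition update right now. A host whose updates have been disabled
#    will typically error out here or still report the same signature version afterwards.
try {
    Update-MpSignature -ErrorAction Stop
    $after = Get-MpComputerStatus
    if ($after.AntivirusSignatureVersion -eq $status.AntivirusSignatureVersion -and
        $status.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
        $findings.Add('Update-MpSignature completed but the signature version did not change')
    }
} catch {
    $findings.Add("Update-MpSignature failed: $($_.Exception.Message)")
}

# 3. Defender's operational log for the lookback window.
#    2001 = security intelligence update failed, 5001 = real-time protection disabled,
#    5008 = antimalware engine failure, 1116 = malware detected.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 2001, 5001, 5008, 1116
    StartTime = (Get-Date).AddHours(-$LookbackHours)
} -ErrorAction SilentlyContinue
foreach ($e in $events) {
    $firstLine = ($e.Message -split "`r?`n")[0]
    $findings.Add("Defender event $($e.Id) at $($e.TimeCreated): $firstLine")
}

# 4. Optional: confirm the BlueHammer (CVE-2026-33825) update is installed.
if ($PatchKB -and -not (Get-HotFix -Id $PatchKB -ErrorAction SilentlyContinue)) {
    $findings.Add("$PatchKB is not installed")
}

if ($findings.Count -eq 0) {
    Write-Output 'OK: Defender is active, signatures are current, and no alarming events were logged.'
    exit 0
}
Write-Output 'ATTENTION: Defender health check found issues:'
$findings | ForEach-Object { Write-Output "  - $_" }
exit 1
```

Step 2 contacts the configured update source, so run it where outbound access to that source is expected; on a fleet, the non-zero exit code makes the script usable from a scheduled task or management agent that reports failures centrally.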

In other news, Microsoft is also warning users about a macOS-focused attack campaign that spreads through fake job interview offers.

Via BleepingComputer
