Recently Leaked Windows Zero-Days Now Exploited in Attacks

BleepingComputer
Apr 17, 2026

Why It Matters

Exploitation of these zero‑days threatens enterprise endpoints that rely on Defender, exposing critical systems to privilege escalation and data loss. The delay in patching two of the flaws leaves millions of Windows devices vulnerable, underscoring the need for rapid mitigation strategies.

Key Takeaways

  • Chaotic Eclipse released PoC code for three Windows zero‑day flaws
  • Huntress Labs observed active exploitation of BlueHammer, RedSun, UnDefend
  • Microsoft patched BlueHammer (CVE‑2026‑33825) in April 2026 update
  • RedSun and UnDefend remain unpatched, allowing SYSTEM access
  • Exploits target Defender, bypassing updates and gaining admin privileges

Pulse Analysis

The recent leak of three Windows zero‑day vulnerabilities has reignited debate over coordinated vulnerability disclosure. Researcher “Chaotic Eclipse” released proof‑of‑concept exploits for BlueHammer, RedSun and UnDefend to protest Microsoft’s handling of the disclosure process. By publishing the code publicly, the researcher forced the security community’s hand, highlighting the tension between rapid public awareness and the need for vendors to develop mitigations before attackers can weaponize flaws.

Huntress Labs’ observation of active exploitation confirms that threat actors moved quickly from code release to real‑world attacks. BlueHammer, a local privilege escalation bug, has been used since early April to elevate compromised accounts to SYSTEM. RedSun manipulates Defender’s cloud‑tag handling to overwrite system files, while UnDefend blocks definition updates, effectively disabling the antivirus. These techniques bypass traditional defenses, giving attackers persistent, high‑privilege footholds on Windows 10, 11 and Server environments, and raising alarm for organizations that rely heavily on Defender for endpoint protection.

Microsoft’s response—patching BlueHammer in the April 2026 update—demonstrates the company’s capacity to act swiftly when a vulnerability is publicly disclosed. However, the remaining unpatched flaws, RedSun and UnDefend, leave a substantial attack surface open. Enterprises should apply the latest Defender hardening guidance, consider supplemental endpoint protection, and monitor for Indicators of Compromise linked to the known exploits. The episode underscores the importance of layered security, rapid patch management, and clear communication channels between researchers and vendors to mitigate the fallout from zero‑day disclosures.
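As an added example (not from the article or from BleepingComputer's reporting), the following PowerShell check flags the condition the article attributes to UnDefend: Defender still running but no longer receiving security intelligence updates. The age threshold and the exit-code convention are assumptions to adapt to your own update cadence.

```powershell
# Added example: Defender update-health check for the "blocked definition
# updates" effect described in the article. Not the article's own code.
$MaxSignatureAgeDays = 2   # assumption: tune to your update cadence

$status   = Get-MpComputerStatus
$findings = @()

# Engine and real-time protection should both be on.
if (-not $status.AntivirusEnabled)          { $findings += 'Antivirus engine disabled' }
if (-not $status.RealTimeProtectionEnabled) { $findings += 'Real-time protection disabled' }

# Stale signatures are the observable symptom of blocked definition updates.
if ($status.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
    $findings += ('Signatures are {0} days old (last update: {1})' -f `
        $status.AntivirusSignatureAge, $status.AntivirusSignatureLastUpdated)
}

# Event ID 2001 in the Defender operational log records a failed
# security intelligence update; repeated failures inside the window
# point to update delivery being interfered with rather than merely late.
$failed = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 2001
    StartTime = (Get-Date).AddDays(-$MaxSignatureAgeDays)
} -ErrorAction SilentlyContinue
if ($failed) {
    $findings += ('{0} failed update event(s) in the last {1} day(s)' -f `
        @($failed).Count, $MaxSignatureAgeDays)
}

if ($findings.Count -gt 0) {
    Write-Warning "Defender update health check FAILED on $env:COMPUTERNAME"
    $findings | ForEach-Object { Write-Warning " - $_" }
    exit 1
}
Write-Output "Defender update health OK on $env:COMPUTERNAME"
exit 0
```

Run it from an elevated session or through your endpoint management tooling so the non-zero exit code can raise an alert centrally.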
