Threat actors are actively exploiting three recently disclosed Windows vulnerabilities, BlueHammer, RedSun, and UnDefend, to gain SYSTEM or elevated administrator permissions. Proof-of-concept exploit code was leaked by researcher “Chaotic Eclipse” (aka “Nightmare-Eclipse”), and Huntress Labs has observed all three zero-days exploited in the wild. BlueHammer has been assigned CVE-2026-33825 and patched, while RedSun and UnDefend remain unpatched.
Key points
- Three Windows vulnerabilities (BlueHammer, RedSun, UnDefend) are being exploited to achieve SYSTEM or elevated admin privileges.
- Proof-of-concept exploit code was published by “Chaotic Eclipse”/“Nightmare-Eclipse” in protest of Microsoft’s disclosure handling.
- Huntress Labs detected all three exploits in live attacks, including breaches that began with a compromised SSLVPN user and hands-on-keyboard activity.
- Microsoft patched BlueHammer as CVE-2026-33825 in April 2026, but RedSun and UnDefend remain unpatched zero-days.
- RedSun and UnDefend abuse Microsoft Defender behaviors to overwrite system files or block definition updates to escalate privileges.