Windows vulnerabilities exploited after public release of Defender exploit code
A security researcher published exploit code that has led to active exploitation of Windows vulnerabilities, according to Huntress, raising urgent patching concerns for organizations using Windows Defender.
Huntress Detects Exploitation of Windows Vulnerabilities
Huntress, a cybersecurity firm, reported this week that attackers have begun exploiting three Windows vulnerabilities disclosed publicly in recent weeks. The firm said it observed active use of exploit code against at least one organization and identified the flaws by their community names: BlueHammer, UnDefend, and RedSun. BlueHammer is tracked as CVE-2026-33825 and has been patched by Microsoft, while the other two remain unpatched and are under active scrutiny.
Researcher Published Exploit Code
A security researcher operating under the handle Chaotic Eclipse published what they described as proof-of-concept exploit code on a personal blog and GitHub repository. The posts included demonstrative code for all three vulnerabilities and were accompanied by commentary indicating the disclosures were intentional and retaliatory in tone. The public availability of working exploit code appears to have accelerated weaponization by criminal and state-aligned actors, according to investigators.
Windows Defender Flaws Allow Elevated Access
All three vulnerabilities affect Windows Defender, the Microsoft-built antivirus and endpoint protection component, and enable attackers to escalate privileges on affected machines. Successful exploitation can grant high-level or administrative access, allowing intruders to disable security controls, deploy further malware, or move laterally within networks. Security teams that treat Windows Defender as a first line of defense now face the added challenge that the defensive product itself can be leveraged to undermine host security.
Microsoft Statement and Patch Status
Microsoft’s communications director, Ben Hope, said the company supports coordinated vulnerability disclosure and emphasized the value of working with researchers to investigate and remediate issues before public release. The company issued a patch for BlueHammer earlier this week, but at the time of Huntress’s advisory the UnDefend and RedSun issues remained without vendor fixes. Organizations are advised to apply available updates immediately and to monitor vendor guidance for emergency patches or workarounds.
Threat Actors Rapidly Embrace Ready-Made Tooling
Security experts warn that once exploit code appears publicly, attackers of all types can quickly incorporate it into malware toolkits and automated attack frameworks. John Hammond, a Huntress researcher tracking the activity, described the situation as a race between defenders and adversaries now that exploit tooling is widely accessible. The ready-made nature of the published code reduces the technical barrier for exploitation and shortens the window defenders have to detect and block attacks.
Attribution and Targets Remain Unclear
Investigators have not publicly identified the specific attackers or confirmed the identity of the organization(s) that were breached using the disclosed code. Huntress said it observed exploitation but did not attribute the activity to a particular criminal group or nation-state. The absence of clear attribution complicates incident response and may slow coordinated efforts to contain any broad campaign leveraging the disclosed vulnerabilities.
Recommendations for Organizations and Administrators
Security teams should prioritize patching for the known CVE and apply any mitigations provided by vendors for the remaining issues as soon as they are available. Network defenders should review endpoint detection rules, enable enhanced logging for Windows Defender components, and perform targeted hunts for indicators tied to the exploit code now circulating. Where patching is delayed, organizations can consider compensating controls such as restricting administrative privileges, isolating critical systems, and tightening egress filtering to limit attacker movement.
The public release of exploit code that affects core Windows Defender components has already produced at least one confirmed exploitation and underscores the risks associated with full public disclosure without an agreed remediation timeline. Organizations should treat this activity as an urgent operational issue, apply available updates, and maintain heightened detection and response posture while vendors and researchers work to resolve the remaining vulnerabilities.
