Threat actors are actively exploiting three recently disclosed **Windows** security vulnerabilities in attacks aimed at gaining SYSTEM or elevated administrator permissions. Since the start of the month, a security researcher known as "Chaotic Eclipse" or "Nightmare-Eclipse" has published proof-of-concept exploit code for all three security issues in protest to how **Microsoft's** Security Response Center (**MSRC**) handled the disclosure process. Two of the vulnerabilities (dubbed [BlueHammer](https://www.bleepingcomputer.com/news/security/disgruntled-researcher-leaks-bluehammer-windows-zero-day-exploit/) and [RedSun](https://www.bleepingcomputer.com/news/microsoft/new-microsoft-defender-redsun-zero-day-poc-grants-system-privileges/)) are **Microsoft Defender** local privilege escalation (LPE) flaws, while the third (known as [UnDefend](https://github.com/Nightmare-Eclipse/UnDefend)) can be exploited as a standard user to block **Microsoft Defender** definition updates. At the time of the leak, the security flaws these exploits targeted were considered zero-days by **Microsoft's** definition, since they had no official patches or updates to address them. On Thursday, **Huntress Labs** security researchers reported seeing all three zero-day exploits deployed in the wild, with the BlueHammer vulnerability being exploited since April 10. They also observed attacks on a **Windows** device that was breached using a compromised SSLVPN user, showing evidence of "hands-on-keyboard threat actor activity." "The **Huntress SOC** is observing the use of Nightmare-Eclipse's BlueHammer, RedSun, and UnDefend exploitation techniques," the researchers said. ## Two zero-days still waiting for a patch While **Microsoft** is now tracking the BlueHammer vulnerability as **CVE-2026-33825** and has patched it in the April 2026 security updates, the other two flaws remain unaddressed. As previously reported, attackers can use the RedSun exploit to gain SYSTEM privileges on Windows 10, Windows 11, and Windows Server 2019 and later systems when Windows Defender is enabled, even after applying the April Patch Tuesday patches. "When Windows Defender realizes that a malicious file has a cloud tag, for whatever stupid and hilarious reason, the antivirus that's supposed to protect decides that it is a good idea to just rewrite the file it found again to it's original location," the researcher explained. "The PoC abuses this behaviour to overwrite system files and gain administrative privileges." "Microsoft has a customer commitment to investigate reported security issues and update impacted devices to protect customers as soon as possible," a **Microsoft** spokesperson told BleepingComputer earlier this week when contacted for more information on the disclosure issues reported by the anonymous researcher. "We also support coordinated vulnerability disclosure, a widely adopted industry practice that helps ensure issues are carefully investigated and addressed before public disclosure, supporting both customer protection and the security research community."