Recently Leaked Windows Zero-Days Actively Exploited: An Analysis of CVE-2026-33825 and Unpatched Threats

Introduction

Three Windows security vulnerabilities, recently disclosed publicly, are undergoing active exploitation. These vulnerabilities, CVE-2026-33825 (BlueHammer), RedSun, and UnDefend, are local privilege escalation (LPE) flaws or mechanisms that impair system defenses. Threat actors use these weaknesses to gain elevated SYSTEM or administrator permissions on affected systems.

The public disclosure of proof-of-concept (PoC) exploit code for these issues stemmed from a security researcher's protest regarding the disclosure handling of Microsoft's Security Response Center (MSRC). This situation shows the need for proactive threat intelligence capabilities to track newly emerging threats, especially when official patches are delayed. At the time of their leak, these security flaws met Microsoft's criteria for zero-day vulnerabilities, meaning no official patches or updates were available to address them.

The immediate exploitation of these vulnerabilities shows the speed at which threat actors weaponize newly revealed flaws. Organizations face a persistent challenge in detecting and mitigating such threats before widespread impact occurs. Effective breach detection mechanisms are important for identifying early stages of exploitation.

What is CVE-2026-33825 and why is it critical?

CVE-2026-33825, known as BlueHammer, is a local privilege escalation (LPE) vulnerability affecting Microsoft Windows. It is critical because it allows an attacker, who already has a foothold on a system, to elevate their privileges to SYSTEM. This level of access grants complete control over the compromised machine, enabling further malicious activities like data exfiltration, lateral movement, or the deployment of additional malware, including ransomware.

The vulnerability was among three security issues for which a researcher, known as "Chaotic Eclipse" or "Nightmare-Eclipse," published proof-of-concept exploit code. At the time of its initial disclosure and active exploitation, CVE-2026-33825 was considered a zero-day. While a CVSS score was not provided in the original reporting, the nature of a local privilege escalation leading to SYSTEM privileges generally indicates a high severity rating.

CVE-2026-33825 has since received an official patch from Microsoft.

What other unpatched zero-days are being exploited alongside CVE-2026-33825?

Beyond CVE-2026-33825, threat actors are actively exploiting two other Windows zero-days: RedSun and UnDefend. Both vulnerabilities primarily target Microsoft Defender, a core component of Windows security. Unlike BlueHammer, RedSun and UnDefend remained unaddressed by Microsoft's April 2026 security updates at the time of reporting, leaving systems vulnerable.

RedSun is a Microsoft Defender LPE flaw that allows attackers to gain SYSTEM privileges on a compromised system. UnDefend can be exploited by a standard user to block Microsoft Defender definition updates, effectively impairing the antivirus's ability to protect the system against new threats. The public availability of PoC exploits for these vulnerabilities, particularly through underground forums and researcher channels, has accelerated their weaponization.

Vulnerability Details

  • Vulnerability Names:
      • BlueHammer (CVE-2026-33825)
      • RedSun (unpatched)
      • UnDefend (unpatched)
  • Type:
      • BlueHammer: Local Privilege Escalation (LPE)
      • RedSun: Microsoft Defender Local Privilege Escalation (LPE)
      • UnDefend: Microsoft Defender Definition Update Disruption
  • Affected Products (RedSun):
      • Windows 10
      • Windows 11
      • Windows Server 2019 and later, where Windows Defender is enabled
  • Attack Vector (RedSun): The exploit abuses a behavior within Windows Defender. When Defender identifies a malicious file with a cloud tag, it attempts to rewrite the file back to its original location. The PoC exploits this mechanism to overwrite system files, leading to administrative privilege escalation. This demonstrates a subtle but important flaw: an intended security feature can itself be subverted.
  • Researcher: "Chaotic Eclipse" / "Nightmare-Eclipse." The researcher published the PoC code in protest of Microsoft's disclosure practices. This situation shows the complexities and differing perspectives within coordinated vulnerability disclosure (CVD) processes, where researchers and vendors may disagree on timelines or public release strategies. The rapid availability of PoC code emphasizes the need for dark web and Telegram threat monitoring services that track exploit availability as soon as it appears.

Exploitation and Impact

Huntress Labs security researchers confirmed observing all three zero-day exploits deployed in the wild. The BlueHammer vulnerability (CVE-2026-33825) was first seen exploited as early as April 10. Subsequent observations included UnDefend and RedSun exploits on a Windows device that had been compromised through a third-party access failure, specifically a compromised SSLVPN user account. This indicates "hands-on-keyboard" threat actor activity, a critical indicator of sophisticated, targeted attacks rather than automated widespread scans.

The impact of these exploits is significant. A local privilege escalation, such as those provided by BlueHammer and RedSun, allows an attacker to transform limited access into full system control. This complete control is a prerequisite for many advanced attack phases, including:

  • Data Exfiltration: Accessing and stealing sensitive information stored on the system.
  • Persistence: Installing backdoors or other mechanisms to maintain access even after reboots or security remediations.
  • Lateral Movement: Using the compromised system as a pivot point to access other systems within the network. This often precedes widespread network compromise, potentially leading to ransomware scenarios in which initial access is escalated to deploy encryption across the environment.
  • Malware Deployment: Installing additional malicious software, including ransomware variants, keyloggers, or cryptominers.

The exploitation of UnDefend, which disables Microsoft Defender definition updates, creates an immediate window of vulnerability. Even if other security controls are in place, a compromised endpoint's inability to receive the latest threat intelligence leaves it exposed to new and previously known malware. This type of defense evasion allows subsequent attack stages to proceed with reduced risk of detection, showing the importance of strong breach detection capabilities that do not rely solely on endpoint protection.

Microsoft's statement regarding its commitment to investigate security issues and update impacted devices, while supporting coordinated vulnerability disclosure, reflects ongoing industry challenges. The speed at which threat actors weaponize vulnerabilities upon public disclosure often outpaces patch development and deployment cycles. This gap calls for continuous threat intelligence gathering, with platforms such as PurpleOps monitoring underground forums and dark web sources for emerging threats.

Mitigation and Patches

For CVE-2026-33825 (BlueHammer), Microsoft has released a patch as part of its April 2026 security updates. Organizations should apply this update immediately to protect against active exploitation.

The other two zero-days, RedSun and UnDefend, remained unpatched at the time of the original reporting. This situation presents a significant risk, requiring organizations to implement interim mitigation strategies.

  • Patching Schedule:
      • CVE-2026-33825 (BlueHammer): Patched in the April 2026 security updates. Apply promptly.
      • RedSun & UnDefend: No official patch available at the time of reporting. Monitoring official Microsoft channels for updates is important.
  • Interim Mitigation Strategies for Unpatched Vulnerabilities:
      • Restrict User Privileges: Implement the principle of least privilege across all user accounts. Even though these are LPEs, limiting initial access reduces the overall attack surface and potential impact.
      • Enhanced Endpoint Detection and Response (EDR): Deploy and configure EDR solutions to detect anomalous behavior indicative of privilege escalation attempts. This includes monitoring for unexpected process creation, modifications to system files, and unusual access patterns.
      • Network Segmentation: Isolate critical assets and segment networks to contain potential breaches. If an LPE occurs on an endpoint, effective segmentation can prevent lateral movement to high-value targets.
      • Regular Security Audits: Conduct frequent security audits and penetration testing to identify and address weaknesses that could be exploited as an initial access vector for LPE attacks.
      • VPN Security Best Practices: Given that exploitation was observed via a compromised SSLVPN user, reinforce VPN security with multi-factor authentication (MFA), strong password policies, and continuous monitoring for suspicious login attempts.
      • Proactive Threat Hunting: Use a cyber threat intelligence platform to proactively hunt for indicators of compromise (IOCs) related to these specific exploits. This includes searching for known file hashes, network communication patterns, or process behaviors associated with BlueHammer, RedSun, and UnDefend.
      • Application Control/Whitelisting: Implement application control to prevent unauthorized executables from running, which can hinder the execution of exploit PoCs.
      • System Hardening: Apply general system hardening best practices to reduce the overall attack surface and make exploitation more difficult.
      • Monitoring Dark Web and Telegram Channels: Use dark web and Telegram threat monitoring services to stay informed about new exploit developments, discussions, and potential indicators of compromise for these unpatched vulnerabilities. PurpleOps provides such intelligence, ensuring early awareness.
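As an added example that is not part of the original article or of any PurpleOps tooling, the following PowerShell check covers two of the points above on a single host: it flags stale Defender definitions (the symptom UnDefend produces) and a disabled protection state, and it summarizes recent Defender operational events that an EDR analyst or threat hunter would review. The function name, the thresholds and the lookback window are assumptions; the cmdlets and event IDs are Microsoft-documented.

```powershell
# Added example, not from the original article: a per-host Defender health check.
# Assumptions: elevated PowerShell on Windows 10/11 or Server 2019+ with Microsoft
# Defender enabled; the thresholds below are placeholders to tune to local policy.
function Test-DefenderHealth {
    param(
        [int]$MaxSignatureAgeDays = 2,   # assumed: definitions normally refresh daily or faster
        [int]$LookbackHours       = 24   # assumed: review window for Defender operational events
    )

    $status   = Get-MpComputerStatus
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Definition freshness. UnDefend blocks definition updates, so a rising
    #    signature age on a host that is online is worth investigating.
    $sigAge = [int]$status.AntivirusSignatureAge
    if ($sigAge -gt $MaxSignatureAgeDays) {
        $findings.Add(("Definitions are {0} day(s) old (last updated {1}, version {2})" -f $sigAge, $status.AntivirusSignatureLastUpdated, $status.AntivirusSignatureVersion))
    }

    # 2. Protection state: confirm the engine and real-time protection are still on.
    if (-not $status.AntivirusEnabled)          { $findings.Add("Antivirus engine disabled") }
    if (-not $status.RealTimeProtectionEnabled) { $findings.Add("Real-time protection disabled") }

    # 3. Recent Defender operational events. Documented event IDs used here:
    #    1116 malware detected, 1117 remediation action taken, 2001 definition
    #    update failed, 5001 real-time protection disabled, 5010 scanning disabled.
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1116, 1117, 2001, 5001, 5010
        StartTime = (Get-Date).AddHours(-$LookbackHours)
    } -ErrorAction SilentlyContinue

    foreach ($group in ($events | Group-Object Id)) {
        $findings.Add(("{0} x Event {1} in the last {2}h" -f $group.Count, $group.Name, $LookbackHours))
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        SignatureAge = $sigAge
        Findings     = $findings
        # Raw events are kept so an analyst can inspect the paths named in 1117 remediation messages.
        Events       = $events | Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
    }
}

# Usage: an empty Findings list means nothing stood out in this window.
$report = Test-DefenderHealth
$report.Findings
$report.Events | Format-Table -AutoSize
```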

Technical Takeaways

  • CVE-2026-33825 (BlueHammer) is a Windows LPE flaw that was actively exploited and has since been patched.
  • RedSun and UnDefend are additional Windows zero-days, unpatched at the time of reporting, also undergoing active exploitation.
  • RedSun grants SYSTEM privileges by exploiting a flaw in Windows Defender's file rewriting logic on Windows 10, 11, and Server 2019+.
  • UnDefend allows standard users to block Microsoft Defender definition updates, effectively disabling critical security functions.
  • Initial access for observed exploitation included compromised SSLVPN users, indicating "hands-on-keyboard" threat actor activity.
  • The rapid weaponization of these publicly disclosed vulnerabilities shows the gap between public disclosure and patch availability.