
Windows zero-days now exploited in real-world attacks

BleepingComputer

Three recently disclosed Windows security flaws have moved from proof-of-concept code into live attacks, according to new findings from Huntress. That shift matters because two of the issues still do not have a full Microsoft patch, while the third has only just been addressed in April's updates.

What attackers are using

The activity centers on three exploit chains released by a researcher who publicly criticized Microsoft's disclosure process. Two of them target Microsoft Defender to gain local privilege escalation, and the third lets a standard user stop Defender definition updates.

Huntress says it has now seen all three techniques used in the wild. In one observed intrusion, the exploits appeared alongside hands-on-keyboard activity after a compromised SSL VPN account was used to enter the environment.

Why this is a serious Windows security story

The most important detail is not just that code is public, but that attackers are actively operationalizing it. One of the flaws, tracked as CVE-2026-33825 and nicknamed BlueHammer, has been patched. The other two, often referred to as RedSun and UnDefend, remain unresolved.

That leaves defenders in an uncomfortable gap. Even organizations that move quickly on Patch Tuesday may still face risk if attackers chain these techniques after initial access, especially on systems where Microsoft Defender is enabled by default.

What admins should do now

Security teams should treat this as a live privilege-escalation risk, not a theoretical lab exercise. Priority steps include reviewing recent endpoint alerts, tightening access around remote entry points such as VPN accounts, and watching for signs of Defender tampering or unexpected elevation to SYSTEM.

Until Microsoft ships fixes for the remaining issues, visibility and containment matter more than usual. For Windows admins, this is one of those moments where hardening identity and endpoint monitoring can make the difference between a contained incident and a much deeper compromise.
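As an added example (not from the article, Huntress, or BleepingComputer), the following PowerShell triage script covers the two signals the advice above calls out for Defender: whether protection or definition updates have been tampered with, and whether the Defender operational log recorded recent disable/update-failure events. It assumes a Windows 10/11 or Server host running Microsoft Defender Antivirus and an elevated session; the lookback and signature-age thresholds are arbitrary defaults.

```powershell
# Added triage script (not from the article): summarise Defender health and
# recent tampering-related events on the local host. Assumes Windows 10/11 or
# Server with Microsoft Defender Antivirus and an elevated PowerShell session.
param(
    [int]$LookbackHours = 24,      # how far back to search the Defender event log
    [int]$MaxSignatureAgeDays = 2  # signatures older than this are flagged
)

$status = Get-MpComputerStatus
$pref   = Get-MpPreference

$findings = @()
if (-not $status.AntivirusEnabled)          { $findings += 'Antivirus engine disabled' }
if (-not $status.RealTimeProtectionEnabled) { $findings += 'Real-time protection disabled' }
if (-not $status.IsTamperProtected)         { $findings += 'Tamper Protection is off' }
if ($pref.DisableRealtimeMonitoring)        { $findings += 'DisableRealtimeMonitoring preference set' }
if ($status.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
    $findings += "Signatures are $($status.AntivirusSignatureAge) days old (last update $($status.AntivirusSignatureLastUpdated))"
}

# Defender operational log event IDs that indicate protection or update problems:
#   5001 real-time protection disabled, 5010/5012 scanning disabled,
#   5007 configuration changed, 2001 signature update failed, 1116 malware detected
$eventIds = 5001, 5010, 5012, 5007, 2001, 1116
$events = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = $eventIds
    StartTime = (Get-Date).AddHours(-$LookbackHours)
}

# One summary object per host; pipe to Export-Csv or a SIEM forwarder as needed.
[pscustomobject]@{
    Computer        = $env:COMPUTERNAME
    SignatureDate   = $status.AntivirusSignatureLastUpdated
    TamperProtected = $status.IsTamperProtected
    Findings        = $findings
    RecentEvents    = $events | Select-Object TimeCreated, Id,
                        @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } }
}
```

An empty Findings list with no recent events is the expected baseline; a stale signature date or a burst of 5001/5007/2001 events shortly after a VPN logon is the kind of pattern worth escalating.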

Originally reported by BleepingComputer. Read the original article for additional details.
