Attackers Are Using Unpatched Windows Vulnerabilities

Hackers have breached at least one organization by exploiting Windows vulnerabilities that were published online over the past two weeks, according to a cybersecurity firm.

Huntress said its researchers observed attackers taking advantage of three Windows security flaws known as BlueHammer, UnDefend, and RedSun. It is not clear who was targeted in the attack or who carried it out.

Among the three flaws, BlueHammer is the only one Microsoft has patched so far. A fix for BlueHammer was released earlier this week.

Published Exploit Code Appears to Be Driving the Attacks

The activity appears to rely on exploit code published online by a security researcher.

Earlier this month, a researcher using the name Chaotic Eclipse posted what they said was code to exploit an unpatched Windows vulnerability. The researcher suggested that conflict with Microsoft was behind the decision to release the code publicly.

Days later, Chaotic Eclipse published UnDefend, and earlier this week RedSun. The researcher also posted exploit code for all three vulnerabilities on their GitHub page.

How BlueHammer, UnDefend, and RedSun Affect Windows Defender

All three vulnerabilities affect Windows Defender, Microsoft’s antivirus software.

According to the reporting, the flaws can allow a hacker to gain high-level or administrator access on a vulnerable Windows computer. That level of access can make these bugs especially dangerous when exploit code is already available for others to use.

Why Full Disclosure Can Escalate Security Risk

Microsoft said it supports coordinated vulnerability disclosure, an industry practice designed to give companies time to investigate and fix security problems before technical details are made public.

Under that model, a researcher reports a flaw to the software maker, the issue is reviewed, and if it is legitimate, work begins on a patch. In many cases, both sides agree on a timeline for when the researcher can later disclose the vulnerability publicly.

This case reflects what the cybersecurity industry calls full disclosure. That happens when vulnerability details are released publicly before a fix is broadly available. In some situations, researchers go further and publish proof-of-concept code that can demonstrate how the flaw works.

Once exploit code is public, cybercriminals, government hackers, and others can take that code and adapt it for real attacks. That forces defenders to respond quickly.

Security Defenders Are Now in a Race Against Attackers

John Hammond, a Huntress researcher tracking the case, described the situation as a renewed struggle between defenders and cybercriminals.

He said the public availability of these exploits, combined with the fact that they have already been weaponized for easy use, creates another tug-of-war between attackers and defenders. He also said scenarios like this force defenders into a rapid response as malicious actors move quickly to abuse ready-made tooling.

That pressure becomes even more serious when the exploit code is simple to access and already prepared for offensive use.

Microsoft’s Position on the Vulnerability Disclosure Process

In response to questions, Microsoft said it supports coordinated disclosure because it helps ensure issues are carefully investigated and addressed before public disclosure. The company said this approach supports both customer protection and the broader security research community.

That response highlights the gap between the coordinated process Microsoft endorses and the public release path taken in this case.

What Is Known and What Remains Unclear

What is confirmed

Huntress said attackers are exploiting BlueHammer, UnDefend, and RedSun.

At least one organization has been compromised using these Windows vulnerabilities.

BlueHammer has been patched by Microsoft.

All three flaws affect Windows Defender and can provide high-level or administrator access to an affected system.

What remains unknown

It is unclear who the attackers are.

It is unclear which organization was targeted.

It is also unclear beyond the public reporting how broadly these exploits are being used.