Hackers have already managed to break into at least one organization by exploiting newly exposed Windows vulnerabilities that were published online by a frustrated security researcher, according to findings from cybersecurity firm Huntress.

The activity has been unfolding over the past couple of weeks, raising concerns across the security community.

Huntress revealed in a series of posts on X that attackers are actively using three separate Windows flaws, now known as BlueHammer, UnDefend, and RedSun. While the exact target remains unclear and the identities of the hackers are still unknown, the situation highlights how quickly publicly shared exploit code can turn into real-world attacks.

Out of the three vulnerabilities, only BlueHammer has received a patch from Microsoft so far. The company released a fix for it earlier this week, but the other two flaws remain unpatched at the time of reporting, leaving systems potentially exposed.

The attacks appear to rely heavily on exploit code that was openly published by a researcher using the name Chaotic Eclipse. Earlier this month, the researcher shared code on their blog claiming it could take advantage of an unpatched Windows vulnerability. The post hinted at frustration with Microsoft, suggesting a breakdown in communication between the researcher and the company.

The researcher made their stance clear, writing that they were not bluffing Microsoft and would continue releasing such material. They even thanked Microsoft’s Security Response Center leadership in a tone that suggested dissatisfaction with how the issue had been handled.

Not long after the initial disclosure, Chaotic Eclipse released additional exploit code for UnDefend and RedSun, uploading all three to GitHub. Each of these vulnerabilities affects Windows Defender, Microsoft’s built-in antivirus system, and can allow attackers to gain elevated or even full administrative access to targeted machines.

Attempts to contact the researcher were unsuccessful. Meanwhile, Microsoft responded by emphasizing its support for coordinated vulnerability disclosure, a process where researchers privately report flaws so companies can investigate and fix them before details are made public.

What’s happening here is a classic example of what the cybersecurity world calls full disclosure. Normally, researchers and companies agree on a timeline that balances transparency with user safety. But when that coordination fails, vulnerabilities can be exposed publicly before fixes are ready, sometimes alongside proof-of-concept code that demonstrates how to exploit them.

That is exactly what seems to have happened in this case. Once such code is out in the open, it does not take long for malicious actors to adapt it into usable attack tools. Security teams are then forced into a reactive position, scrambling to defend systems while attackers move quickly to exploit the gaps.

John Hammond from Huntress described the situation as a familiar but dangerous race. With ready-made exploit tools now circulating, defenders are pushed into a constant struggle to keep up with attackers who can rapidly deploy these vulnerabilities in real environments.