Hackers Exploit Unpatched Windows Vulnerabilities After Security Researcher Publishes Exploit Code

Cybersecurity firm Huntress has confirmed that hackers are actively exploiting three Windows security flaws after a disgruntled researcher released exploit code online. The attacks have already breached at least one organization, according to the company’s findings shared on X.

The vulnerabilities, named BlueHammer, UnDefend, and RedSun, all target Microsoft’s Windows Defender antivirus software. Each flaw allows attackers to gain administrator-level access to affected Windows systems, posing a serious risk to enterprises and individuals alike.

What Are the Three Windows Security Flaws?

Of the three bugs, only BlueHammer has received a patch from Microsoft, which was rolled out earlier this week. The other two—UnDefend and RedSun—remain unpatched, leaving systems exposed.

The exploit code for all three vulnerabilities was published by a researcher known as Chaotic Eclipse. The researcher first posted code for an unpatched Windows flaw on their blog, citing a conflict with Microsoft’s Security Response Center (MSRC) as motivation. “I was not bluffing Microsoft and I’m doing it again,” they wrote, adding sarcastic thanks to MSRC leadership.

How Are Hackers Using These Exploits?

Huntress researchers observed that attackers are leveraging the published proof-of-concept code to launch attacks. John Hammond, a Huntress researcher tracking the case, told TechCrunch that the ready-made nature of the exploits accelerates the threat. “With these being so easily available now, and already weaponized for easy use, for better or for worse I think that ultimately puts us in another tug-of-war match between defenders and cybercriminals,” he said.

This scenario highlights the dangers of full disclosure, where researchers release exploit code after communication breakdowns with software vendors. When such code goes public, cybercriminals and state-sponsored hackers can quickly weaponize it, forcing defenders into a reactive race.

Microsoft’s Response and the Full Disclosure Debate

Microsoft responded to inquiries with a statement from communications director Ben Hope, emphasizing the company’s support for coordinated vulnerability disclosure. “We support coordinated vulnerability disclosure, a widely adopted industry practice that helps ensure issues are carefully investigated and addressed before public disclosure,” he said.

However, the case underscores the tension between researchers and vendors. When negotiations fail, some researchers opt for full disclosure, publishing exploit code to pressure companies into action. This approach, while controversial, can expose critical flaws faster—but also arms malicious actors.

What Should Organizations Do Now?

For IT teams, the priority is applying the BlueHammer patch immediately and monitoring for signs of exploitation. Until Microsoft releases fixes for UnDefend and RedSun, administrators should consider additional security layers, such as endpoint detection and response tools.

Building on this, organizations can also review their cybersecurity best practices to strengthen defenses against zero-day exploits. Regularly updating software and restricting admin privileges are essential steps.
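The three steps the article recommends (confirm the patch, check that Defender is current, and keep local administrator membership tight) can be audited from one read-only script. The following PowerShell is an added example, not code from the article or from Huntress or Microsoft. It assumes an elevated session on a Windows host with the built-in Defender and LocalAccounts modules, and because the article names no KB number for the BlueHammer fix, `$BlueHammerKB` is a placeholder that must be replaced with the identifier from Microsoft's advisory.

```powershell
# Added example (not from the article): read-only audit of the controls the
# article recommends: Defender freshness, installed updates, local admin membership.
# Assumptions: elevated PowerShell on Windows 10/11 or Server with the
# Defender and Microsoft.PowerShell.LocalAccounts modules available.
param(
    # PLACEHOLDER: the article gives no KB number; take the real one from Microsoft's advisory.
    [string]$BlueHammerKB = "KB0000000"
)

# 1. Defender state: real-time protection on, engine and signatures recent?
$mp = Get-MpComputerStatus
[pscustomobject]@{
    RealTimeProtection = $mp.RealTimeProtectionEnabled
    EngineVersion      = $mp.AMEngineVersion
    SignatureVersion   = $mp.AntivirusSignatureVersion
    SignatureAgeDays   = (New-TimeSpan -Start $mp.AntivirusSignatureLastUpdated -End (Get-Date)).Days
} | Format-List

# 2. Patch state: is the BlueHammer fix (placeholder KB) installed?
$fix = Get-HotFix -Id $BlueHammerKB -ErrorAction SilentlyContinue
if ($fix) {
    Write-Output "Fix $BlueHammerKB installed on $($fix.InstalledOn)"
} else {
    Write-Warning "Fix $BlueHammerKB not found; apply it before anything else"
}

# 3. Least privilege: list local Administrators and flag members outside
# an expected baseline (adjust $expected to your environment).
$expected = @('Administrator', 'Domain Admins')
Get-LocalGroupMember -Group 'Administrators' |
    ForEach-Object {
        $short = ($_.Name -split '\\')[-1]
        [pscustomobject]@{
            Member     = $_.Name
            Source     = $_.PrincipalSource
            Unexpected = -not ($expected -contains $short)
        }
    } |
    Sort-Object -Property Unexpected -Descending |
    Format-Table -AutoSize
```

Run it per host (or push it through your RMM/EDR scripting channel) and treat a stale signature date, a missing fix, or an unexpected admin member as a ticket, not just console output; the Defender-targeting flaws described here make the signature and engine versions worth tracking as closely as the patch itself.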

The Bigger Picture: A Growing Trend

This incident is not isolated. In recent years, similar full-disclosure events have led to widespread attacks, such as the EternalBlue exploit that fueled ransomware outbreaks. As researchers and vendors clash, the cybersecurity community must find a balance between transparency and safety.

Meanwhile, Huntress continues to monitor the situation. “Scenarios like these cause us to race with our adversaries; defenders frantically try to protect against ill-intended actors who rapidly take advantage of these exploits,” Hammond added.

For now, the message is clear: unpatched Windows security flaws are a ticking time bomb, and the clock is running faster than ever.
