Hackers exploit unpatched Windows vulnerabilities to breach organisations

Hackers are targeting unpatched Windows security flaws to access organisations, exposing systems to data breaches, malware, and cyberattacks.

Apr 24, 2026 - 09:15
Apr 24, 2026 - 09:25

Hackers have successfully breached at least one organization by exploiting recently disclosed Windows vulnerabilities made public by a frustrated security researcher, according to findings shared by Huntress.

In a series of updates posted on X on Friday, Huntress researchers said attackers are actively exploiting three separate Windows security flaws — BlueHammer, UnDefend, and RedSun — to gain unauthorized access to systems. The identity of the targeted organization remains unknown, and the individuals or groups behind the attacks have not yet been identified.

Among the three vulnerabilities, only BlueHammer has been addressed so far. Microsoft released a patch for that specific flaw earlier this week, while the other two vulnerabilities remain unpatched as of this reporting.

The attacks appear to rely on exploit code that was publicly shared online. Earlier this month, a security researcher operating under the name Chaotic Eclipse published what they described as working exploit code targeting an unpatched Windows vulnerability. The researcher indicated that the release was linked to a dispute with Microsoft.

“I was not bluffing Microsoft, and I’m doing it again,” the researcher wrote in a blog post, adding sarcastic thanks to Microsoft’s Security Response Center leadership for the situation. In the days that followed, the same researcher released additional exploit code for two more vulnerabilities, UnDefend and RedSun, making all three available through a public GitHub repository.

Each of these vulnerabilities affects Windows Defender, Microsoft’s built-in antivirus system, and can allow attackers to gain elevated or administrator-level privileges on compromised machines. This level of access can enable hackers to control systems, access sensitive data, and deploy further malicious activity.

Responding to questions about the situation, Microsoft communications director Ben emphasized the company’s support for coordinated vulnerability disclosure. This industry-standard process encourages researchers to report security flaws privately so that companies can investigate and fix issues before they are publicly revealed, helping protect users and maintain system security.

The current situation reflects what is known in cybersecurity as “full disclosure.” Typically, researchers notify software vendors of vulnerabilities and agree on a timeline for public disclosure after fixes are prepared. However, when communication breaks down, some researchers choose to release details — and sometimes functional exploit code — directly to the public.

When proof-of-concept code is shared openly, it can quickly be adopted by malicious actors, including cybercriminals and state-sponsored hackers. This often forces security teams to respond urgently, as the availability of ready-made exploit tools lowers the barrier for launching attacks.

John Hammond of Huntress, who has been closely monitoring the situation, noted that the widespread availability of these exploits has intensified the ongoing struggle between attackers and defenders.

“With these being so easily available now, and already weaponized for easy use, for better or for worse I think that ultimately puts us in another tug-of-war match between defenders and cybercriminals,” Hammond said.

He added that situations like this create a race against time, where defenders must act quickly to secure systems while attackers move just as rapidly to exploit vulnerabilities. The existence of ready-to-use exploit tools, he explained, significantly accelerates the pace at which such attacks can be carried out.

Shivangi Yadav reports on startups, technology policy, and other significant technology-focused developments in India for TechAmerica.Ai. She previously worked as a research intern at ORF.