Critical Zero-Day Flaws in Microsoft Defender Exploited for Admin Access as Exploit Code Goes Public
April 18, 2026
Public exploit code from groups like Chaotic Eclipse is aiding threat actors in weaponizing the flaws for in-the-wild attacks, raising urgency.
Three recently disclosed zero-day flaws in Microsoft Defender on Windows (BlueHammer, RedSun, and UnDefend) are being exploited on compromised systems to elevate privileges, allowing attackers to obtain administrator access on affected machines.
Hackers publicly disclosed these flaws over the past two weeks, and exploitation has already begun: at least one organization has been compromised.
It remains unclear who the targets and the attackers are; TechCrunch has reported on the activity, and Microsoft spokespersons have commented on the disclosure process.
Huntress reports isolating affected organizations to prevent further post-exploitation, and The Hacker News has sought comment from Microsoft.
The disclosures reflect a broader full-disclosure practice in cybersecurity, where researchers publish details and PoC code to pressure patches, while also risking weaponization by criminals.
Published proof-of-concept details include a Defender alert on the EICAR test file triggered by RedSun.exe, illustrating the attack technique.
Microsoft emphasizes coordinated vulnerability disclosure, stressing careful investigation and timely patching to protect customers.
Security Affairs, with attribution to Pierluigi Paganini, is providing ongoing coverage of the Microsoft Defender vulnerabilities.
Experts note the risk of rapid weaponization once exploit code becomes public, with researchers observing active exploitation.
Huntress researchers warn that readily available exploit tooling can accelerate attacks, creating a difficult tug-of-war between defenders and criminals.
Summary based on 3 sources
Sources

TechCrunch • Apr 17, 2026
Hackers are abusing unpatched Windows security flaws to hack into organizations
The Hacker News • Apr 17, 2026
Three Microsoft Defender Zero-Days Actively Exploited; Two Still Unpatched
Security Affairs • Apr 18, 2026
Microsoft Defender under attack as three zero-days, two of them still unpatched, enable elevated access