Three working Windows exploits were published in protest on May 13. All three are now confirmed in active attacks. Here's what happened and what you need to do.
On May 13, a security researcher going by the alias "Chaotic Eclipse" did something unusual: they published three working Windows exploits not because they were trying to help defenders, but because they were fed up with being ignored. In a short post, the researcher wrote "I was not bluffing Microsoft, and I'm doing it again" — then dropped proof-of-concept code for three separate vulnerabilities. No advance warning. No coordinated disclosure. Just functional exploit code, available to anyone who wanted it.
Within days, Huntress Labs confirmed all three techniques being used in active attacks against real organizations. The window between "exploit code published" and "exploit code weaponized" has gotten very short. For unmanaged Windows machines — exactly the kind that populate small businesses and churches — that window matters.
Understanding what these exploits do helps clarify the actual risk. They're not all the same kind of problem, and they don't all have patches yet.
| Name | CVE | What It Does | Status |
|---|---|---|---|
| BlueHammer | CVE-2026-33825 | Local privilege escalation — a standard user can gain full SYSTEM access by exploiting a time-of-check/time-of-use race condition in Windows' access to the Security Account Manager (SAM) database, which stores local account password hashes. | Patched April 14 |
| RedSun | Unassigned | Microsoft Defender privilege escalation — even after applying April patches, an attacker can exploit a Defender-specific flaw to gain SYSTEM privileges on Windows 10, 11, and Server 2019+. | No patch yet |
| UnDefend | Unassigned | A standard user account (no admin rights needed) can block Windows Defender from receiving definition updates — effectively disabling real-time threat detection without triggering an alert. | No patch yet |
The combination is the problem. An attacker who has any foothold on a Windows machine — even a standard user account — can chain these together: use BlueHammer (or RedSun) to escalate to SYSTEM, then use UnDefend to block Defender updates and silence the primary detection layer. From there, the machine is effectively owned.
When a vulnerability gets officially disclosed, there's a standard timeline: researchers notify the vendor, the vendor patches, then the details come out. That gap — sometimes weeks, sometimes months — gives organizations time to patch before attackers have working code to use.
When working exploit code leaks publicly before or alongside a patch, that timeline collapses. Instead of weeks, defenders get hours — if that. Attackers who monitor security forums and GitHub can have automated scanners testing for vulnerable machines within a day of a public release.
> "The gap between 'exploit code published' and 'exploit code in active use' is now measured in hours, not weeks. Unmanaged machines are the first to be scanned."
Organizations with managed IT — where someone is monitoring patch status and pushing updates — are in a much better position here. They may not be immune, but they're not the easy targets. The easy targets are the machines running Windows on a guest network somewhere, the office PC that hasn't rebooted in three months, the point-of-sale system that nobody thinks about until it stops working.
Small businesses and churches tend to have exactly those machines. Budget constraints mean fewer managed devices. Staff turnover means fewer people who know what's running where. And "if it ain't broke" thinking means patches often wait.
It's worth understanding what Chaotic Eclipse was protesting, because the pattern matters beyond this specific incident.
BlueHammer (CVE-2026-33825) was actually disclosed to Microsoft months before the May leak. Microsoft eventually patched it on April 14 as part of that month's Patch Tuesday — but by April 10, the vulnerability was already being exploited in the wild, meaning attackers had independently discovered or obtained it before Microsoft's patch shipped. CISA added BlueHammer to its Known Exploited Vulnerabilities catalog and ordered federal agencies to patch by May 7.
That sequence — researcher finds bug, Microsoft takes months to patch, bug gets exploited before the patch, researcher loses patience — is what produced the May 13 leak of RedSun and UnDefend. Whatever you think of the researcher's approach, the practical result is two more unpatched Windows vulnerabilities now being used in active attacks, with no official fix available.
There's no single action that neutralizes all three of these. That's the uncomfortable reality when two of the three have no patch. But there are specific steps that reduce your exposure significantly.
For RedSun and UnDefend specifically: there's no patch, so the general mitigations — standard user accounts for day-to-day work, endpoint monitoring that watches Defender's health rather than just its on/off state, and keeping everything else current — are what you have. Microsoft is aware and presumably working on fixes. When those patches arrive, treat them as critical and apply immediately.
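To make those mitigations checkable, here is an added example (written for this post, not code from the original article or from Microsoft) of a read-only exposure report an admin can run on each Windows machine. It looks for the things the post describes: Defender signature age and logged update failures (the symptom UnDefend produces), whether any update has been installed since the April 14 Patch Tuesday that fixed BlueHammer, whether the everyday account sits in the local Administrators group, and how long the box has gone without a reboot. The cmdlets used are standard Windows PowerShell; the 2-day signature and 30-day uptime thresholds are assumptions to tune for your environment, and the script must run from an elevated prompt for the group and event-log queries to succeed.

```powershell
# Added example, not from the original post. Read-only exposure check for one
# Windows machine; run from an elevated PowerShell prompt. Thresholds below are
# assumptions, not Microsoft guidance.

function Get-WindowsExposureReport {
    param(
        # Patch Tuesday that shipped the BlueHammer (CVE-2026-33825) fix, per the post.
        [datetime]$PatchBaseline = '2026-04-14',
        # Assumed thresholds; tune for your environment.
        [int]$MaxSignatureAgeDays = 2,
        [int]$MaxUptimeDays = 30
    )

    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Defender health. A machine whose definition updates are being blocked
    #    still reports real-time protection as enabled, so check signature age
    #    rather than only the on/off flag.
    $mp = Get-MpComputerStatus
    if (-not $mp.RealTimeProtectionEnabled) {
        $findings.Add('Defender real-time protection is OFF')
    }
    if ($mp.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
        $findings.Add("Defender signatures are $($mp.AntivirusSignatureAge) days old (last updated $($mp.AntivirusSignatureLastUpdated))")
    }

    # 2. Defender operational log: Event ID 2001 = security intelligence update failed.
    $failed = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 2001
        StartTime = (Get-Date).AddDays(-7)
    }
    if ($failed) {
        $findings.Add("$(@($failed).Count) Defender definition update failures in the last 7 days")
    }

    # 3. Patch level: has anything been installed since the April baseline?
    $recent = Get-HotFix | Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $PatchBaseline }
    if (-not $recent) {
        $findings.Add("No updates installed since $($PatchBaseline.ToShortDateString())")
    }

    # 4. Least privilege: is the interactive user a member of local Administrators?
    $me = [Security.Principal.WindowsIdentity]::GetCurrent().Name
    $admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty Name
    if ($admins -contains $me) {
        $findings.Add("Current user $me is a local administrator")
    }

    # 5. Uptime: a box that never reboots cannot finish applying a pending cumulative update.
    $os = Get-CimInstance Win32_OperatingSystem
    $uptimeDays = [int]((Get-Date) - $os.LastBootUpTime).TotalDays
    if ($uptimeDays -gt $MaxUptimeDays) {
        $findings.Add("Last reboot was $uptimeDays days ago")
    }

    [pscustomobject]@{
        Computer          = $env:COMPUTERNAME
        SignatureAgeDays  = $mp.AntivirusSignatureAge
        UpdatesSincePatch = @($recent).Count
        UptimeDays        = $uptimeDays
        Findings          = $findings
        Exposed           = ($findings.Count -gt 0)
    }
}

Get-WindowsExposureReport | Format-List
```

Any entry in `Findings` is something to fix that week: an empty list means the machine is patched past the BlueHammer fix, Defender is updating, the daily account is not an admin, and the box has rebooted recently. Running the function from a management tool across every machine and collecting the `Exposed` flag is the simplest form of the endpoint monitoring the post recommends.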
The broader lesson from this incident is one we've covered in different forms before. Whether it's attackers impersonating your IT provider or researchers leaking exploits in frustration, the attack surface for organizations without proactive IT management keeps expanding. Managed patching isn't about any single vulnerability — it's about ensuring that when working exploit code appears on a Tuesday morning, your machines aren't still exposed by Friday.
If you're not sure where your Windows systems stand on April and May patches, that's a conversation worth having this week — not next month.
WCW handles patch management, endpoint monitoring, and vulnerability response for small businesses and churches across Southwest Ohio — so your machines are covered before the next Chaotic Eclipse shows up.