Over roughly six weeks this spring, a researcher operating as Chaotic Eclipse published working exploit code for six Windows and Defender zero-day vulnerabilities, none of them shared with Microsoft first.
Several remain unpatched, and security firm Huntress confirmed at least three were exploited in real-world attacks within days of release.
The cluster, named BlueHammer, RedSun, UnDefend, YellowKey, GreenPlasma, and MiniPlasma, ranged from privilege-escalation flaws that hand an attacker SYSTEM-level control to a BitLocker bypass and a tool that quietly degrades Defender.
Microsoft has patched three of the six so far, with RedSun and UnDefend fixed in an out-of-band update on May 21 after weeks of active exploitation. The other three remain without a fix, and MiniPlasma reportedly grants SYSTEM access even on fully updated Windows 11.
That is the core problem with uncoordinated disclosure. When proof-of-concept (PoC) code goes public before a fix exists, the gap between a disclosure and its exploitation can be measured in days. Huntress observed attackers adopting the RedSun and UnDefend code within about a week of release.
Microsoft responded by urging researchers to follow coordinated disclosure practices, calling it “a shared responsibility.”
Why This Could Get Much Worse
For context, Coordinated Vulnerability Disclosure (CVD), the norm that asks researchers to give vendors time to patch before going public, depends on serious flaws being hard enough to find that few people do. That assumption is weakening.
Vulnerability discovery is getting faster and cheaper, driven in part by AI-based tooling. Google Threat Intelligence Group recently documented the first zero-day it believes was built using AI, and Microsoft’s own MDASH research showed an AI system surfacing 16 new Windows flaws.
The capability that helps defenders find bugs at scale also lowers the barrier for everyone else. Chaotic Eclipse is one motivated individual; the structural worry is what happens when that capability is widely available.
What Defenders Should Do Now
The first job is patching what can be patched. RedSun and UnDefend (CVE-2026-41091 and CVE-2026-45498) were added to CISA’s Known Exploited Vulnerabilities catalog on May 20, with a June 3 federal deadline. Both, along with BlueHammer, are resolved by current updates and should be applied across all Windows endpoints.
The Microsoft Security Response Center advisory channel is the place to watch for fixes to the three flaws that remain open.
For those, compensating controls matter more than usual. Because these tools turn a low-level foothold into full SYSTEM access, treat any initial compromise as a possible route to complete takeover, and apply Microsoft’s published mitigations where no patch yet exists.
Monitoring for the behaviors they produce is more reliable than waiting on signatures.
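As an added example (not code from the article, Microsoft or Huntress), here is a PowerShell check an administrator could run on a Windows endpoint to cover two of the steps above: confirm Defender has not been quietly degraded, and confirm the update that resolves the patched flaws is installed. The KB identifier is a placeholder, since the article does not name it; take it from the MSRC advisory.

```powershell
# Added example, not from the article. Run in an elevated PowerShell session.
# Placeholder: replace with the KB number(s) from the MSRC advisory for
# CVE-2026-41091 / CVE-2026-45498 (the article does not list them).
$RequiredHotfixes = @('KB-PLACEHOLDER')

function Test-DefenderHealth {
    # Look for the kind of silent degradation the article describes: protection
    # features switched off, passive running mode, tamper protection disabled,
    # broad exclusions, or stale signatures.
    $s = Get-MpComputerStatus
    $p = Get-MpPreference
    $findings = @()
    if (-not $s.AntivirusEnabled)          { $findings += 'Antivirus engine disabled' }
    if (-not $s.RealTimeProtectionEnabled) { $findings += 'Real-time protection off' }
    if (-not $s.BehaviorMonitorEnabled)    { $findings += 'Behavior monitoring off' }
    if (-not $s.IsTamperProtected)         { $findings += 'Tamper protection off' }
    if ($s.AMRunningMode -ne 'Normal')     { $findings += "Running mode is '$($s.AMRunningMode)'" }
    if ($p.DisableRealtimeMonitoring)      { $findings += 'DisableRealtimeMonitoring preference is set' }
    if ($p.ExclusionPath)                  { $findings += "Path exclusions present: $($p.ExclusionPath -join ', ')" }
    if ($s.AntivirusSignatureLastUpdated -lt (Get-Date).AddDays(-3)) {
        $findings += "Signatures last updated $($s.AntivirusSignatureLastUpdated)"
    }
    return $findings
}

function Test-RequiredHotfixes {
    # Return any required KB that Get-HotFix does not report as installed.
    $installed = (Get-HotFix).HotFixID
    return @($RequiredHotfixes | Where-Object { $_ -notin $installed })
}

$defenderFindings = @(Test-DefenderHealth)
$missingUpdates   = Test-RequiredHotfixes

if ($defenderFindings.Count -eq 0 -and $missingUpdates.Count -eq 0) {
    Write-Output 'OK: Defender healthy and required updates present'
} else {
    $defenderFindings | ForEach-Object { Write-Output "DEFENDER: $_" }
    $missingUpdates   | ForEach-Object { Write-Output "MISSING UPDATE: $_" }
    exit 1
}
```

A non-zero exit code makes the script usable from a scheduled task or an RMM tool, so a fleet can be swept rather than checked one host at a time.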