Three Windows security vulnerabilities that entered public circulation through a researcher-published exploit leak are now being actively exploited in the wild, with threat actors leveraging them to gain SYSTEM-level or elevated administrator privileges on compromised Windows machines.
The flaws represent a troubling pattern: vulnerabilities that originated from a disgruntled security researcher's unauthorized public disclosure are being rapidly weaponized before all mitigations are fully deployed across affected enterprise environments.
What Was Leaked
The vulnerabilities trace back to the BlueHammer disclosure incident in early April 2026, in which a security researcher — reportedly frustrated with Microsoft's vulnerability handling — published working exploit code for a Windows privilege escalation flaw before Microsoft had issued a patch.
The BlueHammer leak (CVE-2026-33825) was subsequently followed by disclosure of two additional related flaws. Together, the three vulnerabilities allow local attackers — or malware already running on a system with standard user privileges — to escalate to SYSTEM, the highest privilege level in Windows, granting full control of the operating system.
Active Exploitation Confirmed
BleepingComputer reports that threat actors have incorporated at least one of the leaked exploits into active attack campaigns. The exploitation has been observed in post-initial-access scenarios: attackers who have already gained a foothold via phishing, supply chain compromise, or credential theft are now using the leaked privilege escalation exploits to elevate privileges and achieve full system control.
Key details confirmed:
- Affected platforms: Windows 10, Windows 11, Windows Server 2019, and Windows Server 2022
- Prerequisite: Some degree of local access (standard user account or limited malware execution)
- Goal: SYSTEM-level privilege escalation enabling full OS control, credential dumping, and lateral movement
- Patch status: April 2026 Patch Tuesday addressed some — but not all — of the disclosed variants
The RedSun Complication
A separate but related flaw, dubbed RedSun, affects systems where Windows Defender is active. Unlike the BlueHammer variants patched in April's Patch Tuesday, the RedSun privilege escalation flaw requires a separate Antimalware Platform update (version 4.18.26050.3011 or later) rather than the standard Windows security update.
Organizations that applied the April Patch Tuesday updates but have not confirmed their Defender platform version remain vulnerable to RedSun exploitation. Microsoft has pushed this update through Windows Update and WSUS, but environments with delayed Defender definition updates or air-gapped systems may not have received it.
Why Researcher-Leaked Exploits Are Especially Dangerous
When vulnerabilities are disclosed through coordinated processes (CVE assignment, vendor notification, embargo period, patch release), defenders have a window to deploy patches before exploitation begins. Researcher leaks collapse that window entirely.
In this case, the exploit code was published publicly, meaning:
- No patch existed when exploitation began for the leaked variants
- Proof-of-concept code reduced the skill barrier to near zero — any attacker with the ability to download and run code can exploit it
- Detection signatures lagged behind exploitation because defenders had no pre-patch warning window to prepare
- Enterprise patch cycles (weekly, bi-weekly, or monthly) mean a significant portion of the Windows install base remains vulnerable weeks after patches are released
Security researchers and vendors widely criticize unauthorized exploit disclosure for precisely this reason — it benefits attackers disproportionately over defenders.
Patching Guidance
April Patch Tuesday Updates
Microsoft addressed the BlueHammer variants in the April 2026 Patch Tuesday release. Organizations should prioritize:
- Windows 10 (all supported versions): KB5058379 or later
- Windows 11 24H2: KB5058411 or later
- Windows Server 2022: KB5058385 or later
- Windows Server 2019: KB5058392 or later
Verify applied updates via:

# Check security updates installed in the last 30 days
Get-HotFix | Where-Object { $_.InstalledOn -gt (Get-Date).AddDays(-30) } | Sort-Object InstalledOn -Descending
# Verify a specific KB (writes an error if it is not installed)
Get-HotFix -Id KB5058379

Windows Defender Platform Update (RedSun)

# Check the current Defender platform version
(Get-MpComputerStatus).AMProductVersion
# Pull the latest definitions; the platform update itself is delivered through Windows Update or WSUS
Update-MpSignature
# Optional: run a quick scan with the refreshed definitions
Start-MpScan -ScanType QuickScan

The required Defender platform version is 4.18.26050.3011 or later.
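To check both conditions on a host in one pass, here is an added PowerShell example that is not from the article or from Microsoft; it assumes the KB-to-OS mapping listed above (the Windows 11 entry is the 24H2 KB), the 4.18.26050.3011 platform threshold, and a function name, Get-BlueHammerStatus, that is mine.

```powershell
# Added example (not the article's or Microsoft's code): reports whether this host has the
# listed April 2026 KB for its OS family and a Defender platform at or above the RedSun fix.
# KB-to-OS mapping copied from the article (Windows 11 entry is the 24H2 KB); assumption: adjust
# if Microsoft reissues updates or your Windows 11 build differs.
$requiredKb = @{
    'Windows 10'          = 'KB5058379'
    'Windows 11'          = 'KB5058411'
    'Windows Server 2022' = 'KB5058385'
    'Windows Server 2019' = 'KB5058392'
}
$minDefender = [version]'4.18.26050.3011'

function Get-BlueHammerStatus {
    $os = (Get-CimInstance Win32_OperatingSystem).Caption
    # Match the caption ("Microsoft Windows Server 2022 Standard", ...) to one OS family
    $family = $requiredKb.Keys | Where-Object { $os -like "*$_*" } | Select-Object -First 1
    $kb = if ($family) { $requiredKb[$family] } else { $null }
    # Get-HotFix writes a non-terminating error for an absent KB, so test presence quietly
    $kbInstalled = [bool]($kb -and (Get-HotFix -Id $kb -ErrorAction SilentlyContinue))

    # Compare as [version], not as strings: lexically "4.18.26050.3011" sorts below "4.18.9999.1"
    $platform   = [version](Get-MpComputerStatus).AMProductVersion
    $defenderOk = $platform -ge $minDefender

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        OSCaption         = $os
        RequiredKB        = $kb
        ListedKBInstalled = $kbInstalled
        DefenderPlatform  = $platform
        DefenderFixed     = $defenderOk
        NeedsReview       = -not ($kbInstalled -and $defenderOk)
    }
}

Get-BlueHammerStatus | Format-List
```

Because Windows cumulative updates supersede each other, a host that received a later cumulative update will not list the older KB ID, so treat ListedKBInstalled = False as "review against the OS build number", not as confirmed vulnerable.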
Interim Mitigations
For systems that cannot be patched immediately:
- Limit local user privileges: Enforce least-privilege principles — standard user accounts should not have local administrator rights
- Deploy Credential Guard: Reduces the impact of SYSTEM-level compromise by protecting credential stores
- Enable Windows Defender Attack Surface Reduction rules: Specific ASR rules can block common privilege escalation techniques
- Monitor for unusual token manipulation: Detect calls to NtAdjustPrivilegesToken, SeDebugPrivilege abuse, and unexpected SYSTEM process spawning
- Prioritize endpoint detection: Signature updates for the leaked exploits are now available from all major EDR vendors
Detection and Hunting
Security teams should hunt for indicators of exploitation:
# Look for processes spawning with SYSTEM privileges from user-level parents.
# Requires "Audit Process Creation" to be enabled; otherwise no 4688 events are recorded.
# In a 4688 message, "Subject" is the creator's account and "Target Subject" is the new
# process's account, so split on that label and compare the two SIDs rather than the whole text
# (filtering the whole message with -notmatch "SYSTEM" would discard every SYSTEM process).
Get-WinEvent -LogName Security -FilterXPath "*[System[EventID=4688]]" |
Where-Object {
    $creator, $target = $_.Message -split 'Target Subject:', 2
    $target -match 'S-1-5-18' -and $creator -notmatch 'S-1-5-18'
}
# Check for logons that were assigned sensitive privileges (4672), e.g. SeDebugPrivilege
Get-WinEvent -LogName Security -FilterXPath "*[System[EventID=4672]]" -MaxEvents 50 |
Where-Object { $_.Message -match 'SeDebugPrivilege' } |
Format-List TimeCreated, Message

EDR solutions with behavioral detection (CrowdStrike, SentinelOne, Microsoft Defender for Endpoint) should have signatures covering the leaked exploit patterns. Confirm rule sets are current before relying solely on behavioral detection.
Sources: BleepingComputer, Microsoft Security Response Center