Overview
Three recently disclosed Windows security vulnerabilities are now being actively exploited in attacks, according to security researchers. The flaws — which were publicly leaked before Microsoft had the opportunity to issue coordinated patches — allow threat actors to escalate privileges to SYSTEM or elevated administrator level on compromised Windows systems.
The active exploitation of these zero-days represents an accelerated weaponization timeline, with attackers leveraging the leaked technical details to build functional exploits within days of public disclosure.
The Three Vulnerabilities
All three vulnerabilities target the Windows privilege escalation attack surface and allow a local attacker with standard user permissions to gain SYSTEM-level control. This type of escalation is particularly valuable in post-exploitation scenarios, where attackers use it to:
- Disable security tools and endpoint detection
- Establish persistent SYSTEM-level backdoors
- Pivot laterally within enterprise networks using elevated credentials
- Bypass User Account Control (UAC) and other Windows security boundaries
The vulnerabilities were leaked publicly — rather than being discovered through standard bug bounty or responsible disclosure channels — meaning Microsoft had little advance warning before active exploitation began.
Active Exploitation Context
Security researchers at BleepingComputer confirmed that threat actors are chaining these Windows zero-days as post-exploitation escalation tools following initial compromise through phishing campaigns or other entry vectors.
The attack chain typically follows this pattern:
1. Initial access via phishing email or vulnerability exploitation
2. Establish foothold with standard user privileges
3. Deploy Windows privilege escalation exploit (one or more of the three flaws)
4. Gain SYSTEM or administrator access
5. Disable EDR tools, establish persistence, move laterally
6. Deploy final-stage payload (ransomware, data theft, espionage tool)
This pattern has been observed targeting enterprise environments in North America and Europe.
Microsoft Response
Microsoft has been notified of the vulnerabilities and is working to develop patches. As of April 17, 2026, at least one patch has been issued, while others remain in development. The company has not provided a firm timeline for the remaining fixes.
Organizations are advised not to wait for patches before implementing interim mitigations — the active exploitation window is open now.
Recommendations
Given that not all patches are available, organizations should implement the following mitigations immediately:
- Apply all available Windows updates — Install pending Windows security updates via Windows Update or Windows Server Update Services (WSUS) to ensure any available patches are deployed.
- Enable attack surface reduction (ASR) rules — Configure Microsoft Defender's ASR rules to limit post-exploitation options:

    # Roll a rule out in AuditMode first to check for impact, then switch it to Enabled
    Set-MpPreference -AttackSurfaceReductionRules_Ids <rule-id> -AttackSurfaceReductionRules_Actions AuditMode
    Set-MpPreference -AttackSurfaceReductionRules_Ids <rule-id> -AttackSurfaceReductionRules_Actions Enabled

- Restrict local administrator access — Apply least-privilege principles and remove unnecessary local admin rights from standard user accounts.
- Monitor for privilege escalation indicators — Review SIEM/EDR alerts for:
  - Unexpected SYSTEM-level process creation from user sessions
  - Token manipulation events
  - UAC bypass attempts
  - Unexpected use of cmd.exe or powershell.exe by non-admin users
- Harden Windows endpoints — Enable Credential Guard, Windows Defender Application Control (WDAC), and virtualization-based security (VBS) where supported.
- Deploy supplementary EDR — In environments where Microsoft Defender is the sole protection layer, consider additional endpoint detection solutions for enhanced coverage during the unpatched window.
- Isolate critical systems — For high-value targets (domain controllers, privileged access workstations), apply network segmentation to limit lateral movement opportunities.
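A small detection routine for two of the escalation indicators in the monitoring bullet above, as an added example that is not part of the original article. It assumes Sysmon-style process-creation records with the fields Image, User, ParentImage and ParentUser, and uses constructed sample events in place of real telemetry.

```python
# Added example (not from the article): heuristics for the privilege-escalation
# indicators listed above, run over constructed Sysmon-style process-creation
# records (Event ID 1 fields Image, User, ParentImage, ParentUser).
from dataclasses import dataclass

SYSTEM_ACCOUNT = "NT AUTHORITY\\SYSTEM"
SHELLS = {"cmd.exe", "powershell.exe"}

@dataclass(frozen=True)
class ProcEvent:
    image: str
    user: str
    parent_image: str
    parent_user: str

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(ev, admins):
    """Return the indicator names this event matches (empty means benign)."""
    hits = []
    child_is_system = ev.user.upper() == SYSTEM_ACCOUNT
    parent_is_system = ev.parent_user.upper() == SYSTEM_ACCOUNT
    # Indicator: a SYSTEM child whose parent ran in an ordinary user session.
    # Legitimate SYSTEM processes descend from services.exe/wininit.exe, which
    # themselves run as SYSTEM, so a user-owned parent is the anomaly.
    if child_is_system and not parent_is_system:
        hits.append("system_child_from_user_session")
    # Indicator: cmd.exe / powershell.exe run by an account outside the admin set.
    # Noisy on its own; pair it with a per-environment allowlist before alerting.
    if basename(ev.image) in SHELLS and not child_is_system and ev.user not in admins:
        hits.append("shell_by_non_admin")
    return hits

def detect(events, admins):
    """Map event index -> matched indicators, for events that matched anything."""
    return {i: h for i, ev in enumerate(events) if (h := classify(ev, admins))}

# Constructed sample telemetry (not real indicators of compromise).
ADMINS = {"CORP\\admin1"}
SAMPLE = [
    ProcEvent(r"C:\Windows\System32\svchost.exe", SYSTEM_ACCOUNT,
              r"C:\Windows\System32\services.exe", SYSTEM_ACCOUNT),
    ProcEvent(r"C:\Windows\System32\cmd.exe", "CORP\\jdoe",
              r"C:\Windows\explorer.exe", "CORP\\jdoe"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", SYSTEM_ACCOUNT,
              r"C:\Users\jdoe\Downloads\update.exe", "CORP\\jdoe"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "CORP\\admin1", r"C:\Windows\explorer.exe", "CORP\\admin1"),
]
```

Running `detect(SAMPLE, ADMINS)` flags the standard-user shell (event 1) and the SYSTEM cmd.exe spawned from a user-owned binary (event 2), while the service-host chain and the admin's PowerShell session pass as benign.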
Background: Leaked Zero-Day Risk
The exploitation of leaked zero-days presents a compounded risk compared to standard vulnerability disclosure:
- No coordinated patch timeline: Microsoft cannot pre-stage fixes before disclosure
- Immediate weaponization: Public exploit code dramatically shortens attacker dwell time
- Broader threat actor access: Commodity attackers — not just sophisticated APTs — can leverage leaked exploits
- Patch pressure: Microsoft faces pressure to emergency-patch rather than following standard Patch Tuesday cycles
This pattern of disgruntled researchers or insiders leaking Windows exploits has resulted in several high-profile zero-day exploitation waves in recent years.