Threat actors are exploiting three recently disclosed Windows security flaws to escalate their privileges to SYSTEM. Since the beginning of the month, a researcher using the handles “Chaotic Eclipse” and “Nightmare-Eclipse” has published proof-of-concept exploit code for all three.
Two of the flaws, dubbed BlueHammer and RedSun, are privilege-escalation bugs in Microsoft Defender. The third, named UnDefend, lets an unprivileged user block Microsoft Defender updates.
At the time the exploits were released, the flaws they targeted were zero-days by Microsoft’s definition: no official patches or updates were available to address them.
Huntress Labs security researchers observed all three zero-day exploits being used in real-world attacks on Thursday, with BlueHammer exploitation seen since April 10.
They also spotted UnDefend and RedSun exploits on a Windows device that was breached through a compromised SSL VPN account, in attacks showing evidence of “hands-on-keyboard threat actor activity.”
“The Huntress SOC is observing the use of Nightmare-Eclipse’s BlueHammer, RedSun, and UnDefend exploitation techniques,” the researchers said.
Patch Status and Mitigations:
Microsoft patched CVE-2026-33825 (BlueHammer) in the April 2026 Patch Tuesday update cycle. However, RedSun and UnDefend remain unpatched as of this writing, leaving millions of Windows systems at ongoing risk.
Security teams should immediately:
Apply all April 2026 Windows security updates
Monitor for unsigned executables in user-writable directories (Pictures, Downloads subfolders)
Alert on EICAR test file drops by non-administrative processes
Hunt for whoami /priv, cmdkey /list, and net group execution chains in endpoint telemetry
Enforce least privilege to limit the local access an attacker needs before these flaws can be exploited
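The hunting guidance above (the whoami /priv, cmdkey /list and net group chain, plus unsigned executables launched from Pictures or Downloads) can be turned into a small detection that runs over exported process-creation telemetry. The script below is an added example written for this article, not code from Huntress, Microsoft or the researcher; the event schema (the ts/host/user/ppid/parent/image/cmd/signed fields) is hypothetical, and SAMPLE_EVENTS is constructed to imitate Sysmon Event ID 1 / Windows 4688 records rather than taken from any real incident.

```python
"""Hunt for the recon chain and user-directory unsigned executables from the
mitigation list.  Constructed example: SAMPLE_EVENTS imitates Sysmon Event ID 1 /
Windows 4688 process-creation records and is not telemetry from a real incident.
"""
import re
from collections import defaultdict
from datetime import datetime

# The three recon commands named in the mitigation list, matched against a
# whitespace-normalised, lower-cased command line.
RECON_PATTERNS = {
    "whoami_priv": re.compile(r"\bwhoami(\.exe)?\s+/priv\b"),
    "cmdkey_list": re.compile(r"\bcmdkey(\.exe)?\s+/list\b"),
    "net_group": re.compile(r"\bnet1?(\.exe)?\s+group\b"),
}

# User-writable trees singled out in the article: <profile>\Pictures and \Downloads.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(pictures|downloads)\\", re.IGNORECASE)


def ev(ts, host, user, ppid, parent, image, cmd, signed=True):
    """Build one process-creation record (hypothetical schema; field names are ours)."""
    return {"ts": ts, "host": host, "user": user, "ppid": ppid, "parent": parent,
            "image": image, "cmd": cmd, "signed": signed}


CMD = "C:\\Windows\\System32\\cmd.exe"
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SYS32 = "C:\\Windows\\System32\\"

SAMPLE_EVENTS = [  # constructed sample telemetry
    # Full recon chain from one cmd.exe (pid 4120) within ten seconds, then an
    # unsigned binary launched from the user's Pictures folder.
    ev("2026-04-16T10:00:01", "WS01", "CORP\\jdoe", 4120, CMD, SYS32 + "whoami.exe", "whoami  /PRIV"),
    ev("2026-04-16T10:00:05", "WS01", "CORP\\jdoe", 4120, CMD, SYS32 + "cmdkey.exe", "cmdkey /list"),
    ev("2026-04-16T10:00:09", "WS01", "CORP\\jdoe", 4120, CMD, SYS32 + "net.exe",
       'net group "Domain Admins" /domain'),
    ev("2026-04-16T10:00:12", "WS01", "CORP\\jdoe", 4120, CMD,
       "C:\\Users\\jdoe\\Pictures\\cache\\svchost.exe", "svchost.exe", signed=False),
    # Benign: a lone whoami from an admin's PowerShell an hour later.
    ev("2026-04-16T11:30:00", "WS01", "CORP\\admin", 9001, PS, SYS32 + "whoami.exe", "whoami /priv"),
    # Two recon commands from one parent but 20 minutes apart: outside the default window.
    ev("2026-04-16T12:00:00", "WS02", "CORP\\jdoe", 5555, CMD, SYS32 + "whoami.exe", "whoami /priv"),
    ev("2026-04-16T12:20:00", "WS02", "CORP\\jdoe", 5555, CMD, SYS32 + "net1.exe", "net1 group"),
]


def normalise(cmd):
    """Collapse whitespace and lower-case so quoting/casing tricks do not dodge the regexes."""
    return re.sub(r"\s+", " ", cmd.strip()).lower()


def classify(cmd):
    """Return the recon pattern name a command line matches, or None."""
    cmd = normalise(cmd)
    for name, pat in RECON_PATTERNS.items():
        if pat.search(cmd):
            return name
    return None


def find_recon_chains(events, window_seconds=300, min_distinct=2):
    """One finding per (host, parent pid) whose children ran at least `min_distinct`
    different recon commands within `window_seconds` of each other."""
    by_parent = defaultdict(list)
    for e in events:
        name = classify(e["cmd"])
        if name:
            by_parent[(e["host"], e["ppid"])].append((datetime.fromisoformat(e["ts"]), name, e))
    findings = []
    for (host, ppid), hits in by_parent.items():
        hits.sort(key=lambda h: h[0])
        for i, (t0, _, first) in enumerate(hits):
            in_window = [h for h in hits[i:] if (h[0] - t0).total_seconds() <= window_seconds]
            names = {h[1] for h in in_window}
            if len(names) >= min_distinct:
                findings.append({"host": host, "ppid": ppid, "user": first["user"],
                                 "parent": first["parent"], "commands": sorted(names),
                                 "first": t0.isoformat(), "last": in_window[-1][0].isoformat()})
                break  # one finding per parent is enough to open a triage ticket
    return findings


def unsigned_in_user_dirs(events):
    """Launches of binaries under a profile's Pictures or Downloads tree that carry no
    valid Authenticode signature (assumes the telemetry exposes a 'signed' flag)."""
    return [e for e in events if USER_WRITABLE.search(e["image"]) and not e["signed"]]


if __name__ == "__main__":
    for f in find_recon_chains(SAMPLE_EVENTS):
        print("recon chain:", f)
    for e in unsigned_in_user_dirs(SAMPLE_EVENTS):
        print("unsigned user-dir exec:", e["image"], "by", e["user"])
```

The window and the "two of three" threshold are the tuning knobs: a single whoami /priv from an administrator's shell is routine, but two or more of these commands under the same parent within a few minutes is the pattern worth a ticket. Widening window_seconds to 1800 in the sample above also surfaces the slower chain on WS02, at the cost of more noise on busy jump hosts.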
The RedSun exploit gives attackers SYSTEM privileges on Windows 10, Windows 11, and Windows Server 2019 and later whenever Microsoft Defender is enabled, and it still works after the April Patch Tuesday updates are installed.
“When Windows Defender realizes that a malicious file has a cloud tag, for whatever stupid and hilarious reason, the antivirus that’s supposed to protect decides that it is a good idea to just rewrite the file it found again to its original location,” the researcher explained. “The PoC abuses this behaviour to overwrite system files and gain administrative privileges.”
“Microsoft has a customer commitment to investigate reported security issues and update impacted devices to protect customers as soon as possible,” a Microsoft spokesperson told Bleeping Computer earlier this week when contacted for more information on the disclosure issues reported by the anonymous researcher.
“We also support coordinated vulnerability disclosure, a widely adopted industry practice that helps ensure issues are carefully investigated and addressed before public disclosure, supporting both customer protection and the security research community.”