
Windows zero-day exploitation wave

Type: Exploitation Wave
Happening score: 38
1 unique source, 2 articles

Summary


BlueHammer, RedSun, and UnDefend are being exploited in the wild against Windows devices, creating an active risk of SYSTEM or elevated-administrator compromise. Exploitation of BlueHammer had already started by April 10, and researchers later observed the other two exploits being used on a breached system. The wave shows leaked proof-of-concept code moving quickly into live abuse before all of the flaws had been fully addressed.

Related Happenings

Windows cldflt.sys MiniPlasma zero-day privilege-escalation flaw

Vulnerability
First: 18.05.2026 07:59 Last: 18.05.2026 07:59 Sources 1

About this happening: **MiniPlasma** is a **Windows privilege-escalation zero-day** in **cldflt.sys** that can give attackers **SYSTEM** privileges on **fully patched Windows systems**. The flaw affect...

Windows cldflt.sys privilege escalation (CVE-2020-17103)

Vulnerability
First: 18.05.2026 01:30 Last: 18.05.2026 01:30 Sources 1

About this happening: A public **MiniPlasma** proof-of-concept has renewed concern around the **Windows cldflt.sys Cloud Filter driver** because it can elevate a **standard user** to **SYSTEM** on **fu...

Pwn2Own Berlin 2026 multi-product zero-days, including privilege-escalation flaws

Vulnerability
First: 14.05.2026 21:53 Last: 14.05.2026 21:53 Sources 1

About this happening: **Pwn2Own Berlin 2026** opened with **24 unique zero-days** demonstrated against **fully patched products**, creating immediate exposure across browser, OS, virtualization, enterp...

Windows 11 BitLocker bypass YellowKey security flaw

Vulnerability
First: 14.05.2026 10:27 Last: 14.05.2026 10:27 Sources 1

About this happening: **YellowKey** is a **Windows BitLocker security feature bypass** tracked as **CVE-2026-45585** that can expose **BitLocker-protected drives** through the **Windows Recovery Enviro...

Latest development: 20.05.2026 10:31

Microsoft assigned CVE-2026-45585 to YellowKey, a Windows BitLocker security feature bypass, and recommended removing autofstx.exe from the Session Manager BootExecute REG_MULTI_SZ value, re-establishing BitLocker trust for WinRE, and moving already-encrypted devices from TPM-only to TPM+PIN so that a pre-boot PIN is required.

FamousSparrow Azerbaijanian oil-and-gas targeting campaign

Campaign
First: 13.05.2026 16:00 Last: 13.05.2026 16:00 Sources 1

About this happening: The **China-linked FamousSparrow group** ran a **targeted cyberespionage campaign** against an **Azerbaijanian oil-and-gas company** in the **South Caucasus**, highlighting a new...

Timeline

  1. 23.04.2026 14:05 1 article · 1mo ago

    CISA adds BlueHammer to KEV and orders federal patching

    Legal Policy Action Update

    CISA added BlueHammer, tracked as CVE-2026-33825, to its Known Exploited Vulnerabilities (KEV) Catalog and ordered Federal Civilian Executive Branch (FCEB) agencies to patch Microsoft Defender on Windows systems within two weeks, by May 7. The federal directive targets ongoing zero-day abuse of the flaw on U.S. government systems.

  2. 17.04.2026 09:14 1 article · 1mo ago

    BlueHammer exploitation begins on Windows systems

    Exploitation Observed

    On April 10, attackers using leaked proof-of-concept code began exploiting the BlueHammer flaw on Windows systems to obtain SYSTEM or elevated-administrator permissions where Microsoft Defender (Windows Defender) was enabled.

  3. 17.04.2026 09:14 1 article · 1mo ago

    Huntress reports BlueHammer, RedSun, and UnDefend in the wild

    Initial Disclosure

    On April 17, Huntress Labs reported that leaked Chaotic Eclipse/Nightmare-Eclipse proof-of-concept code was being used to exploit BlueHammer, RedSun, and UnDefend in the wild on Windows systems. The researchers said BlueHammer had been exploited since April 10, and they also observed RedSun and UnDefend on a Windows device that had been breached through a compromised SSL VPN user account, followed by hands-on-keyboard activity.
