Windows zero-day exploitation wave
Exploitation Wave
Summary
Hide ▲
Show ▼
BlueHammer, RedSun, and UnDefend are being exploited in the wild against Windows devices, creating active risk of SYSTEM or elevated administrator compromise. The activity had already started by April 10 for BlueHammer, and researchers later saw the other exploits used on a breached system. The wave shows leaked proof-of-concept code moving quickly into live abuse before all of the flaws were fully addressed.
Related Happenings
Microsoft Defender BlueHammer (CVE-2026-33825) ransomware exploitation wave
Exploitation Wave
H score41
First: 30.06.2026 11:53
Last: 30.06.2026 11:53
Sources 1
About this happening:
CISA has flagged **BlueHammer (CVE-2026-33825)** as exploited in **ransomware campaigns**, expanding the risk to **Windows devices** exposed to privilege escalation. The flaw in *...
Microsoft Defender BlueHammer (CVE-2026-33825) ransomware exploitation wave
Exploitation WaveAbout this happening: CISA has flagged **BlueHammer (CVE-2026-33825)** as exploited in **ransomware campaigns**, expanding the risk to **Windows devices** exposed to privilege escalation. The flaw in *...
Microsoft releases RoguePlanet Defender security update for CVE-2026-50656
Security Patch Release
H score32
First: 17.06.2026 20:36
Last: 17.06.2026 20:36
Sources 1
About this happening:
**Microsoft** has released a **security update** for **CVE-2026-50656**, remediating **RoguePlanet** in the **Microsoft Malware Protection Engine (mpengine.dll)**. The flaw is a *...
Microsoft releases RoguePlanet Defender security update for CVE-2026-50656
Security Patch ReleaseAbout this happening: **Microsoft** has released a **security update** for **CVE-2026-50656**, remediating **RoguePlanet** in the **Microsoft Malware Protection Engine (mpengine.dll)**. The flaw is a *...
Latest development: 09.07.2026 11:48
Microsoft released security updates for CVE-2026-50656, remediating the RoguePlanet privilege-escalation flaw in Microsoft Malware Protection Engine (mpengine.dll) with version 1.1.26060.3008 and additional defense-in-depth updates. Microsoft said no customer action is required to install the update.
Microsoft Malware Protection Engine race-condition elevation-of-privilege remote code execution flaw (CVE-2026-50656)
Vulnerability
H score32
First: 17.06.2026 11:32
Last: 17.06.2026 11:32
Sources 1
About this happening:
**Microsoft** has released a security update for **CVE-2026-50656** after public disclosure of **RoguePlanet**, a **privilege-escalation** flaw in the **Microsoft Malware Protecti...
Microsoft Malware Protection Engine race-condition elevation-of-privilege remote code execution flaw (CVE-2026-50656)
VulnerabilityAbout this happening: **Microsoft** has released a security update for **CVE-2026-50656** after public disclosure of **RoguePlanet**, a **privilege-escalation** flaw in the **Microsoft Malware Protecti...
Microsoft Defender RoguePlanet race-condition zero-day remote code execution flaw
Vulnerability
H score39
First: 10.06.2026 02:11
Last: 10.06.2026 02:11
Sources 1
How related:
The anonymous security researcher going by the name Chaotic Eclipse (aka Nightmare-Eclipse) has released a proof-of-concept (PoC) exploit for yet another Microsoft Defender zero-day named RoguePlanet.
About this happening:
Microsoft Defender zero-day RoguePlanet is a race-condition flaw affecting fully patched Windows 10 and Windows 11 systems. A public proof-of-concept exploit was released shortly...
Microsoft Defender RoguePlanet race-condition zero-day remote code execution flaw
VulnerabilityHow related: The anonymous security researcher going by the name Chaotic Eclipse (aka Nightmare-Eclipse) has released a proof-of-concept (PoC) exploit for yet another Microsoft Defender zero-day named RoguePlanet.
About this happening: Microsoft Defender zero-day RoguePlanet is a race-condition flaw affecting fully patched Windows 10 and Windows 11 systems. A public proof-of-concept exploit was released shortly...
Latest development: 10.06.2026 08:22
The anonymous security researcher Chaotic Eclipse, also known as Nightmare-Eclipse, released a proof-of-concept (PoC) exploit for the Microsoft Defender zero-day RoguePlanet under a new GitHub account named MSNightmare. The race-condition exploit can yield a SYSTEM-level shell and arbitrary code execution when it succeeds, has been tested on Windows 11 and Windows 10 with the June 2026 Patch Tuesday updates installed, and currently does not work on Windows Server without redesign because standard users cannot mount an ISO image.
Microsoft June 2026 Patch Tuesday record security update bundle
Security Patch Release
H score36
First: 10.06.2026 01:07
Last: 10.06.2026 01:07
Sources 1
About this happening:
**Microsoft** released a **record Patch Tuesday bundle** for **June 2026** that patches **nearly 200 security holes** across **Windows operating systems and supported software**,...
Microsoft June 2026 Patch Tuesday record security update bundle
Security Patch ReleaseAbout this happening: **Microsoft** released a **record Patch Tuesday bundle** for **June 2026** that patches **nearly 200 security holes** across **Windows operating systems and supported software**,...
Timeline
-
23.04.2026 14:05 1 articles · 2mo ago
CISA adds BlueHammer to KEV and orders federal patching
Legal Policy Action UpdateCISA added BlueHammer, tracked as CVE-2026-33825, to its Known Exploited Vulnerabilities (KEV) Catalog and ordered Federal Civilian Executive Branch (FCEB) agencies to patch Microsoft Defender on Windows systems within two weeks, until May 7. The federal directive targets ongoing zero-day abuse of the flaw on U.S. government systems.
Show sources
- CISA orders feds to patch BlueHammer flaw exploited as zero-day — www.bleepingcomputer.com — 23.04.2026 14:05
-
17.04.2026 09:14 1 articles · 2mo ago
BlueHammer exploitation begins on Windows systems
Exploitation ObservedOn April 10, attackers using leaked proof-of-concept code began exploiting the BlueHammer Windows flaw against Windows systems to pursue SYSTEM or elevated administrator permissions when Microsoft Defender or Windows Defender was enabled.
Show sources
- Recently leaked Windows zero-days now exploited in attacks — www.bleepingcomputer.com — 17.04.2026 09:14
-
17.04.2026 09:14 3 articles · 2mo ago
Huntress reports BlueHammer, RedSun, and UnDefend in the wild
Initial DisclosureOn April 17, Huntress Labs reported that leaked Chaotic Eclipse/Nightmare-Eclipse proof-of-concept code was being used to exploit BlueHammer, RedSun, and UnDefend in the wild on Windows systems. The researchers said BlueHammer had been exploited since April 10, and they also observed RedSun and UnDefend on a Windows device breached through a compromised SSLVPN user with hands-on-keyboard activity.
Show sources
- Recently leaked Windows zero-days now exploited in attacks — www.bleepingcomputer.com — 17.04.2026 09:14
- Microsoft Slams Public Zero-Day Disclosures Amid GitHub Researcher Account Removal — thehackernews.com — 28.05.2026 16:53
- Microsoft Defender RoguePlanet Zero-Day Grants SYSTEM Access on Updated Windows — thehackernews.com — 10.06.2026 08:22