Cybercriminals have successfully breached at least one organisation by exploiting unpatched Windows security flaws, according to cybersecurity firm Huntress. The vulnerabilities, made public online by a disgruntled researcher, affect Microsoft's Windows Defender antivirus software.
The attacks leverage exploit code for three specific vulnerabilities—BlueHammer, UnDefend, and RedSun—published by a researcher known as Chaotic Eclipse. Huntress researchers confirmed the active exploitation in a series of social media posts on Friday.
Researcher Publishes Exploit Code
The chain of events began earlier this month when Chaotic Eclipse published, on their blog, code to exploit an unpatched Windows flaw. The researcher cited a conflict with Microsoft as their motivation, writing, "I was not bluffing Microsoft and I’m doing it again."
Subsequent posts detailed two further vulnerabilities, UnDefend and RedSun, with proof-of-concept exploit code made available on the researcher's GitHub page. All three flaws enable an attacker to gain administrator-level access to a compromised Windows computer by targeting the Windows Defender service.
Microsoft's Response and Industry Fallout
Microsoft has so far issued a patch only for the BlueHammer vulnerability; that patch was released earlier this week. In a statement to TechCrunch, Microsoft communications director Ben Hope reiterated the company's support for "coordinated vulnerability disclosure," a practice where researchers privately report flaws to vendors before public release.
This incident represents a case of "full disclosure," where the breakdown of communication between researcher and vendor leads to public release of technical details. The publication of weaponised code creates a race between defenders and attackers, as noted by Huntress researcher John Hammond.
"With these being so easily available now, and already weaponised for easy use... defenders frantically try to protect against ill-intended actors who rapidly take advantage of these exploits," Hammond told TechCrunch.
Ongoing Security Implications
The public availability of this exploit code significantly lowers the barrier for other malicious actors, including cybercriminals and state-sponsored hackers, to launch their own attacks. Security teams worldwide are now scrambling to implement protections and apply available patches.
The identity of the initial hacking group and their specific target remain unknown. TechCrunch's attempts to reach the researcher Chaotic Eclipse for comment were unsuccessful.