5 Threats Defenders Can't Ignore This Week: Two Unpatched Windows LPEs Already Being Exploited

On April 3, a researcher operating under the aliases 'Nightmare-Eclipse' and 'Chaotic Eclipse' publicly leaked BlueHammer — a Windows local privilege escalation exploit — in protest against Microsoft's MSRC vulnerability disclosure handling. On April 16, the same researcher released RedSun, a second LPE targeting Windows Defender internals. Within 24 hours of RedSun's release, BleepingComputer confirmed threat actors are actively weaponizing both exploits in the wild.

BlueHammer exploits a TOCTOU (time-of-check to time-of-use) race condition combined with a path confusion vulnerability to achieve SYSTEM-level privilege on Windows. Once elevated, attackers gain read access to the SAM (Security Account Manager) database, enabling extraction of local password hashes and facilitating lateral movement without additional tooling. No CVE has been assigned to BlueHammer as of April 17, 2026.

RedSun is the more technically sophisticated of the two. It abuses a subtle behaviour in Windows Defender's cloud-tagging file rewrite mechanism. The attack chain exploits the Cloud Files API to set up a volume shadow copy race via an oplock, then uses a directory junction and reparse point manipulation to redirect Defender's own file rewrites to system-critical executables. The result is arbitrary code execution as SYSTEM — confirmed working on fully-patched Windows 10, 11, and Server 2019+ by independent researcher Will Dormann.

No Microsoft patches exist for either vulnerability. Recommended compensating controls: restrict physical and RDP access to Windows endpoints, deploy detections for anomalous VSS operations combined with junction creation, alert on unexpected SYSTEM-level process spawning from non-standard parents, and monitor for SAM database access outside the LSASS process.

Between April 13 and April 16, CISA added six vulnerabilities to its Known Exploited Vulnerabilities catalog, with the majority carrying an April 27 federal remediation deadline. The entries span Fortinet, Adobe, Windows, and Microsoft Exchange — and include one of the oldest vulnerabilities ever confirmed exploited in the KEV's current era.

CVE-2012-1854 — a Microsoft VBA insecure library loading flaw first disclosed in 2012 — is now confirmed to be actively exploited 14 years after its original patch was released. Organisations running unpatched legacy Office configurations or terminal server environments with older VBA-enabled documents remain exposed.

The most operationally critical entry is CVE-2023-21529 (CVSS 8.8): a deserialization RCE in Microsoft Exchange Server patched in February 2023 that is now being actively leveraged by the financially motivated threat actor Storm-1175 to deploy Medusa ransomware against enterprise environments. Organisations that have not applied the February 2023 Exchange cumulative updates face active ransomware exposure today.

Also added: CVE-2026-34621 (Adobe Acrobat Reader prototype pollution leading to RCE, CVSS 8.6, exploited since at least December 2025 per researcher Haifei Li), CVE-2025-60710 (Windows Task Host LPE via improper link resolution, CVSS 7.8), and CVE-2023-36424 (Windows CLFS Driver out-of-bounds read leading to LPE, CVSS 7.8). Cross-reference these against your [April Patch Tuesday 2026](/blog/patch-tuesday-april-2026) deployment records to confirm none have been missed before the April 27 federal deadline.

Payouts King — tracked as STAC4713 by Zscaler ThreatLabz and attributed with high confidence to former BlackBasta affiliates — is the most technically innovative new ransomware group documented in April 2026. Its core evasion technique operates at the hypervisor layer, bypassing host-based endpoint security entirely.

After gaining initial access, Payouts King deploys QEMU, the open-source virtualiser, to spin up a hidden Alpine Linux 3.22.0 VM on compromised Windows hosts. All C2 communication, lateral movement staging, and credential harvesting runs inside the guest VM. Because Windows Defender and most endpoint security tools cannot inspect guest VM memory or network traffic at the hypervisor level, all malicious activity is invisible to host-based security telemetry.

QEMU disk images are disguised as legitimate files: `vault.db` (mimicking a database file) or `birsv.dll` (mimicking a system DLL). Persistence is achieved via a scheduled task named `TPMProfiler` — deliberately designed to blend with legitimate Trusted Platform Module management tasks — launched as SYSTEM on startup.

Initial access exploits CVE-2025-26399 (SolarWinds Web Help Desk) and CVE-2025-5777 (CitrixBleed 2, affecting Citrix NetScaler ADC/Gateway). Additional vectors include phishing via Microsoft Teams and abuse of Windows QuickAssist. Encryption uses AES-256 in CTR mode with RSA-4096 key exchange; large files receive intermittent encryption for speed. Data exfiltration is performed via Rclone to attacker-controlled SFTP infrastructure.

This technique is distinct from BYOVD (Bring Your Own Vulnerable Driver) approaches used by groups like [Qilin to silence EDR tools](/blog/qilin-byovd-edr-silencing) — instead operating at the hypervisor layer, making it significantly harder to detect with host-based telemetry alone.

On April 15–16, 2026, Cisco published critical patches for four vulnerabilities across two of its most widely deployed enterprise platforms. Both require manual administrator action — neither product auto-remediates.

CVE-2026-20184 (CVSS 9.8) in Cisco Webex Services involves improper certificate validation in the SSO/Control Hub SAML integration. An unauthenticated attacker who can intercept or manipulate SAML assertions can impersonate any Webex user, gaining full access to meetings, recorded content, shared files, and private channels. With 400 million+ registered Webex users, the potential exposure is significant. Cisco provides no automated patch — administrators must manually upload a new SAML certificate for their identity provider to Webex Control Hub. No workaround is available.

The three Cisco Identity Services Engine flaws — CVE-2026-20147, CVE-2026-20180, and CVE-2026-20186, all carrying CVSS 9.9 — exploit insufficient input validation to enable OS command execution and root privilege escalation. ISE is the network access control (NAC) backbone for enterprise environments, controlling which devices and users access the corporate network. A compromised ISE instance gives attackers the ability to authorise rogue endpoints, revoke legitimate access, and pivot undetected through network segments that would otherwise be isolated.

None of these vulnerabilities are currently reported as exploited in the wild, but given their CVSS scores and the critical operational role of both products, security teams should treat these as emergency change-window items.

On April 16, Darktrace published detailed analysis of ZionSiphon, a novel OT malware sample targeting Israeli water and desalination infrastructure. Among publicly disclosed ICS/OT threats in 2026, it is among the most specifically targeted samples analysed.

ZionSiphon contains hardcoded names of six Israeli water infrastructure organisations: Mekorot (Israel's national water company), desalination facilities at Sorek, Hadera, Ashdod, and Palmachim, and the Shafdan wastewater treatment plant. It scans for OT process names — `DesalPLC`, `ROController`, `ChlorineCtrl` — and probes three OT communication protocols: Modbus on port 502, DNP3 on port 20000, and S7comm on port 102.

The malware contains a function named `IncreaseChlorineLevel()` that appends sabotage parameters directly to OT configuration files: `Chlorine_Dose=10`, `Chlorine_Pump=ON`, `Chlorine_Flow=MAX`, `RO_Pressure=80`. If executed on a live treatment plant, these values exceed safe operational thresholds and could produce hazardous chlorine concentrations in treated water.

The infection chain uses PowerShell-based privilege escalation (MITRE T1547.001), registry persistence under `HKCU\...\Run` as 'SystemHealthCheck', and USB propagation (MITRE T1091) for potential air-gapped network crossing. Attribution is assessed as Iranian-aligned based on Base64-encoded political messaging embedded in the binary.

Darktrace identified an XOR bug in the country validation routine — suggesting this may be a development build not yet fully operational. The disclosed capabilities nonetheless represent documented intent to sabotage civilian water infrastructure.

This week requires concurrent action across three categories: compensating controls for unpatched zero-days, emergency vendor patch deployment, and detection engineering for novel evasion techniques.

For BlueHammer and RedSun, no patches exist — the priority is access restriction and detection logic. Both exploits require a local foothold on a Windows system. Enforce least-privilege policies, restrict who can obtain local or RDP sessions, and deploy monitoring for anomalous VSS operations, directory junction creation, and SAM database access outside LSASS.

For Exchange Server CVE-2023-21529 (Storm-1175/Medusa ransomware): if February 2023 Exchange cumulative updates have not been verified, treat this as an emergency patch item. Confirm patch status and sweep Exchange event logs for indicators of exploitation.

For Cisco Webex and ISE: both require manual intervention in change windows. Schedule SAML certificate rotation for Webex and patch-plus-cert-regeneration for ISE. Post-remediation, audit ISE authorisation logs for anomalous device grants made during the exposure window.

For the April 27 CISA KEV deadlines: validate Adobe Acrobat/Reader is updated to v26.001.21411 or later, confirm Microsoft VBA CVE-2012-1854 is patched across all Office installations, and verify CLFS driver and Windows Task Host patches from recent Patch Tuesday cycles are fully deployed.

For Payouts King and QEMU detection: inventory QEMU installations across enterprise endpoints — legitimate use cases are rare outside developer and virtualisation team machines. Alert on scheduled tasks named 'TPMProfiler' not tied to verified TPM management tooling, and flag execution of VM disk images from non-standard paths.

Windows zero-day BlueHammer and RedSun are being actively exploited right now with no Microsoft patch on the horizon — layer that with Storm-1175 weaponising a three-year-old Exchange deserialization flaw for Medusa ransomware, a 14-year-old VBA flaw now confirmed exploited, Payouts King making EDR blind with QEMU hypervisors, and Cisco pushing CVSS 9.9 emergency patches, and this week's threat volume is unusually high. Pick one priority and act now: patch CVE-2023-21529 on Exchange, rotate Cisco Webex SAML certificates, and deploy BlueHammer/RedSun detection logic before end of business today.