
Kaleth4 Dropped Six Critical PoCs in 72 Hours. The Active Directory RCE Is the One That Matters.

  • Writer: Patrick Duggan
  • 4 minutes ago
  • 6 min read

We've published two posts in the last 36 hours about a researcher going by kaleth4: first on the BlueHammer / Chaotic Eclipse Defender attack family, then on the Windows TCP/IP unauthenticated RCE that nobody is talking about, which we covered earlier today. Both of those posts characterized kaleth4's output as 2-3 high-severity CVE PoCs in a tight window.


We were undercounting. When we mined kaleth4's GitHub account directly, the actual disclosure cadence turned out to be more aggressive and more dangerous than we originally surfaced: six critical CVE PoCs in seventy-two hours, between April 21 and April 23, plus an OpenClaw authorization bypass. The Active Directory RCE is the one that matters most, and the one nobody is talking about.


Here is the full inventory.


CVE-2026-33824 — Windows IKE Double-Free Remote Code Execution. CVSS 9.8. Unauthenticated. Published April 21. The vulnerability is a CWE-415 Double-Free in the Internet Key Exchange protocol implementation that drives Windows IPSec. An unauthenticated remote attacker sends carefully crafted IKE packets to a Windows system running IPSec listeners, wins the memory-corruption race, and executes arbitrary code with SYSTEM privileges. This is a sibling vulnerability to CVE-2026-33827 — same attack surface family (network-reachable Windows kernel RCE on IPSec-enabled systems), different bug class (Double-Free vs TOCTOU race). If you have IPSec enabled, both are exposed.


CVE-2026-33825 — Windows Defender BlueHammer LPE. CVSS 7.8. Local privilege escalation. Published April 22. We covered this in detail in our BlueHammer post yesterday — the TOCTOU race in Defender's malware cleanup engine that escalates a low-privileged user to SYSTEM. CISA added it to KEV April 22. It is the lowest-severity CVE in the kaleth4 inventory.


CVE-2026-33826 — Windows Active Directory Domain Services Remote Code Execution via Kerberos/RPC. CVSS 9.8. Unauthenticated. THE HEADLINE. Published April 22. This is the one that gets published on a Tuesday and starts incident response postmortems on a Friday. The vulnerability is in how AD DS handles malformed authentication requests over Kerberos and RPC. An unauthenticated attacker sends a specially crafted authentication request to a domain controller and achieves remote code execution as SYSTEM on the DC. Active Directory Domain Services is the identity backbone for roughly 95% of enterprises — when you compromise the DC, you compromise the realm. Wormable-class vulnerability. NotPetya was an SMB-class kernel RCE that pivoted laterally on AD; this is an AD-class kernel RCE with no SMB pivot required because the target IS the identity layer. We have not yet seen this CVE on CISA KEV, which means federal agencies do not have a hard patch deadline yet. That gap closes any day now.


CVE-2026-33827 — Windows TCP/IP Remote Code Execution. CVSS 8.1. Unauthenticated. Published April 22. This is the vulnerability we covered earlier today in our post Microsoft Patched an Unauth Windows TCP/IP RCE: a TOCTOU race in tcpip.sys triggered by IPv6 packets when IPSec is enabled. Same target population as CVE-2026-33824 (Windows + IPSec), but a different bug.


CVE-2026-20180 — Cisco Identity Services Engine RCE. Published April 21. Cisco ISE is the network access control and identity policy engine that enforces who can connect to enterprise networks. Compromising ISE means compromising the network's enrollment authority — the system that decides which devices and users get on which VLANs. This is not in kaleth4's headline-grabbing tier the way the AD CVE is, but for any organization that runs Cisco ISE in production, it is a tier-one priority.


CVE-2026-41303 — OpenClaw Discord Bot Authorization Bypass. CVSS 8.8. Published April 23. The OpenClaw bug we noted in passing in earlier posts — a Discord-bot authorization flaw in the OpenClaw project's command-approval workflow. Smaller blast radius than the others, but it adds to the proving-period output.


That is six CVE PoCs by one author in seventy-two hours.


The pattern this represents.


In our Dark-Market Lifecycle post earlier today we placed kaleth4 in trust-building phase and noted the proving-period work was aggressive. We were correct on the phase but undercounting the aggression. Six high-severity disclosures in three days is not "aggressive" — it is a coordinated proving-period content drop, aimed at establishing rapid technical-credibility mass.


Two interpretations are consistent with the public data, and we should hold both with appropriate uncertainty.


Interpretation one. kaleth4 is a Spanish-speaking security researcher who has been working on a stash of Windows kernel and identity-plane vulnerabilities, and chose to publish the entire stash as a coordinated drop in April for portfolio-building or career-positioning reasons. The supporting evidence: kaleth4's GitHub account also hosts thirty-some other repos focused on penetration testing tooling, Active Directory hacking guides, CTF content in Spanish, and red-team training materials. The CVE PoCs are part of a broader content production stream consistent with someone building a public security-trainer brand.


Interpretation two. kaleth4 is the public-facing identity of a deeper offensive-security operation that is publishing PoCs for a tactical reason — to commoditize the underlying vulnerabilities so that detection vendors race to ship signatures, which signals to operational adversaries which CVEs are now hot and which are not yet hot. The supporting evidence: the CVE numbers cluster (CVE-2026-33824, 33825, 33826, 33827 are all in a four-CVE range that suggests the researcher had advance access to Microsoft's CVE-numbering pipeline or coordinated disclosure with MSRC), and the publication tempo is faster than a single human researcher would normally choose unless there were external timing pressure.


We do not assert which interpretation is correct. We assert both deserve attention and that the patches need to be deployed regardless of attribution.


What every defender should do this week.


The two unauthenticated Windows kernel RCEs, CVE-2026-33824 (IKE Double-Free) and CVE-2026-33827 (TCP/IP race), both target IPSec-enabled Windows systems. Disable IPSec on systems that don't need it. Patch every system that does. Block IPv6 IPSec traffic at the perimeter for systems that cannot be patched immediately.
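Before deciding where to disable IPSec, patch first, or block at the perimeter, it helps to know which hosts actually expose an IKE listener. The following PowerShell inventory is an added example, not code from the original post or from kaleth4's repositories; it assumes WinRM access to the targets and the in-box NetSecurity and NetTCPIP modules, and the hostnames in `$hosts` are constructed.

```powershell
# Added example: find Windows hosts that expose an IKE/IPsec listener.
# Assumes WinRM is enabled and the NetSecurity / NetTCPIP modules (in-box on
# Windows 8 / Server 2012 and later) exist on each target.

$hosts = @('DC01', 'FS01', 'WEB01')   # constructed sample inventory; replace with your own

$report = Invoke-Command -ComputerName $hosts -ErrorAction SilentlyContinue -ScriptBlock {
    # IKEEXT is the "IKE and AuthIP IPsec Keying Modules" service that parses IKE.
    $ike = Get-Service -Name IKEEXT -ErrorAction SilentlyContinue

    # Enabled connection security rules mean this host negotiates IPsec with peers.
    $ipsecRules = @(Get-NetIPsecRule -ErrorAction SilentlyContinue |
                    Where-Object { $_.Enabled -eq 'True' })

    # IKE uses UDP/500, plus UDP/4500 for NAT traversal; a bound socket is the
    # surface a remote, unauthenticated sender reaches.
    $listeners = @(Get-NetUDPEndpoint -ErrorAction SilentlyContinue |
                   Where-Object { $_.LocalPort -in 500, 4500 })

    [pscustomobject]@{
        Host         = $env:COMPUTERNAME
        IkeService   = if ($ike) { $ike.Status } else { 'NotFound' }
        IpsecRules   = $ipsecRules.Count
        IkeListeners = ($listeners | ForEach-Object { "$($_.LocalAddress):$($_.LocalPort)" }) -join ', '
        # Exposed means the keying service is running and a UDP listener is bound.
        Exposed      = ($ike.Status -eq 'Running') -and ($listeners.Count -gt 0)
    }
}

# Exposed hosts go to the top of the patch queue; hosts with IKEEXT running but
# no enabled rules and no listener are candidates for disabling the service.
$report | Sort-Object Exposed -Descending |
    Format-Table Host, IkeService, IpsecRules, IkeListeners, Exposed -AutoSize
```

Hosts that fail to answer over WinRM are silently skipped here, so reconcile the output against your asset inventory rather than treating an absent host as unexposed.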


The Active Directory RCE — CVE-2026-33826 — is the one that matters most. Patch every domain controller on your estate within seventy-two hours. If you cannot patch within seventy-two hours, prepare for the alternative — which involves your incident response retainer, your cyber insurance carrier, and your communications team.


The Cisco ISE RCE — CVE-2026-20180 — is a tier-one priority for any organization running ISE in production. Cisco's advisory has the patch matrix.


For threat hunting, the kaleth4 GitHub account at github.com/kaleth4 is now in our daily watch. Any new CVE PoC that surfaces there gets indexed in our STIX feed within hours and we will publish updates as they appear. The detection community at github.com/Letlaka/redsun-bluehammer-undefend-detection-pack is also being watched, alongside community detection rules surfacing on Bilal3755/Detecting_blue_hammer_vuln. If you operate Microsoft Defender XDR and have engineering capacity to load community KQL, those repositories are your fastest path to detection coverage on the family.


The forecast we commit to.


Within seven days, at least one of the kaleth4-published CVEs in the 33824-33827 cluster will be added to CISA KEV with a federal patch deadline shorter than thirty days. We assess this at 80% probability. We commit to publishing a resolution post within 48 hours of any KEV addition for these CVEs, and a final resolution post on May 4. The Cisco ISE CVE we put at 35% probability of KEV addition in the same window — Cisco-specific federal patching tends to escalate faster than Microsoft Windows-class CVEs because federal agencies run Cisco ISE in IT/OT segmentation roles where the consequence of compromise is concrete.


Why we publish this kind of analysis.


Six critical CVE PoCs from one author in three days is the kind of pattern that gets discussed quietly inside SOC chat channels for a week before any major outlet picks it up. The vendors all have it on their internal radar. None of them publish it to their customers in this consolidated form because publishing means committing to a forecast that can be wrong. We publish because committing to a public forecast is more valuable to defenders than waiting for the post-incident retrospective. Our Kalshi-style predictions discipline holds — we will be wrong on some of these calls, and we publish the resolution posts when each fires. Right now, the inventory is in front of you.


Sources: kaleth4 GitHub repos for CVE-2026-20180, CVE-2026-33824, CVE-2026-33825, CVE-2026-33826, CVE-2026-33827, CVE-2026-41303, published April 21-23, 2026; NVD/NIST CVE database entries; Letlaka/redsun-bluehammer-undefend-detection-pack and Bilal3755/Detecting_blue_hammer_vuln community detection repositories; CISA KEV catalog as of April 27.

