Three Exploited Microsoft Defender Zero‑Days Leave Two Critical Flaws Unpatched


Key Takeaways

  • Three recently disclosed flaws in Microsoft Defender—BlueHammer (CVE‑2026‑33825), RedSun, and UnDefend—are being actively exploited in the wild.
  • BlueHammer and RedSun are local privilege‑escalation vulnerabilities that let low‑privilege attackers gain SYSTEM‑level control; UnDefend can block Defender signature updates, weakening defenses.
  • Microsoft has released a patch only for BlueHammer; RedSun and UnDefend remain unpatched, creating a dangerous window for attackers who already possess public proof‑of‑concept exploit code.
  • Huntress observed exploitation starting April 10, with attackers using typical reconnaissance commands (whoami /priv, cmdkey /list, net group) after gaining an initial foothold.
  • Because Defender ships by default on virtually all Windows systems, compromising it provides attackers with stealth, elevated privileges, and a foothold for lateral movement, credential theft, ransomware deployment, and evidence tampering.
  • The public release of the exploits by researchers using the aliases Chaotic Eclipse and Nightmare‑Eclipse has reignited debate over responsible disclosure versus the risk of arming criminals.
  • Organizations should apply the available BlueHammer patch immediately, monitor Defender health, hunt for privilege‑escalation activity, enforce least‑privilege controls, and boost EDR visibility while awaiting fixes for the remaining flaws.
  • The incidents underscore a broader trend: cybercriminals increasingly target security products themselves to gain trusted, high‑privilege access.

Overview of the Threat Landscape
Security firm Huntress has reported that threat actors are actively weaponizing three newly disclosed vulnerabilities affecting Microsoft Defender, the built‑in antivirus and endpoint protection platform that ships with every Windows installation. Dubbed BlueHammer, RedSun, and UnDefend, the flaws enable attackers to escalate privileges, disable security controls, and hinder Defender’s ability to stay current with threat signatures. While Microsoft addressed BlueHammer in its April 2026 Patch Tuesday release, RedSun and UnDefend remain unpatched, leaving a considerable exposure window for organizations worldwide.


What the Flaws Allow Attackers to Do
BlueHammer and RedSun are classified as local privilege‑escalation (LPE) vulnerabilities. An attacker who already possesses any user‑level access—whether through phishing, malware, or stolen credentials—can leverage these bugs to obtain SYSTEM‑level privileges, the highest authority on a Windows host. Once at SYSTEM, the adversary can disable Defender and other security tools, dump password hashes or plaintext credentials, install ransomware, move laterally across the network, create persistent backdoors, and tamper with logs to obscure forensic evidence. UnDefend operates differently but is equally damaging: it can block Defender signature updates or disrupt real‑time protection, allowing malware to run unimpeded while Defender’s own protections fall out of date.


One Patch Released, Two Bugs Still Open
During the April 2026 Patch Tuesday cycle, Microsoft issued a fix for BlueHammer, now tracked as CVE‑2026‑33825, rated “High” with a CVSS score of 7.8. The patch addresses an elevation‑of‑privilege flaw within Defender’s core engine. However, as of the weekend following the release, no official mitigations have been published for RedSun or UnDefend. Public proof‑of‑concept exploit code for both vulnerabilities is already circulating, meaning that attackers can readily weaponize the flaws while defenders wait for vendor‑supplied patches. This gap is particularly concerning because publicly available exploit tools often accelerate adoption by crime‑as‑a‑service groups and less‑sophisticated threat actors.


Exploitation Already Seen in the Wild
Huntress began detecting active exploitation on April 10, with BlueHammer being the first observed vector. By April 16, the firm noted the appearance of RedSun and UnDefend proof‑of‑concept tools in real‑world incidents. The attack sequences typically began with standard reconnaissance commands after an initial foothold was established:

  • whoami /priv – to enumerate current privileges,
  • cmdkey /list – to view stored credentials,
  • net group – to identify administrative groups and potential lateral‑movement targets.

These commands indicate that attackers were mapping the compromised host’s privilege landscape before attempting to escalate via the Defender flaws. Huntress isolated at least one affected organization to prevent further post‑compromise activity, highlighting the immediate need for detection and containment capabilities.


Why Defender Is an Attractive Target
Microsoft Defender’s universal presence makes it a high‑value target. Because it is installed by default on every Windows 10 and Windows 11 device—spanning enterprises, schools, government agencies, and home users—any vulnerability in Defender instantly affects a massive attack surface. Security software traditionally runs with elevated privileges to monitor and protect the system; consequently, flaws in such products grant attackers direct access to the highest authority levels without needing additional privilege‑escalation steps. When Defender itself becomes the gateway to SYSTEM access, attackers gain a stealthy, trusted platform from which they can launch broader campaigns, evade detection, and persist across reboots.


Controversial Public Disclosure
The three exploits were released by researchers using the pseudonyms Chaotic Eclipse and Nightmare‑Eclipse, who expressed frustration with Microsoft’s handling of vulnerability reports. Their public disclosure has reignited a long‑standing debate within the security community: does releasing exploit code before a patch force vendors to accelerate fixes, or does it simply arm criminals with ready‑made weapons? Proponents of responsible disclosure argue that coordinated, timed releases protect users while still applying pressure; opponents warn that early public exposure lowers the barrier for exploitation, especially when patches are delayed or unavailable.


Enterprise Risk Assessment
For organizations, the risk is most acute when attackers already possess any of the following initial‑access vectors: phished credentials, malware execution on a single endpoint, remote access via another vulnerability, insider threats, or stolen VPN sessions. In such scenarios, a privilege‑escalation flaw like BlueHammer or RedSun can transform a limited compromise into a full domain‑wide takeover, enabling attackers to harvest domain admin hashes, deploy ransomware at scale, or establish persistent footholds for espionage. Security teams should therefore assume that these Defender bugs may be chained with common initial‑access tactics such as phishing emails, malicious documents, browser zero‑days, or credential‑theft malware, and prioritize detection of the associated post‑exploitation behaviors.


What Organizations Should Do Now
Immediate defensive actions can mitigate the threat while awaiting patches for RedSun and UnDefend:

  1. Patch CVE‑2026‑33825 Immediately – Deploy the April 2026 security update to all Windows systems; verify installation via WSUS, Configuration Manager, or Intune.
  2. Monitor Defender Health – Confirm that signature updates are succeeding and that endpoints have not stopped receiving updates; anomalous silence may indicate UnDefend activity.
  3. Hunt for Privilege‑Escalation Activity – Search logs for suspicious use of whoami /priv, known credential‑dumping tools (e.g., Mimikatz, LaZagne), creation of new local admin accounts, or unexpected SYSTEM‑level shells.
  4. Limit Local Access – Enforce least‑privilege principles: remove unnecessary local admin rights, apply Just‑In‑Time elevation, and use hardened service accounts.
  5. Increase EDR Visibility – Ensure that telemetry from Microsoft Defender for Endpoint or any third‑party EDR solution is retained, and create alerts for privilege‑abuse patterns, unauthorized driver loads, and changes to Defender configuration.

These steps combine patch management, vigilant monitoring, and proactive threat hunting to reduce the likelihood of successful exploitation.
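The following PowerShell script is an added example written for this article; it is not code from Huntress, Microsoft, or the researchers named above. It turns steps 2 and 3 of the list above, and the reconnaissance sequence described earlier, into a check an administrator can run on a single endpoint: it reports Defender's protection state and signature age, looks in Defender's operational log for update failures (event 2001) and real‑time protection being switched off (event 5001), and then searches Security event 4688 for the whoami /priv, cmdkey /list and net group commands, grouping hits by logon session. It assumes it runs elevated, that command‑line auditing is enabled for 4688 (otherwise the hunt finds nothing), and the thresholds $MaxSignatureAgeDays and $LookbackHours are tuning values chosen here, not vendor guidance.

```powershell
# Added example for this article (not Huntress or Microsoft code).
# Assumptions: run elevated on the endpoint being checked; Security event 4688
# includes the process command line (audit policy "Include command line in
# process creation events"); threshold values below are chosen for illustration.
param(
    [int]$MaxSignatureAgeDays = 3,   # assumption: tolerated signature age
    [int]$LookbackHours       = 24   # assumption: hunt window
)

$findings = @()
$since    = (Get-Date).AddHours(-$LookbackHours)

# --- Step 2: Defender health -------------------------------------------------
$status = Get-MpComputerStatus
"Engine $($status.AMEngineVersion), platform $($status.AMProductVersion), " +
"signatures $($status.AntivirusSignatureVersion) (age $($status.AntivirusSignatureAge) days)"

if (-not $status.AMServiceEnabled) {
    $findings += "Defender antimalware service is not running"
}
if (-not $status.RealTimeProtectionEnabled) {
    $findings += "Real-time protection is disabled"
}
if ($status.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
    $findings += "Signatures are $($status.AntivirusSignatureAge) days old " +
                 "(last update $($status.AntivirusSignatureLastUpdated))"
}

# Defender's operational log records failed security-intelligence updates (2001)
# and real-time protection being turned off (5001). Silence on updates plus a
# 2001 or 5001 inside the window is the "anomalous silence" worth investigating.
$defenderEvents = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 2001, 5001
    StartTime = $since
} -ErrorAction SilentlyContinue
foreach ($e in $defenderEvents) {
    $findings += "Defender event $($e.Id) at $($e.TimeCreated)"
}

# --- Step 3: hunt for the reconnaissance trio in process-creation events -----
$patterns = 'whoami\s+/priv', 'cmdkey\s+/list', 'net\s+group'
$hits     = @()

$procEvents = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4688
    StartTime = $since
} -ErrorAction SilentlyContinue

foreach ($e in $procEvents) {
    # Read the named EventData fields from the event XML rather than relying
    # on positional indexes, which differ between Windows versions.
    $data = ([xml]$e.ToXml()).Event.EventData.Data
    $cmd  = ($data | Where-Object { $_.Name -eq 'CommandLine' }).'#text'
    $lid  = ($data | Where-Object { $_.Name -eq 'SubjectLogonId' }).'#text'
    if (-not $cmd) { continue }   # command-line auditing not enabled
    foreach ($p in $patterns) {
        if ($cmd -match $p) {
            $hits += [pscustomobject]@{
                LogonId     = $lid
                Pattern     = $p
                Time        = $e.TimeCreated
                CommandLine = $cmd
            }
        }
    }
}

# A single "net group" is routine; two or more of the three commands from the
# same logon session inside the window matches the sequence Huntress observed.
$hits | Group-Object LogonId | ForEach-Object {
    $distinct = ($_.Group.Pattern | Sort-Object -Unique).Count
    if ($distinct -ge 2) {
        $findings += "Logon session $($_.Name): $distinct of 3 recon commands " +
                     "seen, first at $(($_.Group.Time | Sort-Object)[0])"
    }
}

if ($findings.Count -eq 0) { "No findings in the last $LookbackHours hours" }
else { "Findings:"; $findings | ForEach-Object { " - $_" } }
```

Run it per endpoint, or wrap the body in an Invoke-Command script block for fleet‑wide collection. The logon‑session grouping is the part that matters for triage: any one of the three commands is common administrative noise, but the trio from one session, followed by Defender reporting a failed update or real‑time protection turning off, is the order of events the article describes and should be escalated rather than closed as benign.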


Broader Trend: Security Tools Under Attack
The targeting of Microsoft Defender reflects a wider shift in cyber‑criminal tactics: rather than solely attacking applications or operating systems, adversaries increasingly seek vulnerabilities in security products themselves. Antivirus engines, VPN clients, backup solutions, and remote‑management tools are prized because compromising them provides stealth, persistent elevated access, and the ability to blunt defensive controls. Over the past several years, high‑profile flaws in products such as Fortinet VPN, SolarWinds Orion, and various endpoint protection platforms have been exploited to great effect. For defenders, the lesson is clear: trust in any software—no matter how security‑focused—must be continually validated through patching, configuration hardening, and behavioral analytics.


Conclusion
With two critical Defender flaws still unpatched and exploit code readily available, the window for opportunistic attacks remains open. Security teams should anticipate additional copycat activity in the coming days and remain alert for emergency mitigations or out‑of‑band patches from Microsoft. Until a complete vendor fix is delivered, reliance on rapid detection, disciplined patching, and vigilant endpoint monitoring will be essential to protect Windows environments from privilege‑escalation abuse and the downstream consequences that follow.
