Key Takeaways
- Huntress has observed active exploitation of three zero‑day vulnerabilities in Microsoft Defender: BlueHammer, RedSun, and UnDefend, disclosed by researcher Chaotic Eclipse (Nightmare‑Eclipse).
- BlueHammer (CVE‑2026‑33825) and RedSun are local privilege‑escalation (LPE) flaws; UnDefend can trigger a denial‑of‑service (DoS) condition that blocks definition updates.
- Microsoft has patched BlueHammer in the latest Patch Tuesday release, while RedSun and UnDefend remain unpatched as of the report date.
- Exploitation began with BlueHammer on April 10, 2026, followed by RedSun and UnDefend proof‑of‑concept (PoC) usage on April 16, 2026.
- Huntress noted that the attacks were preceded by typical reconnaissance commands (e.g., whoami /priv, cmdkey /list, net group), indicating hands‑on‑keyboard activity.
- The vendor has isolated the affected organization to curb further post‑exploitation and is awaiting a response from Microsoft for additional comment.
Background on the Disclosed Vulnerabilities
The three flaws were originally published as zero‑day exploits by a researcher operating under the alias Chaotic Eclipse, also known as Nightmare‑Eclipse. The researcher released the details in protest of Microsoft’s vulnerability‑disclosure handling, labeling the bugs with codenames BlueHammer, RedSun, and UnDefend. While BlueHammer and RedSun both enable local privilege escalation within Microsoft Defender, UnDefend differs in that it can be leveraged to induce a denial‑of‑service state, effectively preventing the security product from receiving definition updates.
Technical Details of BlueHammer (CVE‑2026‑33825)
BlueHammer is tracked as CVE‑2026‑33825 and represents a local privilege‑escalation vulnerability affecting the Defender Antivirus engine. Exploitation allows an attacker with low‑privileged user access to elevate to SYSTEM level by abusing a flaw in how Defender processes certain signed binaries. Huntress confirmed that threat actors began weaponizing BlueHammer in the wild on April 10, 2026, shortly after the researcher’s public disclosure. Microsoft addressed this specific flaw in its Patch Tuesday update released earlier in the week, assigning it the CVE identifier noted above.
RedSun: Another Local Privilege‑Escalation Flaw
RedSun, unlike BlueHammer, does not yet have an assigned CVE identifier because a fix has not been released. It also constitutes an LPE vulnerability within Microsoft Defender, albeit via a different code path that involves improper handling of privileged kernel callbacks. Huntress observed the use of a RedSun proof‑of‑concept exploit starting on April 16, 2026. The exploit follows a similar pattern to BlueHammer, enabling an attacker to move from a standard user account to elevated privileges once initial access to a host is obtained.
UnDefend: Denial‑of‑Service Capability
The third flaw, UnDefend, is distinct in that its primary impact is a denial‑of‑service condition rather than privilege escalation. By triggering a specific defect in Defender’s update mechanism, an attacker can cause the service to hang or crash, thereby blocking the download and installation of new signature definitions. This leaves the system vulnerable to known malware that would otherwise be detected. Huntress noted that UnDefend PoC exploits were also seen in the wild on April 16, 2026, coinciding with the appearance of RedSun activity.
Observed Attack Timeline and Behavior
According to Huntress’s telemetry, the exploitation timeline began with BlueHammer on April 10, 2026, followed by the emergence of RedSun and UnDefend exploits six days later. The intrusions were not purely automated; instead, they were preceded by typical enumeration commands such as whoami /priv, cmdkey /list, and net group. These commands indicate that threat actors were performing hands‑on‑keyboard reconnaissance to understand the compromised host’s privileges and group membership before attempting privilege escalation or DoS actions.
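The enumeration sequence described above is something a defender can hunt for directly in process-creation telemetry. The following is an added example, not Huntress's tooling or anything from the original report: it scans constructed process-creation events for the three commands the report names and raises a finding only when one user on one host runs two or more distinct recon commands within a short window, which separates a hands-on-keyboard burst from an isolated administrative command. The log format, field names, window size, threshold and sample events are all assumptions made for the illustration.

```python
"""Flag hands-on-keyboard reconnaissance bursts in process-creation logs.

Added example (not Huntress's tooling): scans process-creation events for the
enumeration commands the report names (whoami /priv, cmdkey /list, net group)
and raises a finding when one user on one host runs two or more distinct
commands within a short window. The log format, field names, thresholds and
sample events are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One regex per recon command, matched against the full command line.
RECON_PATTERNS = {
    "whoami_priv": re.compile(r"\bwhoami(\.exe)?\b.*\s/priv\b", re.IGNORECASE),
    "cmdkey_list": re.compile(r"\bcmdkey(\.exe)?\b.*\s/list\b", re.IGNORECASE),
    "net_group": re.compile(r"\bnet1?(\.exe)?\s+group\b", re.IGNORECASE),
}

WINDOW = timedelta(minutes=10)  # max gap between consecutive hits in one burst (assumed)
MIN_DISTINCT = 2                # distinct recon commands needed before alerting (assumed)

# Constructed sample events, one per line: ISO timestamp, host, user, command line (tab-separated).
SAMPLE_LOG = """\
2026-04-16T09:01:12Z\tWS-0412\tCORP\\jdoe\tC:\\Windows\\System32\\whoami.exe /priv
2026-04-16T09:01:40Z\tWS-0412\tCORP\\jdoe\tcmdkey /list
2026-04-16T09:02:05Z\tWS-0412\tCORP\\jdoe\tnet group "Domain Admins" /domain
2026-04-16T09:03:00Z\tWS-0412\tCORP\\jdoe\tnotepad.exe C:\\Users\\jdoe\\notes.txt
2026-04-16T11:30:00Z\tWS-0777\tCORP\\svc_backup\twhoami /priv
2026-04-16T14:15:00Z\tWS-0777\tCORP\\svc_backup\tnet group /domain
"""


def parse_events(text):
    """Turn the tab-separated sample format into event dicts with parsed timestamps."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, cmd = line.split("\t", 3)
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "host": host, "user": user, "cmd": cmd,
        })
    return events


def classify(cmd):
    """Return the recon label for a command line, or None if it is not one of the three."""
    for label, pattern in RECON_PATTERNS.items():
        if pattern.search(cmd):
            return label
    return None


def find_recon_bursts(events, window=WINDOW, min_distinct=MIN_DISTINCT):
    """Group each (host, user)'s recon hits into bursts separated by more than
    `window`, and report every burst that contains at least `min_distinct`
    different recon commands."""
    by_actor = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        label = classify(ev["cmd"])
        if label:
            by_actor[(ev["host"], ev["user"])].append((ev["time"], label, ev["cmd"]))

    findings = []
    for (host, user), hits in by_actor.items():
        bursts, current = [], [hits[0]]
        for hit in hits[1:]:
            if hit[0] - current[-1][0] <= window:
                current.append(hit)
            else:
                bursts.append(current)
                current = [hit]
        bursts.append(current)
        for burst in bursts:
            distinct = sorted({label for _, label, _ in burst})
            if len(distinct) >= min_distinct:
                findings.append({
                    "host": host, "user": user,
                    "first_seen": burst[0][0], "last_seen": burst[-1][0],
                    "techniques": distinct,
                    "commands": [cmd for _, _, cmd in burst],
                })
    return findings


if __name__ == "__main__":
    for f in find_recon_bursts(parse_events(SAMPLE_LOG)):
        print(f"{f['host']} {f['user']} {f['first_seen']:%H:%M:%S}-{f['last_seen']:%H:%M:%S} "
              f"{', '.join(f['techniques'])}")
        for cmd in f["commands"]:
            print("   ", cmd)
```

On the sample, only WS-0412 is reported: jdoe runs all three commands inside a minute, while svc_backup's two commands are hours apart and fall into separate single-command bursts. In a real deployment the events would come from Sysmon Event ID 1 or Windows Security Event ID 4688 with command-line auditing enabled, and the window and threshold should be tuned against the organization's own baseline of administrative activity.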
Mitigation and Response Measures
In response to the observed activity, Huntress has taken steps to isolate the affected organization to prevent further lateral movement and post‑exploitation. Isolation includes network segmentation, disabling potentially compromised accounts, and applying available patches where possible. For BlueHammer, organizations should ensure they have installed the latest Patch Tuesday update that addresses CVE‑2026‑33825. For RedSun and UnDefend, mitigations currently rely on defensive best practices: limiting user privileges, enabling exploit‑protection features (such as Attack Surface Reduction rules), monitoring for anomalous enumeration commands, and maintaining up‑to‑date anti‑malware signatures through alternative channels if Defender updates are blocked.
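Because UnDefend's impact is a Defender that silently stops receiving definitions, the practical check is whether each host's signature age is drifting past what update policy allows. The block below is an added example, not code from the report or from Microsoft: it assumes the endpoint's status was exported with `Get-MpComputerStatus | ConvertTo-Json` and reads the property names that cmdlet really exposes (`AMServiceEnabled`, `AntivirusEnabled`, `RealTimeProtectionEnabled`, `AntivirusSignatureAge`, `AntivirusSignatureLastUpdated`); the age threshold, the fixed reference time and the sample record are constructed. It also handles the two date encodings `ConvertTo-Json` produces, which is the detail that usually breaks a quick script.

```python
"""Spot a Defender host whose definition updates have stalled.

Added example, not code from the original report or from Microsoft. It assumes
the endpoint status was exported with
    Get-MpComputerStatus | ConvertTo-Json > status.json
and reads the property names that cmdlet exposes (AMServiceEnabled,
AntivirusEnabled, RealTimeProtectionEnabled, AntivirusSignatureAge,
AntivirusSignatureLastUpdated). The age threshold, the reference time and the
sample record are constructed for illustration.
"""
import json
import re
import sys
from datetime import datetime, timezone

MAX_SIGNATURE_AGE_DAYS = 2.0  # assumed policy: alert when definitions are older than this

# Constructed sample: protections are on, but definitions are six days stale.
SAMPLE_STATUS_JSON = """
{
  "AMServiceEnabled": true,
  "AntivirusEnabled": true,
  "RealTimeProtectionEnabled": true,
  "AntivirusSignatureAge": 6,
  "AntivirusSignatureLastUpdated": "2026-04-10T00:00:00Z"
}
"""
SAMPLE_NOW = datetime(2026, 4, 16, 12, 0, tzinfo=timezone.utc)  # constructed reference time


def parse_ps_datetime(value):
    """ConvertTo-Json writes DateTime values as '/Date(<ms since epoch>)/' on
    Windows PowerShell 5.1 and as ISO 8601 text on PowerShell 7; accept both."""
    m = re.fullmatch(r"/Date\((-?\d+)\)/", value)
    if m:
        return datetime.fromtimestamp(int(m.group(1)) / 1000, tz=timezone.utc)
    value = re.sub(r"(\.\d{6})\d+", r"\1", value)  # trim 7-digit .NET fractions to microseconds
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def assess(status, now=None, max_age_days=MAX_SIGNATURE_AGE_DAYS):
    """Return a list of human-readable findings; an empty list means the host looks healthy."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for key in ("AMServiceEnabled", "AntivirusEnabled", "RealTimeProtectionEnabled"):
        if not status.get(key, False):
            findings.append(f"{key} is false")
    last = parse_ps_datetime(status["AntivirusSignatureLastUpdated"])
    age_days = (now - last).total_seconds() / 86400  # computed here, not trusted from the host
    if age_days > max_age_days:
        findings.append(
            f"definitions last updated {age_days:.1f} days ago "
            f"(host reports AntivirusSignatureAge={status.get('AntivirusSignatureAge')})"
        )
    return findings


def check_sample():
    """Run the assessment over the constructed sample record."""
    return assess(json.loads(SAMPLE_STATUS_JSON), SAMPLE_NOW)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8-sig") as fh:
            results = assess(json.load(fh))
    else:
        results = check_sample()
    print("\n".join(results) if results else "no findings")
```

Run it with no arguments to see the sample flagged, or pass the path of an exported `status.json`. On Windows PowerShell 5.1, write the export with `Out-File -Encoding utf8` rather than the `>` operator so the file is readable as UTF-8. Recomputing the age from `AntivirusSignatureLastUpdated` rather than trusting `AntivirusSignatureAge` matters here: a service that has hung, as the report describes for UnDefend, may not refresh its own self-reported counters.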
Microsoft’s Patch Status and Outstanding Issues
As of the report date, Microsoft has released a fix only for BlueHammer via its regular Patch Tuesday cycle. The company has not yet issued patches for RedSun or UnDefend, leaving those vulnerabilities exploitable until a future update is made available. Huntress’s disclosure highlights the importance of rapid patch management, especially for zero‑day flaws that are actively being weaponized. Organizations are advised to monitor Microsoft’s security advisory portal for forthcoming updates and to consider additional layered defenses in the interim.
Industry Reaction and Ongoing Investigation
The Hacker News reached out to Microsoft for an official statement regarding the active exploitation and the patch status of the remaining vulnerabilities; at the time of writing, no response had been received. Security researchers and vendors alike are emphasizing the need for transparency in the vulnerability disclosure process, particularly when researchers feel compelled to publish zero‑day details publicly. Huntress’s findings serve as a reminder that even security products designed to protect endpoints can become attack surfaces if flaws are not promptly addressed.
Conclusion
The recent wave of attacks exploiting BlueHammer, RedSun, and UnDefend underscores the evolving threat landscape where attackers quickly transition from public disclosure to active exploitation. While a patch for BlueHammer is now available, the lack of fixes for RedSun and UnDefend necessitates heightened vigilance, proactive monitoring, and the implementation of layered security controls to defend against privilege‑escalation and denial‑of‑service tactics targeting Microsoft Defender. Organizations should prioritize patch installation, restrict user privileges, and scrutinize system logs for the telltale enumeration commands that often precede these sophisticated intrusions. By doing so, they can reduce the risk of compromise despite the current gap in vendor‑provided fixes for two of the three disclosed flaws.