Windows Defender Zero-Days: BlueHammer, RedSun, and UnDefend Exploited in the Wild

On April 17, 2026, cybersecurity researchers confirmed that three zero-day vulnerabilities in Microsoft Defender are being actively exploited by threat actors to gain elevated privileges and disrupt security defenses on Windows systems. The flaws, identified as BlueHammer, RedSun, and UnDefend, were disclosed by a researcher known as Chaotic Eclipse (also referred to as Nightmare-Eclipse) following unresolved attempts to report the issues through Microsoft's Security Response Center.

BlueHammer, tracked as CVE-2026-33825, is a local privilege escalation vulnerability that allows an unprivileged user to achieve SYSTEM-level access on fully patched Windows 10 and Windows 11 systems. The exploit was first published as a proof-of-concept on April 3, 2026, and observed in the wild by Huntress starting April 10, 2026. Microsoft addressed BlueHammer in its Patch Tuesday updates released earlier in the week of April 17, 2026, assigning it a CVSS score of 7.8 (High).

RedSun and UnDefend, disclosed on April 14 and April 16, 2026 respectively, remain unpatched as of the latest reports. RedSun is another local privilege escalation flaw affecting Microsoft Defender, whereas UnDefend enables a standard user to block Defender from receiving signature updates or disable it entirely if a major update is pushed. Huntress researchers confirmed that both RedSun and UnDefend proof-of-concept exploits were used in attacks on April 16, 2026, following typical reconnaissance commands such as whoami /priv, cmdkey /list, and net group, indicating hands-on-keyboard threat actor activity.

All three vulnerabilities were shared via a GitHub repository, which remains accessible despite a warning from the Microsoft-owned platform. The researcher behind the disclosures has not been publicly identified, though Huntress and other security firms have validated the exploits through analysis and telemetry.
Will Dormann, a vulnerability analyst, confirmed the effectiveness of the RedSun proof-of-concept. Microsoft has not issued a public statement regarding the active exploitation of RedSun and UnDefend as of April 17, 2026.

Organizations are advised to monitor for suspicious activity in user directories such as Pictures and Downloads, where attackers have been observed placing renamed exploit files to evade detection. Until patches for RedSun and UnDefend are released, implementing application control, restricting user privileges, and maintaining up-to-date endpoint detection and response solutions are critical defensive measures.

The situation underscores the ongoing risk posed by zero-day vulnerabilities in widely deployed security software and highlights the importance of coordinated disclosure processes between researchers and vendors. As of this date, only BlueHammer has received an official fix from Microsoft, leaving systems exposed to the remaining two flaws until further updates are issued.
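The two observable signals the article gives defenders are the reconnaissance commands Huntress saw preceding exploitation (whoami /priv, cmdkey /list, net group) and executables being launched from user directories such as Pictures and Downloads. The following Python script is an added example, written here for illustration and not code from the article, Huntress, or the researcher; it runs simple detection logic over a handful of constructed process-creation events. The pipe-separated record layout, host names, user names, and file names are all assumptions made for the example; adapt the parser to whatever your EDR or Sysmon export actually emits.

```python
"""Detection sketch for the recon-then-exploit pattern described in the article.

Added example (not from the article or Huntress). The event format and all
sample values below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed process-creation events: timestamp|host|user|image path|command line.
SAMPLE_EVENTS = """\
2026-04-16T09:12:01Z|WS01|CORP\\jdoe|C:\\Windows\\System32\\whoami.exe|whoami /priv
2026-04-16T09:12:04Z|WS01|CORP\\jdoe|C:\\Windows\\System32\\cmdkey.exe|cmdkey /list
2026-04-16T09:12:09Z|WS01|CORP\\jdoe|C:\\Windows\\System32\\net.exe|net group "Domain Admins" /domain
2026-04-16T09:13:30Z|WS01|CORP\\jdoe|C:\\Users\\jdoe\\Pictures\\holiday.exe|holiday.exe
2026-04-16T10:05:00Z|WS02|CORP\\asmith|C:\\Windows\\System32\\whoami.exe|whoami
2026-04-16T11:00:00Z|WS02|CORP\\asmith|C:\\Program Files\\Vendor\\app.exe|app.exe
"""

# The three reconnaissance commands named in the article. net.exe hands off to
# net1.exe on Windows, so both image names are accepted.
RECON_PATTERNS = {
    "whoami_priv": re.compile(r"^whoami(\.exe)?\s+/priv\b", re.I),
    "cmdkey_list": re.compile(r"^cmdkey(\.exe)?\s+/list\b", re.I),
    "net_group": re.compile(r"^net1?(\.exe)?\s+group\b", re.I),
}
# Per-user directories the article names as drop locations for renamed exploit files.
SUSPICIOUS_DIRS = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\(Pictures|Downloads)\\", re.I)
WINDOW = timedelta(minutes=5)


def parse_events(text):
    """Parse the constructed pipe-separated records into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, image, cmd = line.split("|", 4)
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "host": host, "user": user, "image": image, "cmd": cmd,
        })
    return events


def find_recon_clusters(events, min_distinct=2):
    """Return (host, user, start_ts) where >= min_distinct distinct recon
    commands ran under the same host/user within WINDOW of each other."""
    per_session = defaultdict(list)
    for e in events:
        for name, pat in RECON_PATTERNS.items():
            if pat.search(e["cmd"]):
                per_session[(e["host"], e["user"])].append((e["ts"], name))
    hits = []
    for (host, user), seen in per_session.items():
        seen.sort()
        for i, (t0, _) in enumerate(seen):
            names = {n for t, n in seen[i:] if t - t0 <= WINDOW}
            if len(names) >= min_distinct:
                hits.append((host, user, t0))
                break  # one alert per session is enough
    return hits


def find_user_dir_executions(events):
    """Executables launched from a user's Pictures or Downloads directory."""
    return [(e["host"], e["user"], e["image"])
            for e in events if SUSPICIOUS_DIRS.match(e["image"])]


def triage(text):
    """Combine both signals; the same host/user showing both is the strongest lead."""
    events = parse_events(text)
    recon = find_recon_clusters(events)
    drops = find_user_dir_executions(events)
    recon_keys = {(h, u) for h, u, _ in recon}
    combined = sorted({(h, u) for h, u, _ in drops if (h, u) in recon_keys})
    return {"recon": recon, "user_dir_exec": drops, "combined": combined}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```

On the constructed sample, WS01/CORP\jdoe trips both signals (three distinct recon commands inside five minutes, then an executable from Pictures), while WS02/CORP\asmith runs a bare whoami and a vendor binary and is not flagged. Correlating the two signals per session, rather than alerting on either alone, is what keeps this usable: whoami and net group are common in legitimate administration, but paired with a fresh executable in a user's Pictures folder they match the behaviour the article describes.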