Microsoft Windows Zero-Days Leaked and Actively Exploited

by Anika Shah - Technology

Three Microsoft Defender Zero-Days Actively Exploited; Two Still Unpatched

April 18, 2026

Threat actors are actively exploiting three recently disclosed zero-day vulnerabilities in Microsoft Defender, according to cybersecurity firm Huntress. The flaws, codenamed BlueHammer, RedSun, and UnDefend, were disclosed by a researcher known as Chaotic Eclipse (aka Nightmare-Eclipse) in response to Microsoft’s handling of the vulnerability disclosure process.

BlueHammer and RedSun are local privilege escalation (LPE) flaws in Microsoft Defender, while UnDefend can trigger a denial-of-service (DoS) condition and block definition updates.

Microsoft addressed BlueHammer as part of the Patch Tuesday updates released earlier this week, assigning it the identifier CVE-2026-33825. RedSun and UnDefend remain unpatched as of this writing.

Huntress reported observing all three flaws exploited in the wild: BlueHammer has been weaponized since April 10, 2026, and proof-of-concept (PoC) exploits for RedSun and UnDefend were used on April 16. These exploit invocations followed typical enumeration commands such as whoami /priv, cmdkey /list, and net group, indicating hands-on-keyboard threat actor activity.

The BlueHammer exploit abuses the interaction between Microsoft Defender’s update workflow, the Volume Shadow Copy Service, the Windows Cloud Files API, and opportunistic locks, all legitimate, documented Windows features, to escalate a low-privileged user to NT AUTHORITY\SYSTEM without requiring kernel bugs, memory corruption, or code execution inside Defender.

Huntress stated it has taken steps to isolate affected organizations to prevent further post-exploitation activity. The Hacker News has reached out to Microsoft for comment and will update the story if a response is received.

Key Takeaways

– Three zero-day vulnerabilities in Microsoft Defender, BlueHammer, RedSun, and UnDefend, are actively exploited in the wild.
– BlueHammer (CVE-2026-33825) has been patched in Microsoft’s latest Patch Tuesday update; RedSun and UnDefend remain unpatched.
– The exploits allow threat actors to escalate privileges or disrupt defense updates using legitimate Windows features.
– Huntress observed BlueHammer exploitation beginning April 10, 2026, with RedSun and UnDefend PoCs used on April 16.
– Organizations should monitor for anomalous enumeration commands and apply available patches immediately.

Sources

[1] The Hacker News: Three Microsoft Defender Zero-Days Actively Exploited; Two Still Unpatched
[2] Cyderes: BlueHammer: Inside the Windows Zero-Day
[3] Picus Security: BlueHammer & RedSun: Windows Defender CVE-2026-33825 Zero-day Vulnerability Explained
[4] Socradar: BlueHammer Windows Zero-Day: Privilege Escalation Risk
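As an added example (not code from the article, Huntress, or any of the cited sources), the following Python detector applies the monitoring recommendation above to constructed process-creation records: it raises one alert per host/user pair that runs two or more of the reported enumeration commands (whoami /priv, cmdkey /list, net group) within a ten-minute window. The record format, window length, and threshold are assumptions chosen for the example.

```python
"""Flag bursts of the reported enumeration commands in process-creation logs."""
from collections import defaultdict
from datetime import datetime, timedelta

# Enumeration commands the article reports preceding the exploit invocations.
ENUM_PATTERNS = (("whoami", "/priv"), ("cmdkey", "/list"), ("net", "group"))
WINDOW = timedelta(minutes=10)  # assumed correlation window
MIN_DISTINCT = 2                # assumed threshold of distinct commands

def classify(cmdline: str):
    """Return 'exe arg' if the command line matches ENUM_PATTERNS, else None."""
    tokens = cmdline.lower().split() or [""]
    # Strip directory prefix and .exe suffix so full paths still match.
    exe = tokens[0].rsplit("\\", 1)[-1].removesuffix(".exe")
    for name, arg in ENUM_PATTERNS:
        if exe == name and arg in tokens[1:]:
            return f"{name} {arg}"
    return None

def find_bursts(lines):
    """One alert per host/user running >= MIN_DISTINCT distinct enumeration
    commands within WINDOW. Record format (constructed): ts|host|user|cmdline."""
    events = defaultdict(list)
    for line in lines:
        ts, host, user, cmd = line.split("|", 3)
        name = classify(cmd)
        if name:
            events[(host, user)].append((datetime.fromisoformat(ts), name))
    alerts = []
    for (host, user), evs in events.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):
            seen = {n for t, n in evs[i:] if t - t0 <= WINDOW}
            if len(seen) >= MIN_DISTINCT:
                alerts.append({"host": host, "user": user,
                               "first_seen": t0, "commands": sorted(seen)})
                break
    return alerts

# Constructed sample records: WS01 shows the reported pattern, WS02 does not.
SAMPLE_LOG = [
    "2026-04-16T09:12:03|WS01|corp\\jdoe|whoami /priv",
    "2026-04-16T09:12:41|WS01|corp\\jdoe|C:\\Windows\\System32\\cmdkey.exe /list",
    "2026-04-16T09:14:10|WS01|corp\\jdoe|net group \"Domain Admins\" /domain",
    "2026-04-16T10:02:00|WS02|corp\\admin|whoami /priv",
    "2026-04-16T11:30:00|WS02|corp\\admin|net group /domain",  # outside window
]

if __name__ == "__main__":
    for alert in find_bursts(SAMPLE_LOG):
        print(alert)
```

A single enumeration command on its own is routine administrative activity, which is why the check requires several distinct commands in a short window rather than alerting on any one of them.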
