On April 17, 2026, Huntress Labs confirmed that threat actors are actively exploiting three zero-day vulnerabilities in Microsoft Defender; Microsoft has patched one, while the other two remain unpatched. The flaws, codenamed BlueHammer, RedSun, and UnDefend, were disclosed as proof-of-concept exploits by a researcher operating under the aliases Chaotic Eclipse and Nightmare-Eclipse, who cited frustration with Microsoft’s Security Response Center as motivation for the public release.
BlueHammer and RedSun are local privilege escalation flaws within Microsoft Defender that allow attackers to gain SYSTEM-level access on Windows 10, Windows 11, and Windows Server 2019 and later systems. UnDefend, the third vulnerability, enables a standard user to block Microsoft Defender from receiving signature updates, effectively disabling protection without requiring elevated privileges.
According to Huntress, the BlueHammer exploit has been observed in the wild since April 10, 2026. The RedSun and UnDefend exploits were detected on April 16 on a compromised system accessed via a breached SSLVPN user account. Huntress noted that the activity followed typical enumeration commands such as whoami /priv, cmdkey /list, and net group, indicating hands-on-keyboard threat actor behavior.
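As an added illustration (not code from Huntress or from the article), the following detection logic flags a host/user pair that runs two or more of the enumeration commands named above within a short window; the process-creation log format and the sample lines are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample process-creation events (assumed format, not real telemetry):
# ISO timestamp, host, user, and the command line that was executed.
SAMPLE_EVENTS = [
    "2026-04-16T09:02:11Z host=FS01 user=vpnuser cmd=whoami /priv",
    "2026-04-16T09:02:40Z host=FS01 user=vpnuser cmd=cmdkey /list",
    '2026-04-16T09:03:05Z host=FS01 user=vpnuser cmd=net group "Domain Admins" /domain',
    "2026-04-16T11:15:00Z host=WS07 user=alice cmd=whoami",
    "2026-04-16T11:20:00Z host=WS07 user=alice cmd=notepad.exe report.txt",
]

# The recon commands Huntress reported; one of them alone is routine admin
# activity, a cluster from one account in a few minutes is worth a look.
ENUM_PATTERNS = {
    "whoami_priv": re.compile(r"\bwhoami(\.exe)?\s+/priv\b", re.I),
    "cmdkey_list": re.compile(r"\bcmdkey(\.exe)?\s+/list\b", re.I),
    "net_group": re.compile(r"\bnet1?(\.exe)?\s+group\b", re.I),
}

EVENT_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) cmd=(?P<cmd>.*)$")


def parse_event(line):
    """Return (timestamp, host, user, command) or None for an unparsable line."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["host"], m["user"], m["cmd"]


def find_recon_clusters(lines, window=timedelta(minutes=10), min_distinct=2):
    """Map (host, user) -> sorted pattern names for actors that ran at least
    `min_distinct` different enumeration commands inside one `window`."""
    hits = defaultdict(list)  # (host, user) -> [(timestamp, pattern name)]
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        ts, host, user, cmd = ev
        for name, pat in ENUM_PATTERNS.items():
            if pat.search(cmd):
                hits[(host, user)].append((ts, name))
    alerts = {}
    for key, events in hits.items():
        events.sort()
        for i, (t0, _) in enumerate(events):  # slide the window over each start point
            names = {n for t, n in events[i:] if t - t0 <= window}
            if len(names) >= min_distinct:
                alerts[key] = sorted(names)
                break
    return alerts
```

Against the constructed sample, only the VPN account on FS01 is flagged; a lone `whoami` from a workstation user is not.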
The researcher behind the exploits claims that Windows Defender’s handling of files with a “cloud tag” creates a race condition that can be abused to overwrite system files. By using the Cloud Files API to write a file and then exploiting a timing window with shadow copies, an attacker can place malicious code in the Windows system directory, thereby escalating privileges to SYSTEM. Security researcher Will Dormann confirmed the effectiveness of the RedSun exploit through independent testing and analysis on Mastodon.
Microsoft addressed BlueHammer in its April 2026 Patch Tuesday updates, assigning it the CVE identifier CVE-2026-33825. Still, as of April 17, no patches have been released for RedSun or UnDefend. Heise Online confirmed that RedSun remains effective even on fully patched Windows 10 and 11 systems, underscoring the absence of a mitigation.
The researcher alleges that Microsoft was aware of an impending public disclosure after a prior disclosure attempt was dismissed, yet took no action to coordinate a fix. In response to inquiries, a Microsoft spokesperson reiterated the company’s support for coordinated vulnerability disclosure and its commitment to investigating reported issues, though no specific timeline for patches to the remaining flaws was provided.
The situation highlights a growing tension between independent security researchers and corporate vulnerability response programs, particularly when researchers perceive institutional indifference or retaliation. By releasing exploit code publicly, the researcher aims to pressure Microsoft into faster action, a tactic that carries significant risk to end users while underscoring systemic challenges in responsible disclosure.
How the exploits bypass Defender’s protections
The attacker uses the Cloud Files API to create a file with a cloud tag, which triggers Defender to rewrite it to its original location. By winning a race condition against shadow copy operations, the exploit replaces the file with malicious code in a protected system directory, allowing privilege escalation to SYSTEM without triggering traditional defenses.
Why the researcher went public with exploit code
The researcher states that prior attempts to report the vulnerabilities through Microsoft’s Security Response Center were ignored or met with hostility, leading to the decision to publish proof-of-concept code as a form of protest to force accountability and prompt action.
What systems are affected by the RedSun and UnDefend exploits?
RedSun affects Windows 10, Windows 11, and Windows Server 2019 and later systems when Windows Defender is enabled. UnDefend can be exploited by a standard user on any system running Microsoft Defender to block definition updates, regardless of patch level.
Has Microsoft issued patches for all three vulnerabilities?
Microsoft has patched BlueHammer as part of its April 2026 security updates (tracked as CVE-2026-33825), but no patches are currently available for RedSun or UnDefend as of April 17, 2026.