Microsoft Defender Zero-Days Under Active Exploitation; Patches Released for Two Vulnerabilities

Key Findings


  • Three Microsoft Defender zero-day vulnerabilities are being actively exploited in the wild by threat actors

  • BlueHammer (CVE-2026-33825) has been patched as of April Patch Tuesday; RedSun and UnDefend remain unpatched

  • All three flaws were released by researcher Chaotic Eclipse in response to Microsoft's vulnerability disclosure handling

  • BlueHammer and RedSun enable local privilege escalation while UnDefend causes denial-of-service and blocks security definition updates

  • Exploitation began April 10 with BlueHammer, followed by RedSun and UnDefend proof-of-concept use on April 16


Background


A coordinated set of vulnerabilities has surfaced in Microsoft Defender, the built-in antivirus and security solution used across millions of Windows systems worldwide. The flaws were disclosed as zero-days by a researcher known as Chaotic Eclipse, who viewed Microsoft's handling of the vulnerability disclosure process as inadequate. The disclosure triggered immediate real-world attacks, signaling that threat actors were quick to weaponize the published exploits.


BlueHammer Local Privilege Escalation


CVE-2026-33825, codenamed BlueHammer, is a local privilege escalation flaw in Microsoft Defender that allows attackers to gain system-level access on compromised machines. Microsoft addressed this vulnerability in its April Patch Tuesday update, making it the only flaw among the three to receive an official fix. However, the vulnerability had already been exploited since April 10, giving threat actors a window to conduct attacks before the patch became available.


RedSun and UnDefend Remain Unpatched


Two critical vulnerabilities, RedSun and UnDefend, currently lack official patches from Microsoft. RedSun functions as another local privilege escalation flaw in Microsoft Defender, while UnDefend takes a different approach by triggering denial-of-service conditions and preventing security definition updates from being installed. This dual capability makes UnDefend particularly dangerous as it can both disable active protection and prevent systems from receiving updated malware signatures.


Active Exploitation in the Wild


Huntress observed all three vulnerabilities being exploited in actual attacks beginning mid-April. The threat actor activity followed standard reconnaissance patterns, with attackers executing enumeration commands like whoami /priv, cmdkey /list, and net group before attempting exploitation. This hands-on-keyboard activity indicates sophisticated threat actors conducting targeted campaigns rather than automated mass exploitation. Huntress took steps to isolate affected organizations to prevent further post-exploitation activities.
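The enumeration sequence described above (whoami /priv, cmdkey /list, net group) is a natural detection hook: a single lookup is noise, but several distinct recon commands from one account on one host within minutes is worth an alert. The following Python is an added example, not code from Huntress or from the page's sources; the pipe-delimited log format, host names and account names are constructed for the demonstration.

```python
"""Flag host/user pairs that run a burst of distinct reconnaissance commands
(the pattern seen before the Defender zero-day exploitation attempts)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample process-creation events (hypothetical hosts and users),
# one per line as "timestamp|host|user|command line".
SAMPLE_EVENTS = """\
2026-04-16T09:12:01|WS-FIN-07|corp\\jdoe|whoami /priv
2026-04-16T09:12:09|WS-FIN-07|corp\\jdoe|cmdkey /list
2026-04-16T09:12:30|WS-FIN-07|corp\\jdoe|net group "Domain Admins" /domain
2026-04-16T09:13:02|WS-FIN-07|corp\\jdoe|C:\\Temp\\tool.exe
2026-04-16T11:40:00|WS-HR-02|corp\\asmith|whoami /priv
2026-04-16T14:05:00|WS-HR-02|corp\\asmith|net group
"""

# Enumeration commands named in the Huntress observations.
RECON_PATTERNS = ("whoami /priv", "cmdkey /list", "net group")
WINDOW = timedelta(minutes=5)   # how close together the commands must be
MIN_DISTINCT = 3                # require several different recon commands


def parse_events(text):
    """Parse the constructed log format into (time, host, user, cmd) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, host, user, cmd = line.split("|", 3)
        # Normalise so "C:\...\whoami.exe /priv" still matches "whoami /priv".
        events.append((datetime.fromisoformat(ts), host, user,
                       cmd.lower().replace(".exe", "")))
    return events


def detect_recon_bursts(events, window=WINDOW, min_distinct=MIN_DISTINCT):
    """Return {(host, user): sorted recon patterns} for every host/user pair
    where at least `min_distinct` different patterns fire within `window`."""
    hits = defaultdict(list)
    for ts, host, user, cmd in events:
        for pat in RECON_PATTERNS:
            if pat in cmd:
                hits[(host, user)].append((ts, pat))
    alerts = {}
    for key, seen in hits.items():
        seen.sort()
        for i, (start, _) in enumerate(seen):       # slide a window forward
            in_window = {p for t, p in seen[i:] if t - start <= window}
            if len(in_window) >= min_distinct:
                alerts[key] = sorted(in_window)
                break
    return alerts


if __name__ == "__main__":
    for (host, user), cmds in detect_recon_bursts(parse_events(SAMPLE_EVENTS)).items():
        print(f"ALERT {host} {user}: {', '.join(cmds)}")
```

In the constructed sample only WS-FIN-07/corp\jdoe trips the rule; the two isolated lookups on WS-HR-02 are hours apart and stay below the threshold.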


Sources


  • https://thehackernews.com/2026/04/three-microsoft-defender-zero-days.html

  • https://www.infosecurity-magazine.com/news/microsoft-two-zerodays-april-patch/

© 2025 by Explain IT Again. Powered and secured by Wix