Microsoft Defender Zero‑Days BlueHammer, RedSun and UnDefend Are Under Active Attack

CyberSecureFox

Three newly disclosed zero‑day vulnerabilities in Microsoft Defender are being actively exploited in the wild, creating a high‑risk scenario for both enterprise and home Windows environments. According to incident data from Huntress, attackers are weaponizing the vulnerabilities dubbed BlueHammer, RedSun and UnDefend to escalate privileges and disrupt built‑in protection mechanisms on compromised hosts.

Who Is Behind the Microsoft Defender Zero‑Days and What They Enable

The three flaws were publicly released as zero‑day vulnerabilities by a security researcher operating under the handle Chaotic Eclipse (Nightmare‑Eclipse). The exploits were published before Microsoft had issued fixes for all of them, amid an ongoing debate in the security community about vulnerability disclosure practices and vendor response times.

BlueHammer and RedSun are both local privilege escalation (LPE) issues in Microsoft Defender. An LPE vulnerability allows an attacker who already has some level of access to a system (for example, a standard user account obtained through phishing or stolen credentials) to elevate privileges to administrator or even SYSTEM level. With that level of control, an attacker can disable security tools, deploy ransomware, install persistent backdoors and move laterally across the network.

The third vulnerability, UnDefend, does not grant direct control, but instead enables a denial of service (DoS) condition against core Defender components. By forcing failures or instability in update and protection services, attackers can effectively create a “blind spot” where malware can operate with a significantly reduced chance of detection.

BlueHammer (CVE‑2026‑33825): Active Exploitation and Available Patch

Huntress reports that real‑world exploitation of BlueHammer has been observed since 10 April 2026. This vulnerability has been assigned the identifier CVE‑2026‑33825 and was addressed by Microsoft in a recent Patch Tuesday security update release.

Despite the availability of a patch, exposure remains substantial because many organizations apply security updates with delays, driven by change‑management processes, maintenance windows or legacy update policies. As past incidents have shown, a single unpatched endpoint can provide attackers with a foothold that leads to compromise of an entire Windows domain.

Post‑Exploitation Indicators: Commands Used by Attackers

After successful exploitation of the Defender vulnerabilities, Huntress observed operators executing classic hands‑on‑keyboard commands such as whoami /priv, cmdkey /list and net group. These commands are commonly referenced in frameworks like MITRE ATT&CK as part of the discovery and credential‑access phases.

The intent behind these actions is clear: whoami /priv verifies the privileges gained, cmdkey /list searches for stored credentials that can be reused, and net group helps map out domain groups and administrative roles. In combination, this activity signals that the attacker has already breached the perimeter and is in the post‑exploitation stage, preparing for lateral movement, data theft or ransomware deployment.

RedSun and UnDefend: Exploits in the Wild, No Patches Yet

At the time of writing, RedSun and UnDefend remain unpatched zero‑days. Huntress has recorded the use of proof‑of‑concept exploits for these vulnerabilities since 16 April 2026, illustrating how quickly publicly released research code can be repurposed into operational tooling by threat actors.

RedSun, like BlueHammer, is a local privilege escalation issue within Microsoft Defender. It is particularly dangerous when combined with common initial access vectors such as phishing, exploitation of vulnerable web applications or brute‑forced remote access services. Once an attacker lands on a host with user‑level rights, RedSun can be used to escalate to high‑privilege accounts and bypass standard endpoint protections.

UnDefend takes a different approach by targeting the availability and reliability of Microsoft Defender itself. By disrupting update mechanisms or causing Defender services to enter an unstable state, adversaries can extend their dwell time, deploy additional remote‑access tools and run malicious processes with reduced risk of being blocked or quarantined.

Why Vulnerabilities in Security Tools Are Exceptionally High Risk

Endpoint protection platforms like Microsoft Defender are present on the majority of Windows systems and operate with elevated privileges. As a result, any vulnerability in such tools is automatically a high‑value target. Successful exploitation can undermine not just a single machine, but also centralized monitoring, security policies and update channels.

High‑profile incidents such as the compromise of software management and remote‑administration platforms have repeatedly demonstrated that attacks on trusted security and management infrastructure can lead to rapid, large‑scale propagation across networks. Industry reports, including Verizon’s annual Data Breach Investigations Report, consistently show that privilege escalation and abuse of trusted tools are key steps in the majority of impactful breaches.

Practical Recommendations to Protect Windows Environments

1. Prioritize urgent patching. Apply the latest Windows security updates that include the fix for CVE‑2026‑33825 (BlueHammer) across all endpoints and servers. Validate deployment using your patch‑management platform or a vulnerability scanner to identify systems that remain unpatched.

2. Enable targeted monitoring and detection. Configure security monitoring (EDR, SIEM or centralized logging) to alert on suspicious use of commands such as whoami /priv, cmdkey /list, net group and similar reconnaissance tools, as well as on unexpected Defender service restarts, repeated signature‑update failures and abrupt changes to antivirus policies.

3. Enforce least‑privilege access. Reduce local administrator rights and tightly control service accounts so that exploitation of an LPE vulnerability yields the smallest possible gain for an attacker. Regularly review group memberships, with special focus on Domain Admins and local Administrators.

4. Add layered defenses beyond Defender. Complement Microsoft Defender with EDR solutions, behavior‑based analytics and SIEM correlation to detect post‑exploitation activity even if Defender is degraded by UnDefend or similar attacks. Network segmentation and strict egress controls can further limit lateral movement.

5. Prepare incident‑response procedures. Establish clear playbooks for isolating compromised hosts, including network segmentation, temporary disconnection from critical systems and structured evidence collection. Organizations that rehearse these procedures in advance are better positioned to contain privilege‑escalation events and Defender outages.
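One way to implement the alerting described in recommendation 2, covering both the whoami /priv, cmdkey /list and net group sequence discussed under Post‑Exploitation Indicators and the Defender disruption signals, as an added example that is not code from Huntress, Microsoft or CyberSecureFox. The sample telemetry is constructed, and the Defender failure message patterns are assumptions rather than exact Windows event text.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data): (timestamp, host, kind, text).
# "process" rows carry a process-creation command line; "defender" rows a Defender log message.
SAMPLE_EVENTS = [
    ("2026-04-16T09:01:10", "WS-07", "process", r"C:\Windows\System32\whoami.exe /priv"),
    ("2026-04-16T09:01:42", "WS-07", "process", "cmdkey /list"),
    ("2026-04-16T09:02:05", "WS-07", "process", 'net group "Domain Admins" /domain'),
    ("2026-04-16T09:03:00", "WS-07", "defender", "WinDefend service terminated unexpectedly"),
    ("2026-04-16T11:15:00", "SRV-02", "process", "whoami /priv"),  # lone check, routine admin noise
    ("2026-04-16T11:20:00", "SRV-02", "defender", "Security intelligence update succeeded"),
]
# Assumed phrasings for "Defender itself is being disrupted" (UnDefend-style outcome).
DEFENDER_FAILURE = re.compile(r"terminated unexpectedly|update failed|failed to start", re.I)

def classify_command(cmdline):
    """Map a raw command line to one of the discovery commands named in the article, or None."""
    tokens = cmdline.strip().split()
    if not tokens:
        return None
    # Strip path, quotes and .exe so 'C:\...\whoami.exe' and 'whoami' are treated alike.
    exe = tokens[0].strip('"').rsplit("\\", 1)[-1].lower().removesuffix(".exe")
    args = [t.lower() for t in tokens[1:]]
    if exe == "whoami" and "/priv" in args:
        return "whoami /priv"
    if exe == "cmdkey" and "/list" in args:
        return "cmdkey /list"
    if exe in ("net", "net1") and args[:1] == ["group"]:
        return "net group"
    return None

def detect(events, window=timedelta(minutes=10), min_distinct=2):
    """Return {host: [alert, ...]}: two or more distinct discovery commands from one host
    inside the window, or any Defender failure message, raises an alert; one command does not."""
    seen, alerts = defaultdict(list), defaultdict(list)
    for ts_text, host, kind, text in sorted(events):
        ts = datetime.fromisoformat(ts_text)
        if kind == "process":
            label = classify_command(text)
            if label is None:
                continue
            seen[host].append((ts, label))
            recent = {l for t, l in seen[host] if ts - t <= window}
            if len(recent) >= min_distinct:
                alerts[host].append("discovery cluster: " + ", ".join(sorted(recent)))
        elif kind == "defender" and DEFENDER_FAILURE.search(text):
            alerts[host].append("defender disruption: " + text)
    return dict(alerts)
```

Feeding real process-creation and Defender operational events into detect() in place of SAMPLE_EVENTS, with the window and threshold tuned to the environment, turns this into a SIEM correlation rule rather than a one-off script.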

The active exploitation of BlueHammer, RedSun and UnDefend underscores how quickly zero‑day vulnerabilities in Microsoft Defender and other security tools can be transformed into practical attack vectors. Organizations should treat Defender vulnerabilities as a priority risk category, accelerate patch deployment, strengthen monitoring and continuously refine incident‑response capabilities. Proactive attention to privilege escalation and protection‑bypass techniques significantly increases the chances of detecting intrusions early and maintaining control over Windows infrastructure in the face of evolving threats.
