Microsoft Defender is under coordinated attack through three zero-day vulnerabilities that turn the security software into an attack vector. Huntress confirmed active exploitation of all three techniques, BlueHammer, RedSun and UnDefend, since April 10, 2026. Microsoft patched only one. Two remain unpatched across all supported Windows versions.
The three exploits form what Vectra describes as a “layered degradation strategy”: attackers use BlueHammer or RedSun to escalate to SYSTEM privileges, then deploy UnDefend to progressively weaken endpoint protection. The researcher behind the exploits, going by Chaotic Eclipse, published all three as proof-of-concept code after claiming Microsoft’s Security Response Center ignored their coordinated disclosure attempts.
Only BlueHammer Has a Patch
Microsoft released an emergency fix for BlueHammer on April 14, assigning it CVE-2026-33825 with a CVSS score of 7.8. CISA added the vulnerability to its Known Exploited Vulnerabilities catalogue on April 22, requiring federal agencies to patch by May 6.
BlueHammer exploits a time-of-check to time-of-use race condition in Defender’s threat remediation engine. The exploit uses opportunistic locks to pause Defender mid-operation, then redirects a SYSTEM-level file write from a temporary directory to C:\Windows\System32, allowing an attacker to overwrite system binaries and achieve SYSTEM privileges.
RedSun and UnDefend remain unpatched. RedSun abuses Defender’s cloud file rollback mechanism to achieve the same SYSTEM-level access through a different code path. UnDefend targets Defender’s update pipeline, silently blocking signature updates to degrade protection over time without triggering obvious alerts.
Russian Infrastructure Linked to Active Campaigns
Huntress observed the first BlueHammer exploitation on April 10, followed by RedSun and UnDefend usage on April 16. The attacks involved “hands-on-keyboard threat actor activity” including standard reconnaissance commands: whoami /priv, cmdkey /list and net group enumeration.
The incident involved a compromised SSL VPN connection to a FortiGate firewall. Huntress identified suspicious VPN access “including a source IP geolocated to Russia with additional suspicious infrastructure observed in other regions.” The attackers staged exploit binaries in user-writable directories such as Pictures folders and Downloads subfolders, using filenames like RedSun.exe and z.exe.
This is precisely the scenario that makes government agencies nervous about zero-day disclosure without coordination. When working exploits hit public repositories, threat actors can weaponise them within days.
Fully Patched Systems Remain Exposed
The two unpatched vulnerabilities affect Windows 10, Windows 11 and Windows Server 2016-2025 with Defender enabled, which covers virtually every Windows installation. Security researcher Will Dormann confirmed RedSun works on fully patched systems, and ProArch notes that “fully updated systems [remain] exposed to continued exploitation until Microsoft releases remediation.”
The combination makes traditional patch management insufficient. An organisation could apply every available Windows update and still be vulnerable to privilege escalation through Defender itself.
Microsoft’s response has been measured. A spokesperson confirmed the BlueHammer patch and stated the company “supports coordinated vulnerability disclosure”, which is notable phrasing given that the disclosure was anything but coordinated.
Detection and Mitigation Options
Apply the April 2026 Patch Tuesday updates to address BlueHammer immediately. For the two unpatched vulnerabilities, focus on behavioral detection rather than signature-based approaches, since attackers can recompile from modified source code.
Monitor for Volume Shadow Copy enumeration from non-system processes. Cyderes notes that “NtQueryDirectoryObject calls targeting HarddiskVolumeShadowCopy* from user-space processes have no legitimate use case outside of system and backup tooling.” Watch for Cloud Files sync root registration by untrusted processes.
Restrict execution from user-writable directories and enable Attack Surface Reduction rules where possible. Increase alerting for Defender tampering or abnormal remediation behavior. Monitor Defender update status closely: UnDefend can lie to management consoles, reporting Defender as healthy when signature updates are actually blocked.
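The three behavioral checks above (shadow copy enumeration from non-system processes, Cloud Files sync root registration by untrusted processes, and execution from user-writable staging folders) as a single triage routine run over constructed telemetry. This is an added example, not code from the original post or any vendor; the event schema, the trusted-image allowlist and the sample events are assumptions you would replace with your own EDR fields and deployed backup/sync tooling.

```python
from dataclasses import dataclass

# Allowlist of images that legitimately enumerate shadow copies or register
# Cloud Files sync roots. Assumption: tune to the backup/sync tooling deployed.
TRUSTED_IMAGES = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\vssadmin.exe",
    r"c:\windows\system32\wbengine.exe",
    r"c:\program files\microsoft onedrive\onedrive.exe",
}
# User-writable staging locations of the kind seen in the Huntress incident.
USER_WRITABLE = ("\\pictures\\", "\\downloads\\", "\\appdata\\local\\temp\\")
SHADOW_COPY_PREFIX = r"\device\harddiskvolumeshadowcopy"


@dataclass
class Event:
    image: str        # full path of the acting process
    operation: str    # NtQueryDirectoryObject | CfRegisterSyncRoot | ProcessCreate
    target: str = ""  # object path, sync root path, or child image


def triage(event):
    """Return the behavioural findings for one event; an empty list is benign."""
    image, target = event.image.lower(), event.target.lower()
    trusted = image in TRUSTED_IMAGES
    findings = []
    if (event.operation == "NtQueryDirectoryObject"
            and target.startswith(SHADOW_COPY_PREFIX) and not trusted):
        findings.append(f"shadow-copy enumeration by user-space process {event.image}")
    if event.operation == "CfRegisterSyncRoot" and not trusted:
        findings.append(f"sync root registered by untrusted process {event.image}")
    if event.operation == "ProcessCreate" and any(d in target for d in USER_WRITABLE):
        # Location, not filename, is the signal: a recompiled binary keeps the path.
        findings.append(f"execution from user-writable directory: {event.target}")
    return findings


# Constructed sample telemetry (not real incident data).
SAMPLE_EVENTS = [
    Event(r"C:\Windows\System32\wbengine.exe", "NtQueryDirectoryObject",
          r"\Device\HarddiskVolumeShadowCopy1"),
    Event(r"C:\Users\alice\Pictures\z.exe", "NtQueryDirectoryObject",
          r"\Device\HarddiskVolumeShadowCopy3"),
    Event(r"C:\Users\alice\Pictures\z.exe", "CfRegisterSyncRoot", r"C:\Users\alice\sync"),
    Event(r"C:\Windows\explorer.exe", "ProcessCreate",
          r"C:\Users\alice\Downloads\tools\RedSun.exe"),
]


def triage_all(events=SAMPLE_EVENTS):
    """Map each event index to its findings, keeping only events that fired."""
    return {i: f for i, e in enumerate(events) if (f := triage(e))}
```

The backup tool enumerating a shadow copy produces no finding, while the same call from a binary in a Pictures folder does; because the match is on process location and behavior rather than on the RedSun.exe or z.exe filenames, a recompiled variant still fires.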
References
- Three Microsoft Defender Zero-Days Actively Exploited; Two Still Unpatched
- CISA Known Exploited Vulnerabilities Catalog — CVE-2026-33825
- Microsoft Defender Zero-Day Exploits — BlueHammer & RedSun (April 2026)
- When the Defender Becomes the Door — BlueHammer, RedSun, and UnDefend in the Wild
- Recent Microsoft Defender Vulnerability Exploited as Zero-Day
- BlueHammer, RedSun, and UnDefend — Three Windows Defender Zero-Days Exploited in the Wild