Three Zero-Day Vulnerabilities Under Attack in Microsoft Defender, Two Remain Unpatched

Threat actors are actively exploiting three zero‑day vulnerabilities in Microsoft Defender to obtain elevated privileges on compromised Windows systems, according to recent disclosures by security researchers. The flaws, nicknamed BlueHammer, RedSun, and UnDefend, were publicly revealed by an independent researcher operating under the alias Chaotic Eclipse, who also criticized Microsoft’s response to the initial reports.

Following the disclosure, Chaotic Eclipse released public proof‑of‑concept (PoC) exploit code, including working demonstrations for vulnerabilities that remain unpatched. The disclosure significantly lowered the barrier to exploitation, enabling other threat actors to rapidly weaponize the flaws.

Overview of the Vulnerabilities

The three vulnerabilities impact Microsoft Defender in different ways:

  • BlueHammer and RedSun are local privilege‑escalation flaws that allow attackers who already have limited access to a system to elevate their permissions by abusing Defender components.
  • UnDefend, while not granting elevated privileges directly, causes a denial‑of‑service condition by preventing security definition updates. This effectively weakens Microsoft Defender’s ability to detect threats, leaving affected systems more vulnerable to follow‑on attacks.

As of now, only BlueHammer has been patched by Microsoft. The vulnerability was assigned CVE‑2026‑33825. RedSun and UnDefend remain unpatched, leaving systems exposed despite public awareness and active exploitation.

Evidence of Active Exploitation

Researchers at Huntress confirmed that all three vulnerabilities have been exploited in real‑world attacks. While the identity of both the attackers and victims has not been publicly disclosed, telemetry data indicates that malicious actors moved quickly to take advantage of the publicly available exploit code.

According to Huntress, exploitation activity began shortly after the PoC code was published:

  • BlueHammer was first observed being exploited on April 10, 2026
  • RedSun and UnDefend began appearing in attack chains on April 16, 2026, shortly after additional exploit examples were released

This pattern strongly suggests that threat actors are leveraging the public exploit materials released by Chaotic Eclipse, rather than independently discovering the flaws.

Security Implications

The rapid adoption of these exploits highlights a recurring trend in modern threat activity: once exploit code is made public, even highly complex vulnerabilities can be quickly operationalized. Privilege‑escalation exploits are particularly valuable to attackers because they allow malware to escape sandbox restrictions, disable security controls, persist across reboots, and move laterally within enterprise environments.

The presence of an unpatched Defender‑related denial‑of‑service flaw further amplifies the risk. By blocking security definition updates, attackers can intentionally degrade endpoint protection before deploying additional payloads, increasing the likelihood of successful compromise.

Broader Takeaway

This incident underscores the narrow window defenders have between public disclosure and widespread exploitation, especially when proof‑of‑concept code is released before patches are available. It also raises concerns around vulnerability coordination and patch timelines for security‑critical components like Microsoft Defender.

Organizations relying on Microsoft Defender are advised to:

  • Ensure the BlueHammer patch is applied immediately
  • Closely monitor Defender behavior and update mechanisms
  • Implement additional endpoint hardening and detection controls until remaining flaws are fixed
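One way to act on the second recommendation, as an added example that is not part of the article and not Microsoft's or the researcher's code: a PowerShell check, run in an elevated session on a Windows host with the Defender module, that reports stale definitions (the symptom UnDefend produces), disabled protection, and recent failed update events. The two-day freshness threshold is an assumed policy value.

```powershell
# Added example (not from the article): audit Microsoft Defender definition freshness
# and core protection state on the local host. Run in an elevated PowerShell session.
# $MaxSignatureAgeDays is an assumed policy threshold, not a value from the article.
function Test-DefenderHealth {
    param([int]$MaxSignatureAgeDays = 2)

    $status   = Get-MpComputerStatus
    $findings = New-Object System.Collections.Generic.List[string]

    # Core engine and real-time protection must be on; both are what security-degradation attacks aim at.
    if (-not $status.AMServiceEnabled)          { $findings.Add('Antimalware service (AMServiceEnabled) is off') }
    if (-not $status.RealTimeProtectionEnabled) { $findings.Add('Real-time protection is disabled') }

    # Stale definitions are the observable result of a blocked update channel.
    $signatureSets = @(
        @{ Name = 'Antivirus';   Age = $status.AntivirusSignatureAge;   Updated = $status.AntivirusSignatureLastUpdated }
        @{ Name = 'Antispyware'; Age = $status.AntispywareSignatureAge; Updated = $status.AntispywareSignatureLastUpdated }
        @{ Name = 'NIS';         Age = $status.NISSignatureAge;         Updated = $status.NISSignatureLastUpdated }
    )
    foreach ($set in $signatureSets) {
        if ($set.Age -gt $MaxSignatureAgeDays) {
            $findings.Add(('{0} definitions are {1} days old (last updated {2})' -f $set.Name, $set.Age, $set.Updated))
        }
    }

    # Defender logs a failed definition update as event ID 2001 in its Operational channel.
    # Get-WinEvent throws when nothing matches, hence SilentlyContinue.
    $failedUpdates = @(Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 2001
        StartTime = (Get-Date).AddDays(-1)
    } -ErrorAction SilentlyContinue)
    if ($failedUpdates.Count -gt 0) {
        $findings.Add(('{0} failed definition update(s) logged in the last 24 hours' -f $failedUpdates.Count))
    }

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        SignatureVersion = $status.AntivirusSignatureVersion
        Healthy          = ($findings.Count -eq 0)
        Findings         = $findings.ToArray()
    }
}

# Usage: a non-empty Findings list means protection is degraded and warrants investigation.
Test-DefenderHealth | Format-List
```

The same function can be run fleet-wide through your existing remoting or EDR scripting channel, with Healthy -eq $false as the alerting condition.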

Until RedSun and UnDefend are remediated, systems remain at heightened risk of privilege escalation and security degradation attacks.
