Researchers warn that three critical zero-day vulnerabilities in Microsoft Defender are being actively exploited by hackers, with two of them still unpatched, posing a serious threat to millions of systems.
Security firm Huntress reported that attackers are using three newly identified vulnerabilities in Microsoft Defender to gain elevated access on compromised machines.
The flaws are referred to as BlueHammer (local privilege escalation), RedSun (local privilege escalation), and UnDefend (denial of service). All three were published as zero-day bugs by a bug hunter going by the name Chaotic Eclipse (Nightmare-Eclipse), who was dissatisfied with how Microsoft was handling the bug disclosure and fixing process.
BlueHammer and RedSun each give a local attacker a way to elevate privileges, while UnDefend provides a denial-of-service method that prevents or blocks antivirus signature updates.
Microsoft has already fixed one of the vulnerabilities, BlueHammer, which was patched in the April Patch Tuesday release as CVE-2026-33825. At the time of this writing, no patches were available for RedSun and UnDefend.
Huntress noted that all three of the above-mentioned vulnerabilities have already been used in real attacks. The first evidence of exploitation was observed on April 10th, 2026, when BlueHammer began being exploited; the first proofs of concept for RedSun and UnDefend became available on April 16th, 2026.
Once a vulnerability had been exploited, typical discovery commands were run to collect additional information about the compromised machine: whoami /priv, cmdkey /list, and net group. This clearly indicates hands-on-keyboard activity by the attacker(s) after the compromise.
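As an added defender-side illustration (not code from Huntress or from the original article), the following script runs a small detection over constructed process-creation events and flags any host where two or more of the discovery commands named in the report appear within a short window. The pipe-delimited event layout, hostnames and user names are assumptions made for the example.

```python
"""Flag hosts where the reported discovery commands cluster in time."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Discovery commands named in the report, matched against the command line.
DISCOVERY_PATTERNS = {
    "whoami_priv": re.compile(r"\bwhoami(\.exe)?\s+/priv\b", re.I),
    "cmdkey_list": re.compile(r"\bcmdkey(\.exe)?\s+/list\b", re.I),
    "net_group": re.compile(r"\bnet1?(\.exe)?\s+group\b", re.I),
}

# Constructed sample events (timestamp|host|user|command line); not real telemetry.
SAMPLE_EVENTS = """\
2026-04-16T10:01:02|WS01|CORP\\jdoe|C:\\Windows\\System32\\whoami.exe /priv
2026-04-16T10:01:09|WS01|CORP\\jdoe|cmdkey.exe /list
2026-04-16T10:01:30|WS01|CORP\\jdoe|net group "Domain Admins" /domain
2026-04-16T10:05:00|WS02|CORP\\admin|whoami /priv
2026-04-16T13:20:00|WS02|CORP\\admin|net group
2026-04-16T11:00:00|WS03|CORP\\svc|C:\\Windows\\System32\\svchost.exe -k netsvcs
"""


def parse_events(text):
    """Parse pipe-delimited lines into (timestamp, host, user, command) tuples."""
    events = []
    for line in text.splitlines():
        ts, host, user, cmd = line.split("|", 3)
        events.append((datetime.fromisoformat(ts), host, user, cmd))
    return events


def classify(cmd):
    """Return the discovery-pattern name matching this command line, or None."""
    for name, pattern in DISCOVERY_PATTERNS.items():
        if pattern.search(cmd):
            return name
    return None


def find_discovery_clusters(events, window=timedelta(minutes=10), min_distinct=2):
    """Return {host: sorted distinct pattern names} for hosts where at least
    min_distinct different discovery commands ran within one window."""
    per_host = defaultdict(list)
    for ts, host, _user, cmd in events:
        name = classify(cmd)
        if name:
            per_host[host].append((ts, name))
    hits = {}
    for host, seen in per_host.items():
        seen.sort()  # slide a window over the host's discovery events in time order
        for i, (start, _) in enumerate(seen):
            names = {n for t, n in seen[i:] if t - start <= window}
            if len(names) >= min_distinct:
                hits[host] = sorted(names)
                break
    return hits


if __name__ == "__main__":
    print(find_discovery_clusters(parse_events(SAMPLE_EVENTS)))
```

WS01 is flagged because all three commands ran within thirty seconds; WS02 runs two of them hours apart and is not, which is the kind of timing tolerance worth tuning against real telemetry.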
Additionally, Huntress was able to isolate one of the compromised organizations to limit further propagation of the exploit.