WARNING: Three Microsoft Defender Zero-Days Under Active Attack As Two Remain Unpatched - LinkedIn
LinkedIn, archived Apr 30, 2026
Attackers are actively exploiting three recently disclosed vulnerabilities affecting Microsoft Defender, raising fresh concerns over endpoint security for millions of Windows users worldwide.
Security firm Huntress said threat actors have already weaponized the flaws — known publicly as BlueHammer, RedSun, and UnDefend — to escalate privileges on compromised systems and weaken built-in antivirus protections. While Microsoft has issued a patch for one of the bugs, two remain unresolved as of this weekend.
The vulnerabilities target Microsoft Defender, the default antivirus and endpoint protection software integrated into Microsoft Windows operating systems and widely used across enterprises, schools, and government environments.
What the Flaws Allow Attackers to Do
According to researchers, both BlueHammer and RedSun are classified as local privilege escalation (LPE) vulnerabilities. That means an attacker who already has access to a machine — even with low-level permissions — can potentially use the flaws to obtain SYSTEM-level control, the highest level of privilege on Windows devices.
Once SYSTEM privileges are obtained, attackers can often:
Disable security tools
Dump credentials
Install ransomware
Move laterally across networks
Create persistent backdoors
Tamper with logs and forensic evidence
The third flaw, UnDefend, is different but still serious. Researchers say it can be used to block Defender signature updates or disrupt protections, effectively allowing malware to operate while the system’s defenses become outdated.
One Patch Released, Two Bugs Still Open
Earlier this week, Microsoft addressed BlueHammer during its April Patch Tuesday security rollout. The issue is now tracked as CVE-2026-33825, described as an elevation-of-privilege vulnerability in Defender. The flaw carries a CVSS score of 7.8 (High).
However, no official fixes have yet been released for RedSun or UnDefend, creating a dangerous window in which public proof-of-concept exploit code exists while defenders wait for patches.
That scenario is particularly concerning because publicly available exploit tools often accelerate criminal adoption.
Exploitation Already Seen in the Wild
Huntress said it observed active exploitation beginning April 10, with BlueHammer used first. By April 16, the company said it detected use of RedSun and UnDefend proof-of-concept tools in real-world incidents.
Researchers noted the exploit attempts followed familiar attacker reconnaissance commands such as:
whoami /priv
cmdkey /list
net group
Those commands are commonly used after an intruder gains an initial foothold and begins mapping privileges, saved credentials, and administrative access opportunities.
The company added that it isolated at least one impacted organization to stop further post-compromise activity.
Why Defender Is an Attractive Target
Because Microsoft Defender ships by default with Windows, it is installed on an enormous number of systems globally. Security analysts say vulnerabilities in such a widely deployed defensive product are especially valuable to attackers.
When the security tool itself becomes the path to SYSTEM access, that’s strategically significant. Security software typically runs with elevated privileges, making flaws particularly dangerous.
Controversial Public Disclosure
The three exploits were reportedly published by a researcher using the aliases Chaotic Eclipse and Nightmare-Eclipse, who claimed frustration with Microsoft’s vulnerability disclosure handling.
The releases reignited debate inside the security community over responsible disclosure, vendor response times, and the risks of publishing exploit code before patches are available.
Some researchers argue public disclosure pressures vendors to act faster. Others warn it gives criminals ready-made attack tools.
Enterprise Risk Assessment
For businesses, the threat is most serious when attackers already possess:
Phished credentials
Malware execution on one endpoint
Remote access through another vulnerability
Insider access
Stolen VPN sessions
In those cases, privilege-escalation flaws can turn a minor intrusion into a full domain-wide compromise.
Security teams should assume such bugs may be chained with initial-access techniques including phishing, malicious documents, browser exploits, or credential theft.
What Organizations Should Do Now
Recommended immediate defensive steps:
1. Patch CVE-2026-33825 Immediately
Ensure all Windows systems have the latest April 2026 security updates installed.
2. Monitor Defender Health
Check whether signature updates are functioning normally and whether endpoints have recently stopped receiving updates.
3. Hunt for Privilege Escalation Activity
Look for suspicious use of:
whoami /priv
Credential dumping tools
New local admin accounts
Unexpected SYSTEM shells
4. Limit Local Access
Use least-privilege controls to reduce opportunities for attackers already inside a machine.
5. Increase EDR Visibility
Organizations using Microsoft Defender or third-party EDR tools should ensure telemetry is retained and alerts tuned for privilege abuse.
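The patch check, Defender health check and command hunt from the steps above (and the reconnaissance commands listed under "Exploitation Already Seen in the Wild"), as an added PowerShell example that is not part of the article. It assumes process-creation auditing with command-line logging is enabled for Security event 4688 and that the reader fills in the April 2026 KB number (a placeholder here); the one-day signature-age threshold is an assumption.

```powershell
# Added example (not from the article): defender-side triage for one endpoint.
# Assumptions: 4688 command-line auditing is on; the KB number is a placeholder.
$MaxSignatureAgeDays = 1                  # assumption: flag signatures older than a day
$AprilUpdateKB       = 'KB<PLACEHOLDER>'  # replace with the KB that ships the CVE-2026-33825 fix
$ReconPatterns       = @('whoami /priv', 'cmdkey /list', 'net group')  # commands cited by Huntress

# 1. Patch status: is the April 2026 update present?
$patch = Get-HotFix -Id $AprilUpdateKB -ErrorAction SilentlyContinue
if ($patch) { "OK   $AprilUpdateKB installed $($patch.InstalledOn)" }
else        { "WARN $AprilUpdateKB not found; CVE-2026-33825 may still be unpatched" }

# 2. Defender health: engine running, real-time protection on, signatures fresh
$mp = Get-MpComputerStatus
if (-not $mp.AMServiceEnabled)          { "WARN Defender antimalware service is not running" }
if (-not $mp.RealTimeProtectionEnabled) { "WARN real-time protection is disabled" }
if ($mp.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
    # Stale signatures are what the UnDefend-style update blocking would look like
    "WARN AV signatures are $($mp.AntivirusSignatureAge) days old (last update $($mp.AntivirusSignatureLastUpdated))"
} else {
    "OK   AV signatures updated $($mp.AntivirusSignatureLastUpdated)"
}

# 3. Hunt: process-creation events (4688) in the last 24h whose command line matches recon patterns
$filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-24) }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
foreach ($e in $events) {
    # The 'Process Command Line' field is only populated when command-line auditing is enabled
    if ($e.Message -match 'Process Command Line:\s*(?<cmd>.+)') {
        $cmd = $Matches['cmd'].Trim()
        foreach ($p in $ReconPatterns) {
            if ($cmd -like "*$p*") {
                # Properties[1] is SubjectUserName for event 4688
                "HUNT $($e.TimeCreated) user=$($e.Properties[1].Value) cmd=$cmd"
            }
        }
    }
}
```

Run it from an elevated PowerShell session; a hit in the HUNT lines is a lead to triage against the parent process and logon session, not proof of exploitation on its own.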
Broader Trend: Security Tools Under Attack
The incidents also reflect a growing trend in cybercrime: targeting security products themselves. Over the past several years, attackers have increasingly sought flaws in antivirus, VPN, backup, and remote management tools because compromising them offers stealth and elevated access.
For defenders, the message is clear: trusted software can still become an attack surface.
Conclusion
With two Microsoft Defender flaws still lacking fixes and exploit code already circulating, expect additional copycat attacks in the coming days. Security teams are likely to watch closely for emergency mitigations or out-of-band patches from Microsoft.
Until then, organizations may need to rely on rapid detection, patching discipline, and close endpoint monitoring rather than waiting for a complete vendor fix.