Three zero-day exploits against Microsoft Defender (BlueHammer, RedSun, UnDefend) are being used in the wild. One of them now has a patch; the other two remain unpatched, leaving endpoint protection exposed on otherwise up-to-date hosts.
Zero-Day Alert for Sysadmins and Pentesters!
Huntress researchers have confirmed that threat actors are actively exploiting three critical flaws in Microsoft Defender to escalate privileges and to block Defender's definition updates. The exploits were published as zero-days by a researcher known as Chaotic Eclipse (Nightmare-Eclipse) following a dispute with Microsoft's disclosure process.
The 'Unholy Trinity' of Exploits:
* BlueHammer (CVE-2026-33825): A Local Privilege Escalation (LPE) flaw. Patched in the latest Patch Tuesday updates, but still effective on systems that have not installed them.
* RedSun: A second LPE vulnerability. STATUS: UNPATCHED. It lets an attacker who already has a low-privileged foothold gain SYSTEM-level access.
* UnDefend: A Denial-of-Service (DoS) exploit that stops Microsoft Defender from receiving definition updates, so the host keeps running with stale signatures and is blind to newer threats. STATUS: UNPATCHED.
Observed Activity:
Telemetry shows attackers running these exploits immediately after basic enumeration commands such as whoami /priv and net group. The activity has been seen in hands-on-keyboard intrusions since April 10, 2026.
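The burst described above (whoami /priv followed by net group from the same account) is cheap to hunt for in process-creation telemetry. The script below is an added example, not Huntress's tooling or code from the report: it flattens Windows Security 4688 events by their named XML fields and reports any account that ran both commands within a short window. It assumes "Audit Process Creation" and "Include command line in process creation events" are enabled (otherwise CommandLine is empty), and the 10-minute window and the sample events at the bottom are constructed for the example.

```powershell
# Added example, not part of the Huntress report: hunt for the enumeration
# burst (whoami /priv and net group from the same account in a short window)
# in Windows Security 4688 process-creation events.
# Assumes "Audit Process Creation" and "Include command line in process
# creation events" are enabled; without them CommandLine is empty.

$EnumPatterns = @{
    'whoami /priv' = '^\s*"?(?:.*\\)?whoami(?:\.exe)?"?\s+/priv\b'
    'net group'    = '^\s*"?(?:.*\\)?net1?(?:\.exe)?"?\s+group\b'
}

function ConvertFrom-ProcessEvent {
    # Flatten a 4688 EventLogRecord using the named fields in its XML payload
    # (more robust than positional .Properties indexes, which differ by build).
    param([Parameter(Mandatory, ValueFromPipeline)] $Event)
    process {
        $x = [xml]$Event.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time        = $Event.TimeCreated
            Computer    = $Event.MachineName
            User        = $d['SubjectUserName']
            Process     = $d['NewProcessName']
            CommandLine = $d['CommandLine']
            Parent      = $d['ParentProcessName']
        }
    }
}

function Find-EnumerationBursts {
    # Returns one object per (Computer, User) that ran both enumeration
    # commands within $WindowMinutes, with first/last timestamps and the command lines.
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $WindowMinutes = 10   # assumed threshold; tune for your environment
    )
    $hits = foreach ($e in $Events) {
        foreach ($name in $EnumPatterns.Keys) {
            if ($e.CommandLine -match $EnumPatterns[$name]) {
                [pscustomobject]@{
                    Computer = $e.Computer; User = $e.User; Time = $e.Time
                    Technique = $name; CommandLine = $e.CommandLine
                }
                break
            }
        }
    }
    $hits | Group-Object Computer, User | ForEach-Object {
        $seq   = @($_.Group | Sort-Object Time)
        $span  = ($seq[-1].Time - $seq[0].Time).TotalMinutes
        $kinds = @($seq.Technique | Sort-Object -Unique)
        if ($kinds.Count -ge 2 -and $span -le $WindowMinutes) {
            [pscustomobject]@{
                Computer  = $seq[0].Computer
                User      = $seq[0].User
                FirstSeen = $seq[0].Time
                LastSeen  = $seq[-1].Time
                Commands  = ($seq.CommandLine -join ' ; ')
            }
        }
    }
}

# Constructed sample (not real telemetry): jdoe enumerates, svc_backup does not.
$Sample = @(
    [pscustomobject]@{ Time = [datetime]'2026-04-10T09:14:02'; Computer = 'WS01'; User = 'jdoe'
                       Process = 'C:\Windows\System32\whoami.exe'; CommandLine = 'whoami /priv'
                       Parent = 'C:\Windows\System32\cmd.exe' }
    [pscustomobject]@{ Time = [datetime]'2026-04-10T09:14:40'; Computer = 'WS01'; User = 'jdoe'
                       Process = 'C:\Windows\System32\net.exe'; CommandLine = 'net group "Domain Admins" /domain'
                       Parent = 'C:\Windows\System32\cmd.exe' }
    [pscustomobject]@{ Time = [datetime]'2026-04-10T09:30:11'; Computer = 'WS01'; User = 'svc_backup'
                       Process = 'C:\Windows\System32\net.exe'; CommandLine = 'net use Z: \\fs01\backup'
                       Parent = 'C:\Windows\System32\cmd.exe' }
)
Find-EnumerationBursts -Events $Sample | Format-List

# Against live logs (last 24 h) on a host with command-line auditing enabled:
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-24) } |
#             ConvertFrom-ProcessEvent
# Find-EnumerationBursts -Events $live
```

On the sample data only jdoe is reported. The same two regexes work unchanged on Sysmon Event ID 1, which carries CommandLine, User and ParentImage directly; only the flattening function needs to change.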
Why this matters:
Because two of the three flaws are still unpatched, an attacker who already has local access to a fully updated machine can escalate to SYSTEM and stop Defender from receiving definitions, effectively neutralizing it. Patching BlueHammer is necessary but not sufficient; until fixes for RedSun and UnDefend ship, the practical defenses are limiting local access and watching Defender's signature freshness across the fleet.
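Whatever the internals of the update-blocking exploit (which the report does not describe), its visible effect is a Defender instance whose signatures stop advancing. The script below is an added example, not code from Huntress or Microsoft: it uses the built-in Defender cmdlets to report whether the antimalware service, the engine and real-time protection are on and how old the signatures are, and attempts a signature refresh when something is wrong. The 2-day staleness threshold is an assumption to adjust to your own update SLA.

```powershell
# Added example, not from the Huntress report: is Defender on this host still
# running and still receiving definitions? Run as an administrator on Windows.
# $MaxSignatureAgeDays is an assumed threshold; pick what your SLA allows.

function Test-DefenderHealth {
    param([int] $MaxSignatureAgeDays = 2)

    $status   = Get-MpComputerStatus   # built-in Defender cmdlet
    $findings = New-Object System.Collections.Generic.List[string]

    if (-not $status.AMServiceEnabled)          { $findings.Add('Antimalware service is not enabled') }
    if (-not $status.AntivirusEnabled)          { $findings.Add('Antivirus engine is disabled') }
    if (-not $status.RealTimeProtectionEnabled) { $findings.Add('Real-time protection is off') }
    if ($status.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
        $findings.Add("Antivirus signatures are $($status.AntivirusSignatureAge) days old " +
                      "(last updated $($status.AntivirusSignatureLastUpdated))")
    }
    # IsTamperProtected only exists on newer builds; report it when present.
    $tp = $status.PSObject.Properties['IsTamperProtected']
    if ($tp -and -not $tp.Value) { $findings.Add('Tamper Protection is off') }

    [pscustomobject]@{
        Computer         = ${env:COMPUTERNAME}
        SignatureVersion = $status.AntivirusSignatureVersion
        SignatureAgeDays = $status.AntivirusSignatureAge
        LastUpdated      = $status.AntivirusSignatureLastUpdated
        RunningMode      = $status.AMRunningMode
        Healthy          = ($findings.Count -eq 0)
        Findings         = $findings.ToArray()
    }
}

$health = Test-DefenderHealth
$health | Format-List

if (-not $health.Healthy) {
    # Try to pull fresh definitions. A host whose update keeps failing while
    # its network path to the update source is fine should be treated as
    # suspect and isolated rather than retried indefinitely.
    try {
        Update-MpSignature -ErrorAction Stop
        "Signature update succeeded: $((Get-MpComputerStatus).AntivirusSignatureVersion)"
    } catch {
        "Signature update FAILED on ${env:COMPUTERNAME}: $($_.Exception.Message)"
    }
}
```

Run it through your remoting or RMM of choice and diff SignatureVersion across hosts: a single machine whose version stops moving while its peers keep advancing is the signal to look for, since a DoS against updates leaves everything else in the status output looking normal.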
Source: Security Research / Huntress Analysis
What do you think? Is Microsoft's 'Coordinated Disclosure' failing researchers?
TAGS:
#ZeroDay
#MicrosoftDefender