A critical cybersecurity alert has been issued by security firm Huntress, revealing that three recently disclosed zero-day vulnerabilities in Microsoft Defender are actively being exploited by threat actors. Alarmingly, two of these flaws remain unpatched, leaving countless systems vulnerable to potential compromise and disruption.
The Unfolding Crisis: Three Zero-Days in Microsoft Defender
The vulnerabilities, codenamed BlueHammer, RedSun, and UnDefend, were brought to light by a researcher known as Chaotic Eclipse (also identified as Nightmare-Eclipse). This public disclosure, made in response to concerns over Microsoft’s handling of the vulnerability disclosure process, has thrust these critical flaws into the spotlight.
BlueHammer and RedSun: Paths to Privilege Escalation
Both BlueHammer and RedSun are classified as local privilege escalation (LPE) flaws. This means that an attacker who has already gained initial access to a system could exploit these vulnerabilities to elevate their privileges, potentially taking full control of the compromised machine. BlueHammer, the details of which are gated behind a GitHub sign-in, was addressed by Microsoft as part of its Patch Tuesday updates earlier this week, tracked under CVE-2026-33825. However, RedSun, a similarly dangerous LPE flaw, currently has no official fix.
UnDefend: Disrupting Essential Protections
The third vulnerability, UnDefend, presents a different but equally concerning threat. This flaw can be leveraged to trigger a denial-of-service (DoS) condition, effectively blocking critical definition updates for Microsoft Defender. In an environment where new threats emerge constantly, the inability to receive timely updates severely cripples a system’s defenses, leaving it exposed to the latest malware and attack vectors. Like RedSun, UnDefend remains unpatched at the time of writing.
Active Exploitation Confirmed by Huntress
Huntress’s investigation, detailed in a series of posts on X (formerly Twitter), confirms that all three flaws are being actively exploited in the wild. The firm observed BlueHammer being weaponized as early as April 10, 2026, with proof-of-concept (PoC) exploits for RedSun and UnDefend appearing just six days later, on April 16. The nature of these attacks suggests sophisticated, hands-on-keyboard threat actor activity, characterized by enumeration commands such as “whoami /priv,” “cmdkey /list,” and “net group,” indicating a deliberate and methodical approach to system compromise.
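The enumeration commands quoted above lend themselves to a simple hunting rule over process-creation telemetry. The following Python is an added example, not Huntress's tooling or code from the article: it flags a host/user pair that runs two or more distinct enumeration commands within a short window. The simplified 4688-style log format, the sample lines, the ten-minute window and the threshold are all assumptions.

```python
# Added example (not from the article or Huntress): flags the enumeration
# pattern the article describes in process-creation telemetry.
from datetime import datetime, timedelta
import re

# Enumeration commands named in the article; matched case-insensitively.
ENUM_PATTERNS = {
    "whoami_priv": re.compile(r"\bwhoami(\.exe)?\b.*/priv", re.I),
    "cmdkey_list": re.compile(r"\bcmdkey(\.exe)?\b.*/list", re.I),
    "net_group": re.compile(r"\bnet1?(\.exe)?\s+group\b", re.I),
}

# Constructed sample lines in an assumed, simplified "4688-style" format:
# <ISO timestamp>|<host>|<user>|<command line>
SAMPLE_LOG = """\
2026-04-16T09:00:01|WS01|CORP\\alice|C:\\Windows\\System32\\whoami.exe /priv
2026-04-16T09:00:40|WS01|CORP\\alice|cmdkey /list
2026-04-16T09:02:10|WS01|CORP\\alice|net group "Domain Admins" /domain
2026-04-16T11:30:00|WS02|CORP\\bob|whoami /priv
2026-04-16T15:45:00|WS02|CORP\\bob|net group /domain
2026-04-16T12:00:00|WS03|CORP\\svc|C:\\Program Files\\App\\app.exe --sync
"""

def parse(log_text):
    """Yield (timestamp, host, user, command line) tuples from the sample format."""
    for line in log_text.strip().splitlines():
        ts, host, user, cmd = line.split("|", 3)
        yield datetime.fromisoformat(ts), host, user, cmd

def match_enum(cmd):
    """Return the set of enumeration technique names seen in one command line."""
    return {name for name, pat in ENUM_PATTERNS.items() if pat.search(cmd)}

def find_enum_clusters(log_text, window=timedelta(minutes=10), min_distinct=2):
    """Return {(host, user): sorted technique names} for every host/user pair
    that ran at least min_distinct different enumeration commands within window."""
    hits = {}  # (host, user) -> list of (timestamp, technique name)
    for ts, host, user, cmd in parse(log_text):
        for name in match_enum(cmd):
            hits.setdefault((host, user), []).append((ts, name))
    flagged = {}
    for key, events in hits.items():
        events.sort()
        for i, (start, _) in enumerate(events):  # slide a window from each event
            names = {n for t, n in events[i:] if t - start <= window}
            if len(names) >= min_distinct:
                flagged[key] = sorted(names)
                break
    return flagged

if __name__ == "__main__":
    for (host, user), names in find_enum_clusters(SAMPLE_LOG).items():
        print(f"{host} {user}: {names}")
```

Only WS01/alice is flagged with the default window; bob's two commands on WS02 are hours apart and are reported only if the window or threshold is relaxed.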
In response to these findings, Huntress has taken immediate action to isolate affected organizations, aiming to prevent further post-exploitation activities and mitigate ongoing risks.
Microsoft’s Stance and the Disclosure Debate
When contacted for comment, Microsoft confirmed that the BlueHammer exploit has indeed been addressed via CVE-2026-33825. A spokesperson reiterated Microsoft’s commitment to investigating reported security issues and updating impacted devices promptly. They also emphasized their support for coordinated vulnerability disclosure, a standard industry practice designed to ensure issues are thoroughly investigated and patched before public release, thereby protecting customers while engaging with the security research community.
However, the public release of these zero-days by Chaotic Eclipse highlights ongoing tensions between security researchers and vendors regarding disclosure timelines and processes. While Microsoft advocates for a coordinated approach, researchers sometimes opt for public disclosure when they feel a vendor is not acting quickly enough to address critical vulnerabilities, especially those already being exploited.
What’s Next for Microsoft Defender Users?
For users and organizations relying on Microsoft Defender, the situation underscores the critical importance of applying updates as soon as they become available. While BlueHammer has a fix, the active exploitation of RedSun and UnDefend without immediate patches means vigilance is paramount. Cybersecurity professionals are advised to monitor their systems closely for any signs of compromise and to implement additional layers of security where possible, until comprehensive fixes are rolled out for all identified flaws.