Three Microsoft Defender Zero-Day Vulnerabilities Are Being Actively Exploited, With Two Still Remaining Unpatched
Ongoing Exploitation Campaigns Highlight Serious Risks in Endpoint Protection and Privilege Escalation Defenses
Security researchers have identified three actively exploited zero-day vulnerabilities affecting Microsoft Defender, raising serious concerns for endpoint security.
These vulnerabilities—named BlueHammer, RedSun, and UnDefend—are already being used by threat actors in real-world attacks.
While one flaw has been patched, two vulnerabilities remain unaddressed, leaving systems exposed to continued exploitation.
VULNERABILITY OVERVIEW
Key Zero-Day Flaws
- BlueHammer (CVE-2026-33825)
  - Type: Local Privilege Escalation (LPE)
  - Status: Patched
  - Risk: Allows attackers to gain elevated system privileges
- RedSun
  - Type: Local Privilege Escalation (LPE)
  - Status: Unpatched
  - Risk: Enables privilege escalation after initial access
- UnDefend
  - Type: Denial-of-Service (DoS)
  - Status: Unpatched
  - Risk: Blocks Defender updates, weakening security posture
ACTIVE EXPLOITATION
Real-World Attack Activity
Security researchers observed that all three vulnerabilities are already being exploited in the wild:
- BlueHammer exploitation began around April 10, 2026
- Exploitation of RedSun and UnDefend followed shortly after, using proof-of-concept (PoC) code
Attackers are leveraging these flaws during post-compromise phases to strengthen their control over infected systems.
ATTACK BEHAVIOR
Indicators of Hands-On-Keyboard Activity
Observed attack patterns include execution of common reconnaissance and privilege-check commands such as:
- whoami /priv
- cmdkey /list
- net group
These commands indicate that attackers already have initial access and are actively escalating privileges and exploring the environment.
WHY THIS IS CRITICAL
Endpoint Security Being Turned Against Itself
These vulnerabilities directly affect a core security tool, which makes the risk significantly higher.
As a result, attackers can:
- Escalate privileges within the system
- Disable or weaken security protections
- Maintain persistence without detection
Patch Gap Increases Exposure
Although BlueHammer has been patched, the lack of fixes for RedSun and UnDefend creates a dangerous window of opportunity.
Therefore, organizations remain vulnerable even if they apply the latest updates.
POTENTIAL IMPACT
- Privilege Escalation: Full administrative control of systems
- Defense Evasion: Blocking antivirus updates and protections
- Post-Exploitation Expansion: Easier lateral movement across networks
RECOMMENDED ACTIONS
Immediate Security Measures
- Apply the latest updates addressing CVE-2026-33825
- Monitor systems for unusual privilege escalation activity
- Detect execution of reconnaissance commands
- Restrict administrative privileges wherever possible
Detection & Monitoring
- Watch for abnormal Defender behavior (e.g., update failures)
- Monitor command-line activity linked to privilege enumeration
- Use EDR/XDR tools to identify suspicious post-exploitation actions
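The following is an added example, not part of the original advisory: a small Python detector that runs over constructed process-creation events (in a hypothetical one-line log format) and flags hosts where several of the recon commands listed above (whoami /priv, cmdkey /list, net group) cluster within a short window, which is the hands-on-keyboard pattern the advisory describes, rather than alerting on a single stray command.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Privilege-enumeration / recon commands named in the advisory (case-insensitive).
RECON_PATTERNS = {
    "whoami_priv": re.compile(r"\bwhoami(\.exe)?\s+/priv\b", re.I),
    "cmdkey_list": re.compile(r"\bcmdkey(\.exe)?\s+/list\b", re.I),
    "net_group": re.compile(r"\bnet1?(\.exe)?\s+group\b", re.I),
}

# Constructed sample events in a hypothetical format: "<ISO ts> host=<h> user=<u> cmd=<cmdline>".
SAMPLE_EVENTS = """\
2026-04-10T09:12:01 host=WS01 user=jdoe cmd=whoami /priv
2026-04-10T09:12:40 host=WS01 user=jdoe cmd=cmdkey /list
2026-04-10T09:13:05 host=WS01 user=jdoe cmd=net group "Domain Admins" /domain
2026-04-10T11:00:00 host=WS02 user=svc_backup cmd=net group
2026-04-10T14:30:00 host=WS03 user=admin cmd=ipconfig /all
"""
LINE_RE = re.compile(r"^(\S+) host=(\S+) user=(\S+) cmd=(.*)$")

def parse_events(text):
    """Parse the constructed log format into (timestamp, host, user, cmdline) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # silently skip lines that do not fit the expected shape
            events.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return events

def classify(cmdline):
    """Return the recon category a command line matches, or None if it is not one we watch."""
    return next((name for name, pat in RECON_PATTERNS.items() if pat.search(cmdline)), None)

def find_hands_on_keyboard(events, window=timedelta(minutes=10), min_distinct=2):
    """Flag hosts on which >= min_distinct different recon commands ran within `window`."""
    by_host = defaultdict(list)
    for ts, host, user, cmd in events:
        cat = classify(cmd)
        if cat:
            by_host[host].append((ts, cat))
    alerts = {}
    for host, hits in by_host.items():
        hits.sort()  # chronological order so each window starts at a real hit
        for start, _ in hits:
            cats = {c for t, c in hits if start <= t <= start + window}
            if len(cats) >= min_distinct:
                alerts[host] = sorted(cats)
                break
    return alerts
```

On the sample data only WS01 is flagged: WS02 ran a lone "net group", which on its own is low signal, and WS03 ran nothing on the watch list.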
KEY TAKEAWAY
These vulnerabilities demonstrate a critical shift in attacker strategy:
➡️ Instead of bypassing security tools, attackers are exploiting them directly
With active exploitation already underway and incomplete patch coverage, organizations must rely on continuous monitoring and layered defenses to reduce risk.