April 17, 2026

Three Microsoft Defender Zero-days Reported Exploited


At a glance: Three Microsoft Defender flaws have been disclosed in April 2026, with active exploitation observed beginning April 10 and expanding by April 16. Microsoft has patched only BlueHammer (CVE-2026-33825), while RedSun and UnDefend remain unpatched. They could enable SYSTEM-level privilege escalation or degradation of Defender protections once local access is obtained. Field Effect is actively tracking this activity, has deployed analytics to detect exploitation behavior, and is expanding coverage as techniques evolve.

Threat summary

Over the month of April 2026, three distinct flaws affecting Microsoft Defender Antivirus were publicly disclosed, and researchers are now observing active exploitation. The flaws, dubbed BlueHammer, RedSun, and UnDefend, target Microsoft Defender, which is included with Windows 10, Windows 11, and Windows Server 2019 and later.

This activity follows Microsoft’s April 2026 Patch Tuesday release, which addressed one of these issues, as detailed in Field Effect’s earlier analysis of CVE-2026-33825 (BlueHammer).

The most recent reporting indicates real-world exploitation of all three flaws. BlueHammer exploitation began on April 10, 2026, with RedSun and UnDefend observed in use by April 16, 2026. The reported incidents involved interactive, hands-on-keyboard activity by threat actors after initial access was obtained through other means, including compromised SSL-VPN credentials.

Proof-of-concept (PoC) exploit code for all three flaws was published publicly by a security researcher operating under the aliases Chaotic Eclipse and NightmareEclipse. The code was released without corresponding vendor fixes in place. Security vendors and independent researchers subsequently confirmed that the exploits function as described and have been used in live intrusions.

BlueHammer is the only flaw that has been formally assigned a Common Vulnerability Enumeration identifier, CVE-2026-33825.

RedSun is a second local privilege escalation flaw that remains unpatched as of April 17, 2026. It exploits how Microsoft Defender handles cloud-tagged files by combining legitimate Windows features, including the Cloud Files Application Programming Interface, opportunistic file locks, Volume Shadow Copy coordination, and directory junctions. This behavior allows Defender, running with SYSTEM privileges, to overwrite protected system files and execute attacker-controlled code on fully patched systems.

UnDefend is the third flaw and targets Microsoft Defender’s update mechanism. It allows a local user to block or disrupt Defender definition updates, reducing malware detection coverage over time. Active use of UnDefend alongside BlueHammer and RedSun has been observed in confirmed incidents. Public reporting characterizes UnDefend as causing a denial-of-service condition against Defender updates.

RedSun and UnDefend do not currently have assigned CVE identifiers or official CVSS ratings.

Analysis

Collectively, these three flaws affect organizations that rely on Microsoft Defender as a primary endpoint protection control. Once a threat actor achieves local execution, the impact ranges from complete SYSTEM-level compromise to silent degradation of endpoint detection. Worst-case outcomes include credential access from the Security Account Manager database, persistence through modified system services, and lateral movement using trusted credentials. While exploitation requires local access and technical expertise, the public availability of exploit code has reduced the barrier to use.

Systems that have applied the April 2026 Microsoft security updates are protected against CVE-2026-33825 (BlueHammer). Defender Anti-malware Platform version checks can be used to confirm patch status.
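One way to perform that platform version check, as an added example that is not Field Effect's tooling or Microsoft's own guidance: it reads the Anti-malware Platform, engine and signature versions from the built-in `Get-MpComputerStatus` cmdlet and compares the platform version against a minimum. The page does not state which platform version carries the fix, so `$MinimumPlatformVersion` is left as an obvious placeholder to be filled from Microsoft's advisory; the `-ComputerName` fan-out via `Invoke-Command` is an assumption about how an operator would run it across a fleet.

```powershell
# Added example (not the advisory's or Microsoft's code): report Defender
# Anti-malware Platform version and whether it meets a minimum.
# PLACEHOLDER: replace with the platform version that includes the
# CVE-2026-33825 fix, taken from Microsoft's advisory (not stated on this page).
$MinimumPlatformVersion = [version]'0.0.0.0'

function Get-DefenderPatchStatus {
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),   # assumption: local host by default
        [version]$MinimumPlatform = $MinimumPlatformVersion
    )

    # Runs on each host and returns the three version fields that matter for triage.
    $probe = {
        $s = Get-MpComputerStatus
        [pscustomobject]@{
            ComputerName     = $env:COMPUTERNAME
            PlatformVersion  = $s.AMProductVersion            # Anti-malware Platform
            EngineVersion    = $s.AMEngineVersion             # scanning engine
            SignatureVersion = $s.AntivirusSignatureVersion   # definitions
            RealTimeEnabled  = $s.RealTimeProtectionEnabled
        }
    }

    foreach ($host in $ComputerName) {
        try {
            if ($host -eq $env:COMPUTERNAME) {
                $r = & $probe
            } else {
                $r = Invoke-Command -ComputerName $host -ScriptBlock $probe -ErrorAction Stop
            }
            $platform = [version]$r.PlatformVersion
            $r | Add-Member -NotePropertyName 'MeetsMinimum' `
                            -NotePropertyValue ($platform -ge $MinimumPlatform) -PassThru
        } catch {
            # Unreachable or WinRM-disabled hosts are reported rather than silently skipped.
            [pscustomobject]@{
                ComputerName = $host; PlatformVersion = $null; EngineVersion = $null
                SignatureVersion = $null; RealTimeEnabled = $null; MeetsMinimum = $null
                Error = $_.Exception.Message
            }
        }
    }
}

# Usage: list hosts whose platform is below the minimum (or could not be checked).
Get-DefenderPatchStatus -ComputerName 'host01', 'host02' |
    Where-Object { $_.MeetsMinimum -ne $true } |
    Format-Table -AutoSize
```

The comparison uses the `[version]` type rather than string ordering so that, for example, a platform build "4.18.x" is not sorted below "4.9.x". A host that reports `MeetsMinimum = $false` should be treated as exposed to BlueHammer regardless of its monthly cumulative update state, since the Defender platform updates separately from the OS.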

As of April 17, 2026, RedSun and UnDefend remain unpatched. Operational risk can be reduced by monitoring for unusual Microsoft Defender cleanup activity, unexpected privilege escalation, and unauthorized modification of protected system files.
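The monitoring recommended in the paragraph above, and the definition-update disruption that UnDefend causes, can both be checked locally from the Defender operational event log. The following is an added example, not Field Effect's detection analytics and not a complete substitute for them: it collects failed definition updates (event 2001), stale signatures via `Get-MpComputerStatus`, protection-disabled events (5001 and 5012), and Defender remediation actions (1117) whose target path sits under the Windows system directories, which is the "unusual cleanup activity" a SYSTEM-level file overwrite would look like from the log's perspective. The lookback and signature-age thresholds are assumptions to be tuned per environment.

```powershell
# Added example (not Field Effect's analytics): host-level Defender risk signals
# aligned with the three behaviours in the advisory. Event IDs are the
# documented Microsoft-Windows-Windows Defender/Operational IDs.
function Get-DefenderRiskSignals {
    param(
        [int]$LookbackHours        = 24,   # assumption: review window
        [int]$MaxSignatureAgeHours = 48    # assumption: staleness threshold for definitions
    )
    $log   = 'Microsoft-Windows-Windows Defender/Operational'
    $since = (Get-Date).AddHours(-$LookbackHours)

    # Helper: query by event ID without throwing when no events match.
    function Get-DefenderEvents([int[]]$Id) {
        Get-WinEvent -FilterHashtable @{ LogName = $log; Id = $Id; StartTime = $since } `
                     -ErrorAction SilentlyContinue
    }

    $status = Get-MpComputerStatus

    # 1. Update disruption (UnDefend-style): failed definition updates or stale signatures.
    $updateFailures = @(Get-DefenderEvents -Id 2001)
    $sigAge         = (Get-Date) - $status.AntivirusSignatureLastUpdated
    $sigStale       = $sigAge.TotalHours -gt $MaxSignatureAgeHours

    # 2. Protection degraded: real-time protection (5001) or antivirus (5012) disabled.
    $protectionOff  = @(Get-DefenderEvents -Id 5001, 5012)

    # 3. Unusual cleanup: remediation actions whose target is a protected system path.
    $systemPathRx   = '(?i)\\Windows\\(System32|SysWOW64|WinSxS)\\'
    $cleanupOnSys   = @(Get-DefenderEvents -Id 1117 | Where-Object { $_.Message -match $systemPathRx })

    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        SignatureAgeHours     = [math]::Round($sigAge.TotalHours, 1)
        SignatureStale        = $sigStale
        UpdateFailureCount    = $updateFailures.Count
        ProtectionOffCount    = $protectionOff.Count
        SystemPathCleanupCount= $cleanupOnSys.Count
        SystemPathCleanup     = $cleanupOnSys | ForEach-Object {
                                    [pscustomobject]@{ Time = $_.TimeCreated; Message = $_.Message }
                                }
        # Any one of these is worth an analyst look; together they match the advisory's pattern.
        NeedsReview           = ($sigStale -or $updateFailures.Count -gt 0 -or
                                 $protectionOff.Count -gt 0 -or $cleanupOnSys.Count -gt 0)
    }
}

# Usage: run on a host of interest and print the summary, then the flagged cleanup events.
$signals = Get-DefenderRiskSignals -LookbackHours 72
$signals | Select-Object ComputerName, SignatureAgeHours, SignatureStale,
                         UpdateFailureCount, ProtectionOffCount, SystemPathCleanupCount, NeedsReview
$signals.SystemPathCleanup | Format-List
```

Event 1117 records legitimate remediations too, so the system-path filter narrows rather than proves; a hit should be correlated with the user session and process lineage active at that time. Repeated 2001 failures on a single host while neighbouring hosts update normally is the more specific UnDefend indicator, since a fleet-wide update outage points at the update source instead.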

Field Effect is actively tracking the publicly available exploit code associated with this activity. Our threat research and detection teams are closely monitoring ongoing developments, including changes in exploit behavior and any indication of broader threat actor adoption.

Field Effect Managed Detection and Response (MDR) detects this activity using behavioral analytics rather than reliance on exploit signatures alone. New detection analytics have been deployed to identify exploitation attempts. These analytics focus on anomalous Microsoft Defender behavior, unexpected privilege escalation, protected system file modification, and post-exploitation activity consistent with local escalation to SYSTEM. Because these behaviors are independent of a specific exploit implementation, detection coverage remains effective even as techniques evolve.

Additional analytics are under active development to extend coverage in the event that new exploitation techniques or variants emerge. At this time, suspected exploitation is expected to generate alerts for Field Effect analyst review, providing visibility into potential impact within monitored environments. As these detections continue to be evaluated in production and their performance is validated, Field Effect plans to progress toward automated ARO generation and response actions to further strengthen protection and reduce response time.
