Three Microsoft Defender Zero-Days Actively Exploited; Two Still Unpatched

Three Microsoft Defender Zero-Days Actively Exploited; Two Still Unpatched

By The Hacker News
Publication Date: 2026-04-17 13:21:00

Ravie LakshmananApr 17, 2026Vulnerability / Endpoint Security

Huntress is warning that threat actors are exploiting three recently disclosed security flaws in Microsoft Defender to gain elevated privileges in compromised systems.

The activity involves the exploitation of three vulnerabilities that are codenamed BlueHammer (requires GitHub sign-in), RedSun, and UnDefend, all of which were released as zero-days by a researcher known as Chaotic Eclipse (aka Nightmare-Eclipse) in response to Microsoft’s handling of the vulnerability disclosure process.

While both BlueHammer and RedSun are local privilege escalation (LPE) flaws impacting Microsoft Defender, UnDefend can be used to trigger a denial-of-service (DoS) condition and effectively block definition updates.

Cybersecurity

Microsoft moved to address BlueHammer as part of its Patch Tuesday updates released earlier this week. The vulnerability is being tracked under the CVE identifier CVE-2026-33825. However, the other flaws do not have…