Three Microsoft Defender Zero-Days Actively Exploited; Two Still Unpatched
These articles are AI-generated summaries. Please check the original sources for full details.
Threat actors are exploiting three security flaws in Microsoft Defender on systems they have already compromised, using them to escalate privileges locally and to disrupt Defender itself. Huntress observed the flaws being exploited in the wild starting April 10, 2026, following their public release by a researcher known as Chaotic Eclipse.
Why This Matters
The incident highlights the gap between coordinated vulnerability disclosure and the immediate threat posed by public proof-of-concept exploits released during disclosure disputes. Microsoft has patched BlueHammer (CVE-2026-33825), but RedSun and UnDefend, a local privilege escalation flaw and a denial-of-service flaw, remain unpatched. That leaves defensive teams isolating affected systems reactively to contain post-exploitation activity, since the exploits themselves can block Defender definition updates and so defeat the automated defence that would normally respond.
Key Insights
- BlueHammer (CVE-2026-33825) exploitation was observed by Huntress starting April 10, 2026.
- RedSun and UnDefend PoC exploits were used in the wild on April 16, 2026, preceded by typical enumeration commands.
- UnDefend triggers a denial-of-service (DoS) condition that effectively blocks Microsoft Defender definition updates.
- The vulnerabilities were released as zero-days by researcher Chaotic Eclipse (Nightmare-Eclipse) due to disputes over the disclosure process.
- Microsoft addressed BlueHammer in its April 2026 Patch Tuesday updates, but RedSun and UnDefend remain unpatched.
Practical Applications
- Huntress isolated the affected organization to prevent further post-exploitation after detecting BlueHammer being exploited. Pitfall: Relying solely on automated patch management for critical security software when zero-day PoCs are public; a patch that has not shipped cannot be deployed, and an exploit that blocks definition updates defeats the update mechanism anyway.
- Monitoring for enumeration commands such as 'whoami /priv' and 'net group' can identify hands-on-keyboard activity that precedes zero-day exploitation. Pitfall: Dismissing these commands as routine administration; in sequence, they are often the first visible sign of an attacker's discovery phase.
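The detection idea in the last item, turned into runnable logic as an added example (this is not code from Huntress or from the summarized report). The log lines are constructed to resemble Security event 4688 process-creation fields (time, host, user, command line); the command patterns beyond 'whoami /priv' and 'net group', and the threshold of three distinct discovery commands within ten minutes, are assumptions chosen for illustration. The detector groups events per host and user, looks for a burst of distinct discovery commands, and surfaces whatever unknown binaries launched in the same window, which is where a dropped PoC would appear.

```python
"""Flag hands-on-keyboard discovery bursts in Windows process-creation logs.

Added example, not from the summarized report. Sample log lines, extra command
patterns and the burst threshold are constructed/assumed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Discovery commands commonly run before a local privilege escalation attempt.
# 'whoami /priv' and 'net group' are the two named in the summary; the others
# are assumptions of the same kind added for illustration.
DISCOVERY_PATTERNS = {
    "whoami_priv": re.compile(r"\bwhoami(\.exe)?\s+/priv\b", re.I),
    "net_group": re.compile(r"\bnet1?(\.exe)?\s+group\b", re.I),
    "net_localgroup": re.compile(r"\bnet1?(\.exe)?\s+localgroup\b", re.I),
    "systeminfo": re.compile(r"\bsysteminfo(\.exe)?\b", re.I),
    "defender_status": re.compile(r"Get-MpComputerStatus|Get-MpPreference", re.I),
}

# Constructed sample log: tab-separated time, host, user, command line.
# Host WS-0421 shows a burst of three discovery commands followed by an
# unknown binary; host WS-0109 shows two commands hours apart (benign admin).
SAMPLE_LOG = """\
2026-04-16T09:01:12Z\tWS-0421\tCORP\\jdoe\tC:\\Windows\\System32\\whoami.exe /priv
2026-04-16T09:01:40Z\tWS-0421\tCORP\\jdoe\tC:\\Windows\\System32\\net1.exe group "Domain Admins" /domain
2026-04-16T09:02:05Z\tWS-0421\tCORP\\jdoe\tsysteminfo
2026-04-16T09:03:30Z\tWS-0421\tCORP\\jdoe\tC:\\Users\\jdoe\\Downloads\\poc.exe
2026-04-16T11:30:00Z\tWS-0109\tCORP\\asmith\tnet localgroup administrators
2026-04-16T14:00:00Z\tWS-0109\tCORP\\asmith\twhoami /priv
"""


def parse_log(text):
    """Turn the tab-separated sample format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, cmd = line.split("\t", 3)
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "host": host, "user": user, "cmd": cmd,
        })
    return events


def classify(cmdline):
    """Return the discovery tag a command line matches, or None."""
    for tag, pattern in DISCOVERY_PATTERNS.items():
        if pattern.search(cmdline):
            return tag
    return None


def find_discovery_bursts(events, min_distinct=3, window=timedelta(minutes=10)):
    """Alert when one host/user runs >= min_distinct distinct discovery
    commands inside `window`. Non-discovery commands launched in the same
    window are reported as follow-on activity (candidate PoC launches)."""
    by_session = defaultdict(list)
    for ev in events:
        by_session[(ev["host"], ev["user"])].append(ev)

    alerts = []
    for (host, user), evs in by_session.items():
        evs.sort(key=lambda e: e["time"])
        i = 0
        while i < len(evs):
            if classify(evs[i]["cmd"]) is None:
                i += 1
                continue
            start = evs[i]["time"]
            end = start + window
            tags, follow_on = [], []
            for ev in evs[i:]:
                if ev["time"] > end:
                    break
                tag = classify(ev["cmd"])
                if tag is None:
                    follow_on.append(ev["cmd"])
                elif tag not in tags:
                    tags.append(tag)
            if len(tags) >= min_distinct:
                alerts.append({"host": host, "user": user,
                               "start": start.isoformat(),
                               "tags": tags, "follow_on": follow_on})
                # One alert per burst: skip everything inside this window.
                while i < len(evs) and evs[i]["time"] <= end:
                    i += 1
            else:
                i += 1
    return alerts


if __name__ == "__main__":
    for alert in find_discovery_bursts(parse_log(SAMPLE_LOG)):
        print(alert)
```

On a live host the same logic would read Security event 4688 (with command-line auditing enabled) or Sysmon event 1 instead of the constructed string. Because UnDefend blocks definition updates, pair this with a direct check of signature age rather than trusting that updates succeeded; the AntivirusSignatureLastUpdated field of Get-MpComputerStatus reports when definitions were last applied.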