[{"data":1,"prerenderedAt":157},["ShallowReactive",2],{"article-slug-microsoft-defender-zero-days-actively-exploited-after-public-leak":3,"articles-index":-1},{"id":4,"slug":5,"headline":6,"title":7,"summary":8,"full_report":9,"twitter_post":10,"meta_description":11,"category":12,"severity":16,"entities":17,"cves":45,"sources":52,"events":91,"mitre_techniques":100,"tags":113,"extract_datetime":65,"article_type":119,"impact_scope":120,"keywords":129,"pub_date":65,"reading_time_minutes":130,"createdAt":131,"updatedAt":132,"updates":133},"f99f732c-7f63-4c69-b958-b9a8e61d1398","microsoft-defender-zero-days-actively-exploited-after-public-leak","Actively Exploited Microsoft Defender Zero-Days 'RedSun' and 'UnDefend' Remain Unpatched","Three Microsoft Defender Zero-Days—BlueHammer, RedSun, and UnDefend—Actively Exploited in the Wild After Researcher's Public Leak","Threat actors are actively exploiting three zero-day vulnerabilities in Microsoft Defender, collectively known as BlueHammer, RedSun, and UnDefend. The exploits were publicly released by a security researcher in protest of Microsoft's disclosure process. While Microsoft patched BlueHammer (CVE-2026-33825) in its April Patch Tuesday, the RedSun privilege escalation and UnDefend denial-of-service flaws remain unpatched, leaving fully updated Windows 10, 11, and Server systems vulnerable. Security firm Huntress Labs has observed targeted, hands-on-keyboard attacks leveraging these exploits to gain SYSTEM-level privileges.","## Executive Summary\nSecurity researchers have confirmed active, in-the-wild exploitation of three zero-day vulnerabilities affecting **[Microsoft](https://www.microsoft.com/security)** Defender on modern Windows systems. The vulnerabilities, codenamed **BlueHammer**, **RedSun**, and **UnDefend**, were publicly disclosed by a researcher known as \"Chaotic Eclipse\" before official patches were available for all flaws. **BlueHammer** (`CVE-2026-33825`), a local privilege escalation (LPE) flaw, was patched in the April 2026 Patch Tuesday. However, **RedSun**, another critical LPE vulnerability that grants SYSTEM privileges, and **UnDefend**, a denial-of-service (DoS) bug, remain unpatched. Huntress Labs reports observing targeted attacks where threat actors are manually deploying these exploits to elevate privileges on compromised systems, indicating a significant and immediate threat to Windows environments.\n\n## Threat Overview\nThe incident highlights the dangerous intersection of vulnerability research, contentious disclosure practices, and rapid weaponization by threat actors. A researcher, frustrated with the **[Microsoft Security Response Center (MSRC)](https://www.microsoft.com/en-us/msrc)**, publicly released proof-of-concept (PoC) exploits for three distinct vulnerabilities in Microsoft Defender. This action provided threat actors with the tools to immediately target vulnerable systems.\n\n* **BlueHammer (`CVE-2026-33825`):** A Local Privilege Escalation (LPE) vulnerability. An attacker with low-level access can exploit this to gain SYSTEM privileges. This flaw has been **patched**.\n* **RedSun:** A second, more severe LPE vulnerability that also allows an attacker to gain SYSTEM privileges on fully patched Windows 10, Windows 11, and Windows Server 2019+ systems. This flaw remains **unpatched**.\n* **UnDefend:** A Denial-of-Service (DoS) vulnerability that allows a standard user to prevent Microsoft Defender from receiving new security intelligence updates, effectively blinding the antivirus solution. This flaw also remains **unpatched**.\n\nResearchers at Huntress Labs have observed these exploits being used in targeted attacks, not widespread automated campaigns. The attackers exhibit \"hands-on-keyboard\" activity, running reconnaissance commands like `whoami /priv` and `cmdkey /list` after gaining initial access, before deploying the LPE exploits to escalate their privileges. This behavior is typical of sophisticated adversaries conducting targeted intrusions.\n\n## Technical Analysis\nThe exploits abuse core functionalities of Microsoft Defender and its interaction with the operating system.\n\n* **Privilege Escalation ([`T1068`](https://attack.mitre.org/techniques/T1068/)):** Both **BlueHammer** and **RedSun** are classic examples of this technique. They exploit flaws in a highly privileged process (Microsoft Defender's `MsMpEng.exe` service, which runs as `NT AUTHORITY\\SYSTEM`) to execute arbitrary code with elevated permissions. The **RedSun** exploit reportedly abuses how Defender handles file system operations during remediation.\n* **Impair Defenses ([`T1562`](https://attack.mitre.org/techniques/T1562/)):** The **UnDefend** vulnerability is a direct implementation of this tactic. By preventing Defender from updating, attackers can ensure that their subsequent malware payloads will not be detected by the latest signatures, significantly increasing their chances of success.\n* **Exploitation for Privilege Escalation ([`T1068`](https://attack.mitre.org/techniques/T1068/)):** The core of the BlueHammer and RedSun attacks. Attackers with initial low-privilege access (e.g., from a phishing email) can run the exploit to become SYSTEM, gaining full control of the host.\n* **System Services ([`T1569.002`](https://attack.mitre.org/techniques/T1569/002/)):** The exploits target a legitimate and critical Windows service (Microsoft Defender) to carry out their malicious actions.\n\n> The active exploitation of unpatched LPEs in a default security product is a worst-case scenario. It effectively nullifies the 'defense-in-depth' principle, as the defender itself becomes the attack vector.\n\n## Impact Assessment\nThe impact is critical for organizations running Windows environments. An attacker who gains any level of initial access—through phishing, a separate vulnerability, or other means—can now reliably escalate to SYSTEM-level privileges on fully patched machines using the **RedSun** exploit. This level of access allows them to disable other security controls, deploy ransomware, steal sensitive data, and persist within the network. The **UnDefend** vulnerability further compounds the risk by ensuring that the primary endpoint protection is outdated and ineffective against new threats. This forces organizations into a difficult position of needing to apply emergency workarounds or accept a high level of risk until Microsoft releases a patch.\n\n## IOCs\nNo specific file hashes or IP addresses were provided in the source articles.\n\n## Cyber Observables for Detection\nSecurity teams should hunt for post-exploitation activity associated with these LPEs.\n\n| Type | Value | Description | Context |\n| :------------------- | :----------------------------------------------------------------- | :--------------------------------------------------------------------------------------------------------------------------------------------- | :----------------------------------------------------------------------- |\n| command_line_pattern | `whoami /priv` | Attackers often run this command immediately after successful privilege escalation to verify their new permissions. | EDR, PowerShell Script Block Logging (Event ID 4104), Process Creation (Event ID 4688) |\n| command_line_pattern | `cmdkey /list` | Used to enumerate cached credentials, a common next step after gaining SYSTEM access. | EDR, Process Creation (Event ID 4688) |\n| file_path | `%windir%\\Temp\\` | Exploits often drop temporary files or scripts in the Windows Temp directory. Monitor for anomalous file creation and execution from this path. | File Integrity Monitoring (FIM), EDR |\n| process_name | `MsMpEng.exe` | Monitor for anomalous behavior, crashes, or unexpected child processes spawned by the Microsoft Defender engine process. | EDR, Sysmon (Event ID 1) |\n| event_id | `4657` | Monitor for modifications to the registry key `HKLM\\SOFTWARE\\Microsoft\\Windows Defender`, which could indicate use of the UnDefend exploit. | Windows Security Event Log |\n\n## Detection & Response\n**Detection Strategies:**\n* **Behavioral Analytics:** Since the exploits target a trusted process, signature-based detection is ineffective. Focus on behavioral detection. An EDR solution should be configured to alert on `MsMpEng.exe` spawning unusual child processes (like `cmd.exe` or `powershell.exe`) or performing unexpected file/registry modifications.\n* **D3FEND: [Process Analysis (D3-PA)](https://d3fend.mitre.org/technique/d3f:ProcessAnalysis):** Specifically, monitor for process lineage anomalies. A command shell (`cmd.exe`) being spawned as a child of `MsMpEng.exe` is highly suspicious and should be a high-priority alert. This is a key indicator of post-exploitation activity following a successful LPE.\n* **Log Aggregation:** Aggregate and correlate logs from multiple sources. A low-privilege user login followed by a series of reconnaissance commands (`whoami`, `net user`, etc.) and then a spike in `MsMpEng.exe` activity could indicate an attack in progress.\n\n**Response Actions:**\n1. If active exploitation is suspected, immediately isolate the affected host from the network to prevent lateral movement.\n2. Preserve the system for forensic analysis to understand the initial access vector and subsequent actions.\n3. For **RedSun** and **UnDefend**, monitor Microsoft's security advisories closely and be prepared to deploy the patch on an emergency basis as soon as it is released.\n\n## Mitigation\n**Immediate Actions (Workarounds):**\n* **Attack Surface Reduction (ASR):** For the unpatched vulnerabilities, organizations must rely on compensating controls. Ensure that standard users do not have administrative rights. Implement strict application control (like AppLocker or WDAC) to prevent the execution of unauthorized executables, including the exploit PoCs.\n* **Enhanced Monitoring:** Increase monitoring on endpoints, focusing on the behavioral indicators listed above. Lower the threshold for alerts related to `MsMpEng.exe` and post-exploitation commands.\n\n**Strategic Controls:**\n* **D3FEND: [Software Update (D3-SU)](https://d3fend.mitre.org/technique/d3f:SoftwareUpdate):** The most critical mitigation is to patch. Ensure **CVE-2026-33825** is patched via the April 2026 update. Maintain a robust and rapid patch management process to deploy the forthcoming fixes for **RedSun** and **UnDefend** as soon as they are available.\n* **D3FEND: [Execution Prevention (M1038)](https://attack.mitre.org/mitigations/M1038/):** A well-configured application control policy that only allows known, trusted executables to run can prevent the initial execution of the exploit code, even if it's dropped on the system.","🚨 ACTIVELY EXPLOITED: Three Microsoft Defender zero-days (BlueHammer, RedSun, UnDefend) are being used in attacks. RedSun & UnDefend remain UNPATCHED, allowing SYSTEM-level access on updated Windows systems. Patch BlueHammer (CVE-2026-33825) now! #ZeroDay #CyberAttack #Microsoft","Threat actors are actively exploiting three Microsoft Defender zero-day vulnerabilities (BlueHammer, RedSun, UnDefend). Two flaws remain unpatched, allowing for privilege escalation and denial of service on Windows systems.",[13,14,15],"Vulnerability","Cyberattack","Threat Actor","critical",[18,21,24,27,30,33,35,37,39,41,43],{"name":19,"type":20},"BlueHammer","malware",{"name":22,"type":23},"Chaotic Eclipse","threat_actor",{"name":25,"type":26},"Huntress Labs","security_organization",{"name":28,"type":29},"Microsoft","vendor",{"name":31,"type":32},"Microsoft Defender","product",{"name":34,"type":26},"Microsoft Security Response Center (MSRC)",{"name":36,"type":20},"RedSun",{"name":38,"type":20},"UnDefend",{"name":40,"type":32},"Windows 10",{"name":42,"type":32},"Windows 11",{"name":44,"type":32},"Windows Server",[46],{"id":47,"cvss_score":48,"cvss_version":49,"kev":50,"severity":51},"CVE-2026-33825",7.8,null,0,"high",[53,58,62,67,71,74,79,82,86],{"url":54,"title":55,"date":56,"website":57},"https://www.bleepingcomputer.com/news/security/recently-leaked-windows-zero-days-now-exploited-in-attacks/","Recently leaked Windows zero-days now exploited in attacks","2026-04-17","bleepingcomputer.com",{"url":59,"title":60,"date":56,"website":61},"https://thehackernews.com/2026/04/three-microsoft-defender-zero-days.html","Three Microsoft Defender Zero-Days Actively Exploited; Two Still Unpatched","thehackernews.com",{"url":63,"title":64,"date":65,"website":66},"https://www.vectra.ai/blog/when-the-defender-becomes-the-door-bluehammer-redsun-and-undefend-in-the-wild","When the Defender Becomes the Door: BlueHammer, RedSun, and UnDefend in the Wild","2026-04-18","vectra.ai",{"url":68,"title":69,"date":65,"website":70},"https://research.checkpoint.com/2026/04/20/20th-april-threat-intelligence-report/","20th April – Threat Intelligence Report","research.checkpoint.com",{"url":72,"title":73,"date":65,"website":49},"https://blog.rodolfovaz.com/security-check-in-quick-hits-april-18-2026/","Security Check-in Quick Hits: Fake Ledger Hardware Scams, Microsoft Defender Zero-Day, and Tether's Swift Freeze on Rhea Finance Funds",{"url":75,"title":76,"date":77,"website":78},"https://medium.com/@marcelle.lee/weekly-cyber-threat-bulletin-19-april-2026-6f34e8c1c5c0","Weekly Cyber Threat Bulletin: 19 April 2026","2026-04-19","medium.com",{"url":80,"title":64,"date":81,"website":66},"https://www.vectra.ai/blog/when-the-defender-becomes-the-door-bluehammer-redsun-and-undefend","2026-04-20",{"url":83,"title":84,"date":81,"website":85},"https://www.huntress.com/blog/defender-down-weaponized-exploits-targeting-windows-defender","Defender Down: Huntress Confirms Active Exploitation of BlueHammer, RedSun, and UnDefend","huntress.com",{"url":87,"title":88,"date":89,"website":90},"https://www.zerodayinitiative.com/blog/2026/4/14/the-april-2026-security-update-review","The April 2026 Security Update Review","2026-04-14","zerodayinitiative.com",[92,95,98],{"datetime":93,"summary":94},"2026-04-10T00:00:00Z","Exploitation of the BlueHammer vulnerability is first observed in the wild.",{"datetime":96,"summary":97},"2026-04-16T00:00:00Z","The April 2026 Patch Tuesday is released, patching BlueHammer (CVE-2026-33825).",{"datetime":96,"summary":99},"Exploitation of the unpatched RedSun and UnDefend vulnerabilities begins.",[101,104,107,110],{"id":102,"name":103,"tactic":49},"T1053.005","Scheduled Task",{"id":105,"name":106,"tactic":49},"T1068","Exploitation for Privilege Escalation",{"id":108,"name":109,"tactic":49},"T1562","Impair Defenses",{"id":111,"name":112,"tactic":49},"T1562.001","Disable or Modify Tools",[114,31,115,116,117,118],"LPE","Privilege Escalation","Unpatched","Windows","ZeroDay","NewsArticle",{"geographic_scope":121,"industries_affected":122,"companies_affected":125,"governments_affected":126,"countries_affected":127,"other_affected":128,"people_affected_estimate":49},"global",[123,124],"Technology","Other",[],[],[],[],[114,31,115,116,117,118],6,"2026-04-18T15:00:00.000Z","2026-04-23T12:00:00Z",[134,149],{"datetime":132,"summary":135,"content":136,"severity_change":137,"sources":138},"CISA adds CVE-2026-33825 (BlueHammer) to KEV catalog, mandating patch. Detailed exploit chain for SAM dump revealed, with initial access via FortiGate VPNs.","The CISA has added CVE-2026-33825 (BlueHammer), a critical Microsoft Defender privilege escalation vulnerability, to its Known Exploited Vulnerabilities catalog, requiring federal agencies to patch by May 6, 2026. This confirms active, in-the-wild exploitation. New technical details reveal the exploit leverages a TOCTOU race condition to dump the SAM database for credential access, with initial access often gained via compromised FortiGate SSL VPNs. One observed attack originated from a Russian IP. The specific patch version is 4.18.26050.3011 or later. While the existing article noted BlueHammer was patched, this update highlights its continued critical threat due to confirmed active exploitation and government mandate.","increased",[139,143,146],{"url":140,"title":141,"website":142,"date":132},"https://www.securityweek.com/recent-microsoft-defender-vulnerability-exploited-as-zero-day/","Recent Microsoft Defender Vulnerability Exploited as Zero-Day","",{"url":144,"title":145,"website":142,"date":132},"https://www.darkreading.com/vulnerabilities-threats/exploits-turn-windows-defender-into-attacker-tool","Exploits Turn Windows Defender Into Attacker Tool",{"url":147,"title":148,"website":142,"date":132},"https://www.cisa.gov/news-events/alerts/2026/04/22/cisa-adds-one-known-exploited-vulnerability-catalog","CISA Adds One Known Exploited Vulnerability to Catalog | CISA",{"datetime":150,"summary":151,"content":152,"severity_change":153,"sources":154},"2026-04-22T12:00:00Z","New details confirm active exploitation of all three Microsoft Defender zero-days, including RedSun and UnDefend, with PoCs observed in the wild by April 16.","New reports from Huntress confirm that all three Microsoft Defender zero-days (BlueHammer, RedSun, UnDefend) are actively exploited in the wild. While BlueHammer's exploitation was noted by April 10, proof-of-concept exploits for RedSun (LPE) and UnDefend (DoS) were observed being used by threat actors as early as April 16, 2026. This reinforces the immediate threat posed by these unpatched vulnerabilities, allowing attackers to escalate privileges and disable Defender updates on Windows systems.","unchanged",[155,156],{"url":59,"title":60,"website":142,"date":150},{"url":87,"title":88,"website":142,"date":150},1776956872911]