THREATNOIR
Subscribe
Back to Feed
Zero-dayApr 17, 2026

Three Microsoft Defender Zero-Days Actively Exploited; Two Still Unpatched

Three Microsoft Defender zero-days actively exploited in wild; two remain unpatched.

Read at source

Summary

Huntress reports threat actors are actively exploiting three recently disclosed zero-day vulnerabilities in Microsoft Defender to gain elevated privileges. Two of the flaws—RedSun and UnDefend—remain unpatched, while BlueHammer was addressed in Microsoft's latest Patch Tuesday update (CVE-2026-33825). The flaws enable local privilege escalation and denial-of-service attacks, with exploitation observed since April 10, 2026.

Full text

Three Microsoft Defender Zero-Days Actively Exploited; Two Still Unpatched Ravie LakshmananApr 17, 2026Vulnerability / Endpoint Security Huntress is warning that threat actors are exploiting three recently disclosed security flaws in Microsoft Defender to gain elevated privileges in compromised systems. The activity involves the exploitation of three vulnerabilities that are codenamed BlueHammer (requires GitHub sign-in), RedSun, and UnDefend, all of which were released as zero-days by a researcher known as Chaotic Eclipse (aka Nightmare-Eclipse) in response to Microsoft's handling of the vulnerability disclosure process. While both BlueHammer and RedSun are local privilege escalation (LPE) flaws impacting Microsoft Defender, UnDefend can be used to trigger a denial-of-service (DoS) condition and effectively block definition updates. Microsoft moved to address BlueHammer as part of its Patch Tuesday updates released earlier this week. The vulnerability is being tracked under the CVE identifier CVE-2026-33825. However, the other flaws do not have a fix as of writing. In a series of posts shared on X, Huntress said it observed all three flaws being exploited in the wild, with BlueHammer being weaponized since April 10, 2026, followed by the use of RedSun and UnDefend proof-of-concept (PoC) exploits on April 16. "These invocations followed after typical enumeration commands: whoami /priv, cmdkey /list, net group, and others that indicate hands-on-keyboard threat actor activity," it added. The cybersecurity vendor said it has taken steps to isolate the affected organization to prevent further post-exploitation. The Hacker News has reached out to Microsoft for comment, and we will update the story if we hear back. Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share Share SHARE  cybersecurity, denial of service, endpoint security, Microsoft Defender, patch Tuesday, privilege escalation, Vulnerability, zero day Trending News Microsoft Warns of WhatsApp-Delivered VBS Malware Hijacking Windows via UAC Bypass New Chrome Zero-Day CVE-2026-5281 Under Active Exploitation — Patch Released Apple Expands iOS 18.7.7 Update to More Devices to Block DarkSword Exploit Hackers Exploit CVE-2025-55182 to Breach 766 Next.js Hosts, Steal Credentials New SparkCat Variant in iOS, Android Apps Steals Crypto Wallet Recovery Phrase Images Microsoft Details Cookie-Controlled PHP Web Shells Persisting via Cron on Linux Servers Fortinet Patches Actively Exploited CVE-2026-35616 in FortiClient EMS Block the Prompt, Not the Work: The End of "Doctor No" BKA Identifies REvil Leaders Behind 130 German Ransomware Attacks ⚡ Weekly Recap: Axios Hack, Chrome 0-Day, Fortinet Exploits, Paragon Spyware and More China-Linked Storm-1175 Exploits Zero-Days to Rapidly Deploy Medusa Ransomware New GPUBreach Attack Enables Full CPU Privilege Escalation via GDDR6 Bit-Flips Docker CVE-2026-34040 Lets Attackers Bypass Authorization and Gain Host Access Anthropic's Claude Mythos Finds Thousands of Zero-Day Flaws Across Major Systems AI Will Change Cybersecurity. Humans Will Define Its Success. A Lesson No Algorithm Can Teach The AI Arms Race – Why Unified Exposure Management Is Becoming a Boardroom Priority Popular Resources Learn How to Block Breached Passwords in Active Directory Before Attacks Get Full Visibility into Vendor and Internal Risk in One Platform [Guide] Get Practical Steps to Govern AI Agents with Runtime Controls Secure Your AI Systems Across the Full Lifecycle of Risks

Indicators of Compromise

  • cve — CVE-2026-33825
  • malware — BlueHammer
  • malware — RedSun
  • malware — UnDefend

Entities

Microsoft Defender (product)Microsoft (vendor)Chaotic Eclipse (aka Nightmare-Eclipse) (threat_actor)Huntress (vendor)