securityaffairs.com 4/19/2026, 6:13:00 PM · via preferred

Microsoft Defender under attack as three zero-days, two of them still unpatched, enable elevated access

CyberSIXT Evidence Panel: CVE Intel; CISA KEV: Not in KEV; Patch: Patch Available

Attackers are exploiting three recently disclosed Microsoft Defender zero-days, code-named BlueHammer, RedSun, and UnDefend, to gain elevated privileges on compromised systems: BlueHammer locally escalates privileges, and UnDefend triggers a denial of service that blocks security definition updates. The vulnerabilities were revealed by a researcher known as Chaotic Eclipse, who also published proof-of-concept code for the unpatched Windows bug.

At present, BlueHammer has been fixed and is tracked as CVE-2026-33825, while RedSun and UnDefend remain unpatched. Huntress researchers reported real-world exploitation of all three flaws: BlueHammer was first used on 10 April 2026, followed by RedSun and UnDefend PoC exploits on 16 April 2026. Once exploit code becomes publicly available, threat actors can weaponise it rapidly in attacks in the wild. According to Huntress, the victims and attackers remain unknown.
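Because UnDefend is described above as blocking security definition updates, one practical check a defender can run is whether Defender's signatures on a host are going stale. The following PowerShell is an added example written for this page, not code from the article, from Huntress, or from the researcher; it uses the documented Defender cmdlets `Get-MpComputerStatus` and `Update-MpSignature`, and the 48-hour threshold and the `-Remediate` switch name are assumptions chosen here, not values stated on the page.

```powershell
# Added example (not from the article): flag hosts whose Defender
# definitions have not updated recently, which is the symptom the
# UnDefend denial-of-service produces. A stale signature set on its
# own is NOT proof of exploitation; it is a prompt to investigate.

function Test-DefenderSignatureFreshness {
    [CmdletBinding()]
    param(
        # Assumption: treat definitions older than this as stale.
        [int]$MaxAgeHours = 48,
        # Assumption: optionally attempt a signature update when stale.
        [switch]$Remediate
    )

    $status = Get-MpComputerStatus

    # AntivirusSignatureLastUpdated is a DateTime exposed by the cmdlet.
    $ageHours = ((Get-Date) - $status.AntivirusSignatureLastUpdated).TotalHours
    $isStale  = $ageHours -gt $MaxAgeHours

    $result = [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        SignatureVersion       = $status.AntivirusSignatureVersion
        SignatureLastUpdated   = $status.AntivirusSignatureLastUpdated
        SignatureAgeHours      = [math]::Round($ageHours, 1)
        RealTimeProtection     = $status.RealTimeProtectionEnabled
        EngineVersion          = $status.AMEngineVersion
        Stale                  = $isStale
        UpdateAttempted        = $false
        UpdateSucceeded        = $null
    }

    if ($isStale -and $Remediate) {
        $result.UpdateAttempted = $true
        try {
            # If updates are being blocked, this is where the failure surfaces.
            Update-MpSignature -ErrorAction Stop
            $after = Get-MpComputerStatus
            $result.UpdateSucceeded =
                $after.AntivirusSignatureLastUpdated -gt $status.AntivirusSignatureLastUpdated
        }
        catch {
            $result.UpdateSucceeded = $false
            Write-Warning "Signature update failed on $($env:COMPUTERNAME): $($_.Exception.Message)"
        }
    }

    return $result
}

# Usage: run locally, or wrap in Invoke-Command for a fleet, then
# review any rows where Stale is $true or UpdateSucceeded is $false.
Test-DefenderSignatureFreshness -Remediate | Format-List
```

A stale result should be correlated with other telemetry (Defender operational event logs, endpoint alerts) before concluding anything about RedSun or UnDefend activity; the script only surfaces the update-blocking symptom the article attributes to UnDefend.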


Article by CyberSIXT
