www.darkreading.com, 4/21/2026, 8:01:57 PM

Exploits Turn Windows Defender into Attacker Tool

CyberSIXT Evidence Panel (CVE Intel)
CISA KEV: Not in KEV
Patch: Patch Available

Three publicly available proof-of-concept exploits are being used in active attacks against Microsoft's built-in Defender, and two of them remain unpatched. One exploit, BlueHammer, was used as a zero-day against CVE-2026-33825, a time-of-check/time-of-use (TOCTOU) vulnerability in Defender's signature update workflow, which yields SYSTEM-level access without a kernel exploit.

Microsoft issued a patch in its April 2026 security update to mitigate BlueHammer, but RedSun and UnDefend remain unpatched, according to the reporting and statements from Microsoft. Researchers at Huntress Labs observed hands-on intrusion activity using all three PoCs, with attackers staging binaries in low-noise user directories and renaming variants to evade detection.

The defender-relevant research notes that RedSun and UnDefend target separate flaws in Defender's privileged workflows, and that initial access often begins with a compromised SSL VPN account that lacks multifactor authentication. Organisations are advised to apply the April 2026 updates, ensure Antimalware Platform v4.18.26050.3011 is present, block execution from user-writable directories, and baseline the hash of TieringEngineService[.]exe, according to Vectra[.]ai.
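As an added example that is not part of the Dark Reading article or of the Huntress or Vectra AI research, the following PowerShell script turns the two host-level recommendations above into a repeatable check: it reads the Antimalware Platform version from Get-MpComputerStatus and compares it against v4.18.26050.3011, and it computes the SHA-256 hash of TieringEngineService.exe and compares it to a baseline recorded earlier on a known-good host. The location of the binary under System32, the helper function names and the baseline value are assumptions; the baseline is a placeholder you must replace with the hash you captured yourself.

```powershell
# Added example (not from the article): verify the Defender platform version
# and baseline the hash of TieringEngineService.exe on a Windows host.
# Assumptions: the binary lives under System32 and the baseline hash below is
# a placeholder to be replaced with the value recorded on a known-good host.

$RequiredPlatform  = [version]'4.18.26050.3011'   # version named in the reporting
$TieringEnginePath = Join-Path $env:SystemRoot 'System32\TieringEngineService.exe'   # assumed path
$BaselineSha256    = '<SHA256-RECORDED-ON-KNOWN-GOOD-HOST>'   # placeholder, not a real hash

function Test-DefenderPlatformVersion {
    # Returns one row describing whether the installed platform meets the minimum.
    param([version]$Required = $RequiredPlatform)
    $status    = Get-MpComputerStatus
    $installed = [version]$status.AMProductVersion
    [pscustomobject]@{
        Check     = 'AntimalwarePlatform'
        Installed = $installed.ToString()
        Required  = $Required.ToString()
        Pass      = ($installed -ge $Required)
        Note      = ''
    }
}

function Test-TieringEngineHash {
    # Returns one row comparing the current SHA-256 to the baseline and checking
    # that the file still carries a valid Authenticode signature.
    param(
        [string]$Path     = $TieringEnginePath,
        [string]$Baseline = $BaselineSha256
    )
    if (-not (Test-Path -Path $Path)) {
        return [pscustomobject]@{
            Check = 'TieringEngineHash'; Installed = $null; Required = $Baseline
            Pass  = $false;              Note      = "file not found at $Path"
        }
    }
    $current   = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    $signature = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Check     = 'TieringEngineHash'
        Installed = $current
        Required  = $Baseline
        # String -eq in PowerShell is case-insensitive, so hash casing does not matter.
        Pass      = (($current -eq $Baseline) -and ($signature.Status -eq 'Valid'))
        Note      = "signature: $($signature.Status)"
    }
}

# Run both checks; any row with Pass = False is worth an investigation ticket.
@(Test-DefenderPlatformVersion; Test-TieringEngineHash) | Format-Table -AutoSize
```

Run it from an elevated session so Get-MpComputerStatus can query the Defender service. Record the baseline once from a freshly patched machine and keep it outside the host (for example in your configuration-management inventory), so that a later mismatch cannot be hidden by an attacker who also overwrites the stored baseline.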


Article by CyberSIXT
