Defender Zero-Days Hit Live Attacks - Two Still Unpatched
Huntress confirms hands-on-keyboard exploitation of all three Windows Defender zero-days. Microsoft patched BlueHammer, but RedSun and UnDefend remain unpatched as attackers chain them for SYSTEM access.
The three Windows Defender zero-days published by the researcher "Chaotic Eclipse" are now being exploited in the wild. Huntress documented hands-on-keyboard threat actor activity using BlueHammer beginning April 10, with RedSun and UnDefend exploitation observed starting April 16.
Microsoft patched BlueHammer as CVE-2026-33825 in the April Patch Tuesday update. RedSun and UnDefend remain unpatched with no CVE assignments. Organizations running Windows systems face active privilege escalation threats with no vendor-provided mitigations for two of the three vulnerabilities.
The Attack Chain
Attackers are using the zero-days in combination rather than individually. The sequence matters operationally:
- UnDefend first - This denial-of-service exploit blocks Defender definition updates and progressively degrades endpoint protection. Running it early creates a window for subsequent malicious activity to evade detection.
- BlueHammer or RedSun second - Either privilege escalation exploit grants SYSTEM-level access. BlueHammer exploits a TOCTOU race condition in Defender's remediation engine. RedSun abuses how Defender handles cloud-tagged files. Both achieve the same outcome through different mechanisms.
Picus Security's analysis describes this as "a layered degradation strategy, not a one-shot exploit." Degrading detection before escalating privileges lowers the chance that the noisy part of the attack, the planted file and Defender's remediation of it, raises an alert while the escalation is in progress.
Technical Details
BlueHammer (CVE-2026-33825, CVSS 7.8): A time-of-check to time-of-use race condition in Windows Defender's threat remediation engine. The exploit plants a file that Defender will detect, uses a batch opportunistic lock (oplock) to pause remediation at a critical point, then creates an NTFS junction point that redirects Defender's target path into System32. Because remediation runs as SYSTEM, Defender overwrites a critical system file on the attacker's behalf, and that SYSTEM-privileged write is what yields SYSTEM-level access.
RedSun (No CVE): Abuses how Defender handles files with cloud attributes. When Defender detects a malicious file with a cloud tag, it rewrites the file to its original location. The exploit races this behavior through volume shadow copy operations and directory junction redirects, achieving the same SYSTEM-level outcome through different internals. We covered the initial RedSun disclosure when Chaotic Eclipse released the proof-of-concept.
UnDefend (No CVE): Triggers a denial-of-service condition that blocks definition updates and causes "progressive degradation" of endpoint protection capability. While not a privilege escalation, it creates conditions where subsequent exploitation goes undetected.
Attribution Context
Chaotic Eclipse released all three exploits publicly between April 3 and April 16 after disputes with Microsoft's Security Response Center. The researcher claimed mistreatment during the disclosure process.
Microsoft responded that they support "coordinated vulnerability disclosure" and remain committed to "customer protection and the security research community." The company patched BlueHammer within two weeks but has not yet addressed the other two vulnerabilities.
Whether Chaotic Eclipse shares additional Defender vulnerabilities remains unknown. Their public statements suggest frustration extends beyond these specific issues.
Impact Assessment
The practical threat is significant for any Windows environment without alternative endpoint protection. Default Windows installations rely on Defender as their primary antimalware solution. Enterprise environments using third-party EDR solutions face less direct risk, though Defender often runs alongside these tools.
Organizations relying solely on Windows Defender should consider temporary mitigations. Disabling specific Defender features could reduce attack surface but creates detection gaps. Network segmentation limits what attackers can do with SYSTEM access but doesn't prevent initial exploitation.
The vulnerability class—race conditions in security software's file handling—suggests additional issues may exist. Defender processes files across multiple contexts with timing-sensitive operations. Each such operation represents potential attack surface.
What to Do Now
For immediate response:
- Apply April 2026 patches - CVE-2026-33825 (BlueHammer) has a fix. Deploying it eliminates one of the three exploits.
- Monitor for exploitation indicators - Definition update failures (UnDefend's footprint), unexpected Defender remediation activity, stale signatures on otherwise online hosts, and unexpected process creation as SYSTEM all warrant investigation.
- Consider supplementary protection - Organizations can deploy additional endpoint security tools that don't share Defender's vulnerable code paths.
- Segment high-value systems - Privilege escalation exploits require initial access. Network architecture that limits lateral movement contains exploitation impact.
Microsoft has not provided timelines for RedSun or UnDefend patches. Organizations should assume these vulnerabilities will remain exploitable for at least another patch cycle.
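The monitoring guidance above, together with the ordering described under "The Attack Chain" (updates blocked first, then a remediation-driven escalation), as an added PowerShell triage script. This is my own example, not detection content from Huntress, Picus or Microsoft. It assumes the host runs Microsoft Defender Antivirus with its operational log enabled and that event IDs 2001 (security intelligence update failed), 5001 (real-time protection disabled) and 1117 (remediation action taken) carry their documented meanings; the hunt for junctions pointing into System32 is a heuristic chosen for this example, not a published indicator.

```powershell
# Added example, not from the article or from Huntress/Picus/Microsoft.
# Assumptions: Microsoft Defender Antivirus is present with its operational log,
# and event IDs 2001 / 5001 / 1117 mean update failed / RTP disabled / action taken.
# The System32 junction check is a heuristic of this example, not a published IOC.
function Invoke-DefenderZeroDayTriage {
    [CmdletBinding()]
    param(
        [int]$LookbackDays = 7,          # how far back to read the Defender log
        [int]$MaxSignatureAgeHours = 48, # older signatures suggest blocked updates
        [int]$ChainWindowMinutes = 60    # update failure -> remediation gap to flag
    )
    $findings = [System.Collections.Generic.List[string]]::new()
    $since    = (Get-Date).AddDays(-$LookbackDays)

    # 1. Current protection state. UnDefend blocks definition updates, so stale
    #    signatures on a machine that is otherwise online is the first tell.
    $status = Get-MpComputerStatus
    $sigAge = (Get-Date) - $status.AntivirusSignatureLastUpdated
    if ($sigAge.TotalHours -gt $MaxSignatureAgeHours) {
        $findings.Add(("Signatures are {0:N0}h old (version {1})" -f $sigAge.TotalHours, $status.AntivirusSignatureVersion))
    }
    if (-not $status.RealTimeProtectionEnabled) { $findings.Add('Real-time protection is disabled') }
    if (-not $status.AntivirusEnabled)          { $findings.Add('Antivirus engine is disabled') }

    # 2. Defender operational log over the lookback window.
    $events = @(Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 2001, 5001, 1117
        StartTime = $since
    } -ErrorAction SilentlyContinue)

    $updateFailures = @($events | Where-Object Id -eq 2001 | Sort-Object TimeCreated)
    $remediations   = @($events | Where-Object Id -eq 1117 | Sort-Object TimeCreated)
    foreach ($e in @($events | Where-Object Id -eq 5001)) {
        $findings.Add("Real-time protection was disabled at $($e.TimeCreated)")
    }
    if ($updateFailures.Count -gt 0) {
        $findings.Add("$($updateFailures.Count) security intelligence update failure(s) since $since")
    }

    # 3. Ordering that matches the chain: an update failure followed shortly by a
    #    remediation action. BlueHammer and RedSun both need Defender to remediate
    #    a planted file, so a remediation soon after updates stop is worth a look.
    foreach ($f in $updateFailures) {
        $deadline = $f.TimeCreated.AddMinutes($ChainWindowMinutes)
        $hit = $remediations |
            Where-Object { $_.TimeCreated -gt $f.TimeCreated -and $_.TimeCreated -le $deadline } |
            Select-Object -First 1
        if ($hit) {
            $findings.Add("Update failure at $($f.TimeCreated) followed by remediation at $($hit.TimeCreated): review the remediated path in that event")
            break
        }
    }

    # 4. Heuristic: NTFS junctions in user-writable locations whose target is
    #    under System32. Both privilege-escalation exploits redirect Defender's
    #    remediation target with a junction; a normal workstation has none.
    $roots = @($env:TEMP, 'C:\Users\Public', $env:ProgramData) | Select-Object -Unique
    foreach ($root in $roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Recurse -Attributes ReparsePoint -ErrorAction SilentlyContinue |
            Where-Object { $_.LinkType -eq 'Junction' } |
            ForEach-Object {
                $target = @($_.Target) -join ','   # string[] on PS 5.1, string on PS 7
                if ($target -match '(?i)\\Windows\\System32') {
                    $findings.Add("Junction $($_.FullName) -> $target")
                }
            }
    }

    [pscustomobject]@{
        Host       = $env:COMPUTERNAME
        Checked    = Get-Date
        Suspicious = ($findings.Count -gt 0)
        Findings   = $findings
    }
}

# Usage: run elevated on a suspect host and review any Findings.
Invoke-DefenderZeroDayTriage -LookbackDays 14 | Format-List
```

The script only surfaces side effects of the chain, not the exploits themselves: a host that has simply been offline will also show stale signatures, and a legitimate detection can follow an unrelated update failure. Treat a hit as a reason to pull the remediated path from the 1117 event and the process tree around it, not as a verdict.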
For broader context on how vulnerability exploitation has evolved, our hacking news coverage tracks ongoing developments as Microsoft and other vendors respond to active threat campaigns.
Related Articles
RedSun: Second Windows Defender Zero-Day Drops in Two Weeks (Apr 17, 2026)
Frustrated researcher 'Chaotic Eclipse' releases RedSun, another Windows Defender privilege escalation exploit granting SYSTEM access. Microsoft has not yet patched this second zero-day.
BlueHammer: Researcher Leaks Unpatched Windows Zero-Day Exploit (Apr 7, 2026)
Security researcher releases working proof-of-concept for BlueHammer, an unpatched Windows Defender privilege escalation flaw enabling SYSTEM access via TOCTOU and path confusion vulnerabilities.
SonicWall Patches Exploited SMA1000 Zero-Day Used in Chained RCE Attack (Dec 23, 2025)
CVE-2025-40602 privilege escalation flaw combined with earlier vulnerability enables unauthenticated remote code execution on SonicWall appliances.
OpenClaw Sandbox Escape Hits CVSS 9.9—Upgrade Before It's Exploited (Apr 21, 2026)
CVE-2026-41329 lets attackers bypass OpenClaw's sandbox via heartbeat context manipulation, achieving privilege escalation. CVSS 9.9 demands immediate patching.