Windows Defender Security Flaws Actively Exploited by Hackers

Windows systems utilizing Microsoft Defender are currently under siege as cybercriminals exploit a series of recently uncovered vulnerabilities, gaining unauthorized access to sensitive environments. The ongoing attacks have raised alarms within the cybersecurity community, prompting a closer examination of the flaws that are being actively targeted.

Quick Summary – TLDR:

  • Three vulnerabilities in Microsoft Defender are being actively exploited by hackers.
  • Only one flaw has been patched, while others remain exposed.
  • Public release of exploit code has accelerated real-world attacks.
  • Affected systems include Windows 10, Windows 11, and Windows Server.

What Happened?

Cybersecurity experts have confirmed that multiple vulnerabilities within Microsoft Defender are being leveraged by attackers to infiltrate systems. The flaws were made public alongside exploit code, significantly lowering the barrier for malicious actors to execute their attacks.

Reports indicate that at least one organization has already fallen victim to these vulnerabilities, intensifying concerns about the potential for widespread exploitation across various Windows environments.

Multiple Defender Flaws Now in Active Use

Researchers have identified three significant vulnerabilities impacting Microsoft Defender: BlueHammer, RedSun, and UnDefend. These flaws were disclosed as zero-day vulnerabilities by a researcher known as Chaotic Eclipse.

  • BlueHammer allows local privilege escalation and has now been patched by Microsoft under CVE-2026-33825.
  • RedSun is another privilege escalation flaw that remains unpatched.
  • UnDefend can disable security updates by triggering a denial of service condition.

According to Huntress, attackers have already begun exploiting all three vulnerabilities in real-world scenarios, with observed activities indicating hands-on keyboard attacks, including system enumeration and credential checks.

How the RedSun Exploit Works

The RedSun vulnerability reveals a critical flaw in Microsoft Defender’s handling of flagged files. Instead of removing certain malicious files, the antivirus may inadvertently restore them to their original locations under specific conditions.

This behavior can be manipulated by attackers to overwrite essential system files and gain administrative privileges without detection. Once they achieve elevated access, attackers can exert full control over the system, install malware, or navigate laterally through networks.

The researcher who uncovered this flaw criticized the antivirus software’s failure to eliminate threats, emphasizing that it should prioritize the removal of dangers rather than unintentionally preserving them.
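Because the article describes RedSun as Defender restoring a flagged file to its original location, one practical check is to review recent quarantine-restore events and flag any whose restored path lands in a protected system directory. This PowerShell snippet is an added example, not code from the article, Huntress or Microsoft; it assumes Defender logs restores as Event ID 1009 in the Microsoft-Windows-Windows Defender/Operational log with a "Path:" field in the message body, and the watched directory list and regex are assumptions to adjust for your environment.

```powershell
# Added example: surface Defender quarantine-restore events whose target path is inside a
# protected system directory. A restore into C:\Windows or C:\Program Files is rare in
# normal operation and is the pattern a RedSun-style abuse would produce.
# Assumptions: Event ID 1009 ("restored an item from quarantine") and a "Path:" field in
# the message text; Defender prefixes file paths with "file:_" in these messages.

$watchedRoots = @('C:\Windows', 'C:\Program Files', 'C:\Program Files (x86)')
$since = (Get-Date).AddDays(-7)

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1009
    StartTime = $since
} -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # Extract the restored path from the message; tolerate the optional "file:_" prefix.
    if ($e.Message -match 'Path:\s*(?:file:_)?([^\r\n]+)') {
        $path = $Matches[1].Trim()
        foreach ($root in $watchedRoots) {
            if ($path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
                # Emit one record per suspicious restore for triage (time, path, account).
                [pscustomobject]@{
                    Time = $e.TimeCreated
                    Path = $path
                    User = $e.UserId
                }
            }
        }
    }
}
```

Any hit should be compared against the original detection event for the same file and the account that performed the restore; on an unpatched host this is a triage lead, not proof of compromise on its own.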

Public Disclosure Fuels Faster Attacks

The situation intensified following the public release of proof-of-concept exploit code. This method, known as full disclosure, can prompt vendors to respond more swiftly but simultaneously provides cybercriminals with immediate access to effective attack tools.

In this instance, the available exploit code has already been weaponized, allowing hackers to target vulnerable systems with ease. John Hammond from Huntress described the scenario as a race between defenders and attackers, noting that the existence of ready-made exploit tools enables threat actors to act rapidly.

Microsoft Response and Patch Status

Microsoft has confirmed that it has addressed the BlueHammer vulnerability, but as of now, RedSun and UnDefend remain unpatched.

The company stated that it adheres to coordinated vulnerability disclosure practices, aiming to resolve security issues before they are made public. However, the current situation underscores the risks that can arise when this process falters.

The vulnerabilities affect systems running Windows 10, Windows 11, and Windows Server, particularly where Microsoft Defender is actively utilized.

Growing Risks for Organizations

With exploit code already circulating and confirmed active attacks, organizations now face heightened risks of compromise.

Key concerns include:

  • Privilege escalation leading to full system control.
  • Disruption of security updates and protections.
  • Rapid spread of attacks due to publicly available tools.

Security experts are urging users and organizations to remain vigilant and consider implementing layered security measures until patches are made available.

SQ Magazine Takeaway

This situation illustrates the delicate balance between cybersecurity researchers and major technology companies. When communication breaks down, the consequences extend beyond mere disagreements, manifesting as real-world risks for millions of users. The existence of operational exploit code is particularly concerning, serving as a stark reminder that reliance on default protections may not suffice in today’s evolving threat landscape.
