On April 21, 2026, Microsoft confirmed that one of three zero-day vulnerabilities affecting Windows Defender had been patched, while the other two remained unpatched and actively exploited in the wild. The flaw identified as BlueHammer (CVE-2026-33825) was addressed in Microsoft's April Patch Tuesday updates, but the RedSun and UnDefend vulnerabilities continue to leave Windows systems exposed to privilege escalation and denial-of-service attacks.
The vulnerabilities were disclosed by a security researcher using the alias Chaotic Eclipse, who released exploit code for all three flaws over a 13-day period beginning April 3, 2026. According to cybersecurity firm Huntress, all three zero-days were confirmed to be under active exploitation by April 17, 2026, with attackers combining BlueHammer and RedSun to disable Defender’s update mechanism and escalate to SYSTEM privileges, granting full control of compromised Windows machines.
BlueHammer, which exploits a race condition in Defender's threat remediation engine, was patched on April 14, 2026, after 11 days of public exposure. Because remediation runs as SYSTEM, an attacker who plants an NTFS junction point in a location Defender is about to clean up can redirect its file operations into sensitive system directories such as C:\Windows\System32, so that attacker-controlled files are written there with SYSTEM privileges during what appears to be a routine threat cleanup. Microsoft assigned the flaw a CVSS score of 7.8 (high severity).
In contrast, RedSun and UnDefend had no patches, no assigned CVE identifiers, and no public timeline for resolution as of April 21, 2026. RedSun functions as a local privilege escalation flaw similar to BlueHammer, while UnDefend can trigger a denial-of-service condition that blocks definition updates, effectively blinding the antivirus software. Both were weaponized starting April 16, 2026, following the initial BlueHammer exploit activity observed since April 10.
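Two checks a defender would want on a Windows host given the descriptions of BlueHammer (junctions redirecting Defender's SYSTEM-level file operations) and UnDefend (definition updates blocked). This is an added example written for this page; it is not Microsoft's, Huntress's or the researcher's code and does not reproduce any exploit. It assumes Windows PowerShell 5.1 or later with the built-in Defender module; the list of user-writable roots and the two-day signature-age threshold are assumptions to tune for your estate.

```powershell
# Added example, not code from Microsoft or from the BlueHammer/UnDefend disclosures.
# 1. Find-SuspiciousJunction: enumerate reparse points (junctions/symlinks) under roots a
#    low-privileged user can write to, and report any whose target resolves into
#    C:\Windows\System32 or SysWOW64, the redirect primitive described for BlueHammer.
# 2. Get-DefenderUpdateHealth: report Defender platform/engine/signature versions and
#    signature age, so a host whose definition updates are being blocked stands out.
# Run elevated for full coverage of C:\Users. Roots and thresholds below are assumptions.

function Find-SuspiciousJunction {
    param(
        [string[]]$Roots = @($env:ProgramData, $env:PUBLIC, $env:TEMP, 'C:\Users'),
        # Case-insensitive by default in PowerShell; matches ...\Windows\System32 or \SysWOW64
        [string]$TargetPattern = '\\Windows\\(System32|SysWOW64)(\\|$)'
    )
    foreach ($root in $Roots) {
        if (-not $root -or -not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Recurse -Force -Attributes ReparsePoint -ErrorAction SilentlyContinue |
            ForEach-Object {
                $item = $_
                # Target is exposed by the FileSystem provider on links/junctions (may be an array on 5.1)
                $targets = @($item.Target) | Where-Object { $_ }
                foreach ($t in $targets) {
                    if ($t -match $TargetPattern) {
                        [pscustomobject]@{
                            Path     = $item.FullName
                            LinkType = $item.LinkType
                            Target   = $t
                            Owner    = (Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue).Owner
                            Created  = $item.CreationTime
                        }
                    }
                }
            }
    }
}

function Get-DefenderUpdateHealth {
    param([int]$MaxSignatureAgeDays = 2)   # assumption: tune to your update cadence
    $s   = Get-MpComputerStatus
    $age = (Get-Date) - $s.AntivirusSignatureLastUpdated
    [pscustomobject]@{
        PlatformVersion      = $s.AMProductVersion
        EngineVersion        = $s.AMEngineVersion
        SignatureVersion     = $s.AntivirusSignatureVersion
        SignatureLastUpdated = $s.AntivirusSignatureLastUpdated
        SignatureAgeDays     = [math]::Round($age.TotalDays, 1)
        RealTimeProtection   = $s.RealTimeProtectionEnabled
        # Stale signatures or a disabled engine are consistent with the update-blocking
        # behaviour described for UnDefend, but also with plain connectivity problems.
        UpdatesLookBlocked   = ($age.TotalDays -gt $MaxSignatureAgeDays) -or (-not $s.AntivirusEnabled)
    }
}

Find-SuspiciousJunction | Format-Table -AutoSize
Get-DefenderUpdateHealth | Format-List
```

A junction into System32 under a user-writable path is rare in legitimate software but not impossible, so treat hits as leads to triage (who created it, when, and what Defender detections followed) rather than as proof of exploitation. Likewise, a stale signature date by itself can be a proxy or WSUS problem; correlate it with Defender operational-log errors before calling it UnDefend activity.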
Microsoft’s Security Response Center reportedly dismissed the researcher’s initial disclosure attempt over a dispute regarding a video demonstration, prompting Chaotic Eclipse to publish the exploits publicly without coordinated disclosure. The researcher stated in posts accompanying the GitHub releases that the action was intended to force Microsoft to address the flaws after traditional reporting channels failed.
Huntress observed the exploitation chain in real-world attacks, noting that threat actors typically began with enumeration commands such as whoami /priv, cmdkey /list, and net group before deploying the zero-days. The firm confirmed it had isolated affected organizations to prevent further post-exploitation activity and urged Windows users to monitor for unusual system behavior.
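The enumeration sequence above (whoami /priv, cmdkey /list, net group) is a cheap detection opportunity because it precedes the zero-day deployment. The following is an added example written for this page, not Huntress's detection content: it flags any host and account on which all three commands run within a short window. The sample events are constructed here; on a real host the same function can be fed Security event 4688 (which only carries the command line if "Include command line in process creation events" is enabled in audit policy) or Sysmon event 1. The ten-minute window and the field names are assumptions.

```powershell
# Added example (not Huntress's or Microsoft's code): flag the recon sequence
# "whoami /priv", "cmdkey /list", "net group" when all three run under the same
# account on the same host within $WindowMinutes. Input shape is assumed:
# objects with Time, Computer, User and CommandLine properties.

$WindowMinutes = 10   # assumption: tune to observed dwell time

# Constructed sample events for this example. Only WS01 shows the full sequence
# inside the window; WS02 runs two of the commands hours apart; WS03 runs one.
$events = @(
    [pscustomobject]@{ Time = Get-Date '2026-04-16T09:01:10'; Computer = 'WS01'; User = 'CORP\jdoe';   CommandLine = 'whoami /priv' },
    [pscustomobject]@{ Time = Get-Date '2026-04-16T09:01:42'; Computer = 'WS01'; User = 'CORP\jdoe';   CommandLine = 'cmdkey /list' },
    [pscustomobject]@{ Time = Get-Date '2026-04-16T09:03:05'; Computer = 'WS01'; User = 'CORP\jdoe';   CommandLine = 'net group "Domain Admins" /domain' },
    [pscustomobject]@{ Time = Get-Date '2026-04-16T11:20:00'; Computer = 'WS02'; User = 'CORP\asmith'; CommandLine = 'whoami /priv' },
    [pscustomobject]@{ Time = Get-Date '2026-04-16T15:45:00'; Computer = 'WS02'; User = 'CORP\asmith'; CommandLine = 'net group' },
    [pscustomobject]@{ Time = Get-Date '2026-04-16T12:00:00'; Computer = 'WS03'; User = 'CORP\svc';    CommandLine = 'cmdkey /list' }
)

# One regex per recon step. Matching is case-insensitive; net1.exe is covered because
# net.exe hands "group" off to it and some telemetry records the child instead.
$ReconPatterns = @{
    'whoami_priv' = '^\s*(.*\\)?whoami(\.exe)?\s+/priv\b'
    'cmdkey_list' = '^\s*(.*\\)?cmdkey(\.exe)?\s+/list\b'
    'net_group'   = '^\s*(.*\\)?net1?(\.exe)?\s+group\b'
}

function Find-ReconSequence {
    param(
        [object[]]$Events,
        [int]$WindowMinutes = 10,
        [hashtable]$Patterns = $ReconPatterns
    )
    $Events | Group-Object Computer, User | ForEach-Object {
        $grp  = $_
        # Keep only events that match a recon step, tagged with the step name
        $hits = foreach ($e in $grp.Group) {
            foreach ($name in $Patterns.Keys) {
                if ($e.CommandLine -match $Patterns[$name]) {
                    [pscustomobject]@{ Step = $name; Time = $e.Time; CommandLine = $e.CommandLine }
                }
            }
        }
        $hits = @($hits | Sort-Object Time)
        # Slide a window over the sorted hits; alert on the first window holding every step
        for ($i = 0; $i -lt $hits.Count; $i++) {
            $start  = $hits[$i].Time
            $window = @($hits | Where-Object { $_.Time -ge $start -and $_.Time -le $start.AddMinutes($WindowMinutes) })
            $steps  = @($window | ForEach-Object { $_.Step } | Select-Object -Unique)
            if ($steps.Count -eq $Patterns.Count) {
                [pscustomobject]@{
                    Computer = $grp.Group[0].Computer
                    User     = $grp.Group[0].User
                    Start    = $start
                    End      = ($window | Measure-Object -Property Time -Maximum).Maximum
                    Commands = (($window | ForEach-Object { $_.CommandLine }) -join ' ; ')
                }
                break
            }
        }
    }
}

Find-ReconSequence -Events $events -WindowMinutes $WindowMinutes | Format-List
```

With the sample above only WS01 / CORP\jdoe is reported. To run it against live data, map Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688} records onto the same four properties (computer, account, process command line, time created) and pass them as -Events. Expect some noise from administrators and inventory scripts; the value of the rule is in requiring all three commands under one account in one window, not in any single command.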
Microsoft confirmed that the BlueHammer fix shipped under CVE-2026-33825 and reiterated its commitment to investigating reported security issues. However, the company did not give a date for patches for RedSun and UnDefend, noting only that the next Patch Tuesday was scheduled for May 13, 2026, just over three weeks away.
The incident highlights ongoing tensions between security researchers and vendors over vulnerability disclosure processes, particularly when internal reporting mechanisms are perceived as unresponsive. For Windows users, the situation underscores the importance of maintaining layered defenses, as even trusted security software like Microsoft Defender can become a vector for attack when unpatched flaws exist in its core components.
Users are advised to ensure their systems are updated to the latest available security patches and to remain vigilant for signs of compromise, such as unexpected privilege changes or blocked security updates. Official guidance from Microsoft on defending against active exploits can be found through its Security Response Center portal.