
Zero‑Day Exploits Target Microsoft Defender; Two Critical Flaws Remain Unpatched

Researchers have confirmed active exploitation of three Microsoft Defender zero‑days—BlueHammer, RedSun, and UnDefend. Only BlueHammer (CVE‑2026‑33825) is patched; RedSun and UnDefend remain open, exposing any organization that relies on Defender for Endpoint to privilege‑escalation and denial‑of‑service attacks.

🛡️ LiveThreat™ Intelligence · 📅 April 18, 2026 · 📰 securityaffairs.com

  • Severity: Critical
  • Type: Vulnerability
  • Confidence: High
  • Affected: 3 sector(s)
  • Actions: 4 recommended
  • Source: securityaffairs.com


What Happened – Researchers observed active exploitation of three newly disclosed Microsoft Defender zero‑days (codenamed BlueHammer, RedSun, and UnDefend). Only the BlueHammer flaw (CVE‑2026‑33825) has been patched; RedSun and UnDefend are still open. Public proof‑of‑concept code released by the researcher “Chaotic Eclipse” is being used in the wild.

Why It Matters for TPRM

  • Endpoint protection is a core security control for most third‑party vendors; a breach in Defender can cascade to downstream partners.
  • Unpatched privilege‑escalation bugs give attackers the ability to bypass detection, increasing the risk of data exfiltration or ransomware on client environments.
  • Real‑world exploitation signals an imminent wave of attacks that could affect any organization relying on Microsoft Defender.

Who Is Affected – Enterprises across all sectors that deploy Microsoft Defender for Endpoint, including SaaS providers, MSPs, and internal IT teams.

Recommended Actions

  • Verify that your Microsoft Defender agents are fully updated, and confirm that the BlueHammer patch (CVE‑2026‑33825) has been applied.
  • Apply compensating controls (application whitelisting, strict least‑privilege policies, network segmentation) until RedSun and UnDefend are patched.
  • Increase monitoring for anomalous process execution and Defender alert bypass attempts.
  • Engage with Microsoft support to obtain timelines for the remaining patches and request temporary mitigations.

Technical Notes

  • Attack vector: local privilege escalation; an attacker needs existing local access to exploit these flaws.
  • CVEs: BlueHammer – CVE‑2026‑33825 (patched); RedSun – CVE‑2026‑33826 (unpatched); UnDefend – CVE‑2026‑33827 (unpatched).
  • Impact: Elevated system privileges, denial‑of‑service of definition updates, potential for full system compromise.
  • Evidence: Huntress SOC logs show exploitation attempts from April 10–16, 2026, including execution of RedSun.exe triggering Defender alerts.

Source: SecurityAffairs – Microsoft Defender under attack as three zero‑days, two still unpatched

📰 Original Source
https://securityaffairs.com/190961/hacking/microsoft-defender-under-attack-as-three-zero-days-two-of-them-still-unpatched-enable-elevated-access.html

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.
