🛡️ VULNERABILITY BRIEF · 🟠 High · 🛡️ Vulnerability

Zero‑Day Windows Privilege‑Escalation Flaws (BlueHammer, RedSun, UnDefend) Actively Exploited in the Wild

Three newly disclosed Windows vulnerabilities, BlueHammer, RedSun and UnDefend, have been weaponized by threat actors. BlueHammer is patched, but RedSun and UnDefend remain unaddressed: RedSun still gives a local attacker SYSTEM‑level access on Defender‑enabled Windows 10/11 and Server 2019+ systems, and UnDefend lets a standard user block Defender definition updates. Organizations must act now to mitigate exposure.

🛡️ LiveThreat™ Intelligence · 📅 April 17, 2026· 📰 bleepingcomputer.com
🟠 Severity: High · 🛡️ Type: Vulnerability · 🎯 Confidence: High · 🏢 Affected: 3 sector(s) · Actions: 4 recommended · 📰 Source: bleepingcomputer.com


What Happened – Three Windows vulnerabilities—BlueHammer (CVE‑2026‑33825), RedSun and UnDefend—were publicly leaked and proof‑of‑concept exploits were released by the researcher “Chaotic Eclipse.” Huntress Labs observed all three exploits being used in active attacks, with BlueHammer seen in the wild since April 10, 2026.

Why It Matters for TPRM

  • BlueHammer and RedSun grant a local attacker SYSTEM or elevated admin rights on Windows 10/11 and Server 2019+ machines running Microsoft Defender; UnDefend lets a standard user stop Defender definition updates, leaving the endpoint blind to new signatures.
  • Exploits are already in the wild, meaning third‑party vendors and their customers are at immediate risk.
  • Two of the three flaws, RedSun and UnDefend, have no vendor patch yet, so applying the April 2026 updates closes BlueHammer but does not eliminate exposure; organizations that have not applied those updates remain exposed to all three.

Who Is Affected – Enterprises across all sectors that run Windows desktops, laptops, or servers with Microsoft Defender enabled; especially MSPs, SaaS providers, and any supply‑chain partners that host or manage Windows workloads.

Recommended Actions

  • Verify that the April 2026 Patch Tuesday updates (which include the fix for CVE‑2026‑33825, BlueHammer) have been applied to every Windows endpoint and server.
  • For RedSun and UnDefend, which have no patch, apply temporary mitigations: disable cloud‑based file‑reputation tagging in Defender (weigh this carefully, since cloud‑delivered protection is also a core detection capability; treat it as a documented, time‑boxed exception), enforce application control (AppLocker or WDAC) so that unapproved exploit binaries cannot run, and alert on unexpected modifications to system files.
  • Conduct an urgent threat hunt for indicators of compromise (IOCs) associated with the published exploit code, and for the symptoms the exploits produce: unexpected privilege escalation by standard users and Defender definitions that have stopped updating.
  • Review third‑party contracts for clauses requiring timely patching of critical OS vulnerabilities.
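The following PowerShell audit is an added example, not code from the brief or from BleepingComputer. It checks one endpoint against the first two actions above: whether a given cumulative update is installed, what Defender's real‑time and cloud‑delivered protection settings are, and whether an AppLocker policy is in effect. The KB number is a placeholder the brief does not supply (take it from Microsoft's advisory for CVE‑2026‑33825), and reading MAPSReporting and SubmitSamplesConsent as the "cloud‑based file‑reputation tagging" the brief refers to is an assumption. Run it in an elevated session.

```powershell
# Added example (not from the brief): audit a single host for the recommended actions.
# Assumptions: $ExpectedKb is a placeholder KB ID; "cloud-based file-reputation tagging"
# is read here as Defender's cloud-delivered protection (MAPSReporting) plus sample submission.
function Test-ZeroDayExposure {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ExpectedKb   # hypothetical, e.g. the April 2026 LCU KB
    )

    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Patch level: OS build (major.UBR) and whether the expected update is present.
    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = "$($cv.CurrentBuildNumber).$($cv.UBR)"
    $kb    = Get-HotFix -Id $ExpectedKb -ErrorAction SilentlyContinue
    if ($kb) {
        $findings.Add("OK   $ExpectedKb installed $($kb.InstalledOn) (build $build)")
    } else {
        $findings.Add("FAIL $ExpectedKb not found (build $build); BlueHammer fix may be missing")
    }

    # 2. Defender state: real-time protection must be on; record the cloud-protection
    #    settings so a deliberate, time-boxed change for RedSun is visible in the audit.
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference
    if (-not $status.RealTimeProtectionEnabled) {
        $findings.Add('WARN real-time protection is disabled')
    }
    $findings.Add("INFO cloud-delivered protection (MAPSReporting) = $($pref.MAPSReporting)")
    $findings.Add("INFO sample submission (SubmitSamplesConsent)   = $($pref.SubmitSamplesConsent)")

    # 3. Application control: count effective AppLocker rules (WDAC is not checked here).
    $ruleCount = 0
    if (Get-Command Get-AppLockerPolicy -ErrorAction SilentlyContinue) {
        $policy = Get-AppLockerPolicy -Effective -ErrorAction SilentlyContinue
        if ($policy) {
            $ruleCount = ($policy.RuleCollections | ForEach-Object { $_.Count } |
                          Measure-Object -Sum).Sum
        }
    }
    if ($ruleCount -gt 0) {
        $findings.Add("OK   AppLocker policy in effect ($ruleCount rules)")
    } else {
        $findings.Add('WARN no effective AppLocker rules; application-control mitigation not in place')
    }

    return $findings
}

# Placeholder KB: replace with the real identifier from Microsoft's advisory before use.
Test-ZeroDayExposure -ExpectedKb 'KB0000000'
```

The script only reports; it changes nothing. A FAIL on the patch line or a WARN on application control is what a vendor‑risk reviewer would ask a third party to explain.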

Technical Notes

  • Attack vector: Vulnerability exploitation (local privilege escalation).
  • BlueHammer: LPE in Microsoft Defender, patched (CVE‑2026‑33825).
  • RedSun: LPE that rewrites system files via Defender’s cloud‑tag handling, still unpatched.
  • UnDefend: Allows a standard user to block Defender definition updates, still unpatched.
  • Observed attack chain: initial access through a compromised SSL‑VPN credential, followed by the leaked exploits to escalate privileges on the foothold host.
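Because UnDefend's effect is that a host's definitions silently stop updating, the most direct hunt is for that symptom. The function below is an added example, not code from the brief, and assumes only Defender's documented operational event IDs: 2000 (security intelligence updated), 2001 (update failed) and 5007 (configuration changed). The age threshold and lookback window are assumptions; tune them to your update cadence.

```powershell
# Added example (not from the brief): flag hosts whose Defender definitions have stopped
# updating, the symptom UnDefend produces, and surface recent configuration changes.
# Event IDs are Defender's documented ones; thresholds are assumed defaults.
function Find-DefenderUpdateTampering {
    [CmdletBinding()]
    param(
        [int] $MaxSignatureAgeDays = 2,   # assumption: definitions older than this are stale
        [int] $LookbackDays        = 7    # assumption: window for event-log review
    )

    $since  = (Get-Date).AddDays(-$LookbackDays)
    $log    = 'Microsoft-Windows-Windows Defender/Operational'
    $report = [ordered]@{}

    # Signature freshness as Defender itself reports it.
    $status = Get-MpComputerStatus
    $report.SignatureVersion = $status.AntivirusSignatureVersion
    $report.SignatureAgeDays = $status.AntivirusSignatureAge
    $report.SignaturesStale  = $status.AntivirusSignatureAge -gt $MaxSignatureAgeDays

    # Successful vs failed definition updates, plus configuration changes, in the window.
    $events = Get-WinEvent -FilterHashtable @{
        LogName = $log; Id = 2000, 2001, 5007; StartTime = $since
    } -ErrorAction SilentlyContinue

    $report.UpdateSucceeded = @($events | Where-Object Id -eq 2000).Count
    $report.UpdateFailed    = @($events | Where-Object Id -eq 2001).Count
    $report.LastFailure     = ($events | Where-Object Id -eq 2001 |
                               Sort-Object TimeCreated -Descending |
                               Select-Object -First 1).Message

    # Every 5007 event is listed; reviewing which are legitimate is left to the analyst.
    $report.ConfigChanges = @($events | Where-Object Id -eq 5007 | ForEach-Object {
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Detail = (($_.Message -split "`r?`n") | Where-Object { $_ -match 'value:' }) -join ' | '
        }
    })

    # Escalate when definitions are stale, updates are failing and none has succeeded.
    $report.Suspicious = $report.SignaturesStale -and
                         $report.UpdateFailed -gt 0 -and
                         $report.UpdateSucceeded -eq 0

    return [pscustomobject]$report
}

Find-DefenderUpdateTampering | Format-List
```

Run it fleet‑wide through your RMM or Invoke‑Command and triage hosts where Suspicious is true first; a host with stale signatures and no 2001 events at all is also worth a look, since an update that never starts logs no failure.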

Source: BleepingComputer

📰 Original Source
https://www.bleepingcomputer.com/news/security/recently-leaked-windows-zero-days-now-exploited-in-attacks/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.
