Full Report
Huntress is warning that threat actors are exploiting three recently disclosed security flaws in Microsoft Defender to gain elevated privileges in compromised systems. The activity involves the exploitation of three vulnerabilities that are codenamed BlueHammer (requires GitHub sign-in), RedSun, and UnDefend, all of which were released as zero-days by a researcher known as Chaotic Eclipse (
Analysis Summary
# Vulnerability: Microsoft Defender Privilege Escalation and DoS Zero-Days
## CVE Details
- **CVE ID:** CVE-2026-33825 (BlueHammer). Note: RedSun and UnDefend currently lack assigned CVE identifiers.
- **CVSS Score:** Not explicitly listed (BlueHammer was patched in a monthly update; comparable LPE flaws are typically scored 7.0–7.8, High).
- **CWE:** Not specified (technically the flaws relate to Privilege Escalation and Denial of Service).
## Affected Systems
- **Products:** Microsoft Defender
- **Versions:** All versions prior to the April 2026 security updates.
- **Configurations:** Windows systems running Microsoft Defender; exploitation generally requires an initial foothold for Local Privilege Escalation (LPE).
## Vulnerability Description
Three distinct flaws discovered by the researcher "Chaotic Eclipse" (aka Nightmare-Eclipse) impact the security posture of Microsoft Defender:
1. **BlueHammer (CVE-2026-33825):** A local privilege escalation (LPE) flaw that allows an attacker with low-level access to gain elevated system privileges.
2. **RedSun:** A second LPE vulnerability that bypasses existing security controls to elevate permissions.
3. **UnDefend:** A denial-of-service (DoS) flaw capable of blocking Defender's definition updates, effectively "freezing" the antivirus in an outdated state and preventing the detection of new threats.
## Exploitation
- **Status:** Exploited in the wild. Huntress reported active weaponization of BlueHammer as of April 10, 2026, and PoC use for RedSun/UnDefend starting April 16, 2026.
- **Complexity:** Low (Proof-of-Concept code is publicly available on GitHub).
- **Attack Vector:** Local (Requires internal access to the system to execute privilege escalation).
## Impact
- **Confidentiality:** High (Gain system-level access to sensitive data).
- **Integrity:** High (Ability to modify system files and security configurations).
- **Availability:** High (UnDefend can disable security update mechanisms).
## Remediation
### Patches
- **BlueHammer:** Patched in the Microsoft April 2026 "Patch Tuesday" update cycle. Users should ensure they are running the latest version of Microsoft Defender and Windows security updates.
- **RedSun / UnDefend:** No official patches available as of April 17, 2026.
### Workarounds
- Enforce strict least-privilege policies so that an initial foothold does not already carry the access needed to escalate.
- Monitor for unauthorized attempts to disable or interfere with the Windows Update service or Defender services.
## Detection
- **Indicators of Compromise:** Execution of typical discovery/enumeration commands such as `whoami /priv`, `cmdkey /list`, and `net group` followed by suspicious Defender service interactions.
- **Detection methods and tools:** Monitor for unusual activity originating from Microsoft Defender processes, and review firewall logs for attempts to block outbound connections to Microsoft Update servers.
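As an added example (not code from Huntress, Microsoft, or the researcher's repositories), a minimal correlation rule for the sequence named above: the discovery commands followed on the same host by an interaction with the Defender or Windows Update service. The record format, field names and exact command forms are assumptions, and the sample records are constructed.

```python
import re
from datetime import datetime, timedelta

# Discovery commands named in the Detection section, keyed by a short label.
DISCOVERY = {
    "whoami /priv": r"\bwhoami(\.exe)?\s+/priv\b",
    "cmdkey /list": r"\bcmdkey(\.exe)?\s+/list\b",
    "net group": r"\bnet(1|\.exe)?\s+group\b",
}
# WinDefend / wuauserv are the real service names; the command forms are assumptions.
DEFENDER_TOUCH = (
    r"\bsc(\.exe)?\s+(stop|config|delete)\s+(windefend|wuauserv)\b",
    r"set-mppreference\b.*-disable",
    r"netsh\s+advfirewall\s+firewall\s+add\s+rule\b.*dir=out\b.*action=block",
)
WINDOW = timedelta(minutes=30)

def parse(line):
    """Parse the constructed 'timestamp|host|user|command line' record format."""
    ts, host, user, cmd = line.split("|", 3)
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user, "cmd": cmd.strip()}

def find_chains(lines, window=WINDOW, min_discovery=2):
    """Return (host, trigger command, discovery labels) for each Defender/Update
    interaction preceded on the same host within `window` by >= min_discovery discovery commands."""
    events = sorted((parse(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    hits = []
    for i, ev in enumerate(events):
        if not any(re.search(p, ev["cmd"], re.I) for p in DEFENDER_TOUCH):
            continue
        prior = [e for e in events[:i]
                 if e["host"] == ev["host"] and ev["ts"] - e["ts"] <= window]
        seen = {label for e in prior for label, p in DISCOVERY.items()
                if re.search(p, e["cmd"], re.I)}
        if len(seen) >= min_discovery:
            hits.append((ev["host"], ev["cmd"], sorted(seen)))
    return hits

# Constructed sample records (not real telemetry): WS01 shows the full chain,
# WS02 shows a service change with no discovery inside the window.
SAMPLE = """\
2026-04-16T09:00:05|WS01|corp\\jdoe|whoami /priv
2026-04-16T09:00:40|WS01|corp\\jdoe|cmdkey /list
2026-04-16T09:01:10|WS01|corp\\jdoe|net group "Domain Admins" /domain
2026-04-16T09:12:33|WS01|corp\\jdoe|sc.exe stop WinDefend
2026-04-16T08:00:00|WS02|corp\\admin|whoami /priv
2026-04-16T11:30:00|WS02|corp\\admin|sc.exe config wuauserv start= disabled
""".splitlines()
```

Running `find_chains(SAMPLE)` returns one alert for WS01 and none for WS02, since its lone discovery command falls outside the 30-minute window.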
## References
- **Vendor Advisories (Defanged):** hxxps[://]msrc[.]microsoft[.]com/update-guide (Reference for CVE-2026-33825)
- **Relevant Links (Defanged):**
- hxxps[://]github[.]com/Nightmare-Eclipse/BlueHammer
- hxxps[://]github[.]com/Nightmare-Eclipse/RedSun
- hxxps[://]github[.]com/Nightmare-Eclipse/UnDefend
- hxxps[://]x[.]com/HuntressLabs/status/2044882050314817880