
Three Chained Microsoft Defender Zero-Days Exploited in the Wild: BlueHammer, RedSun, and UnDefend Create Layered Attack Path

Security researchers have discovered three coordinated zero-day exploits targeting Microsoft Defender enabling privilege escalation, DoS attacks, and degraded endpoint protection. The exploits chain together to bypass defenses entirely, forcing immediate patching.

April 25, 2026 · 8 min read

The Defender Under Attack: A Coordinated Assault on Windows Security

Three Defender zero-days have been exploited since April 10, 2026, enabling privilege escalation and DoS, forcing isolation of affected systems. This represents a critical shift in threat actor tactics: instead of attacking Windows directly, adversaries are weaponizing the operating system's primary defense mechanism itself.

The threat landscape has reached an inflection point. Within a 13-day window in April 2026, multiple zero-day exploits targeting Windows Defender were disclosed. Each exploit serves a distinct purpose in a coordinated chain, creating a comprehensive attack path that turns Microsoft's flagship endpoint protection into a liability.

The Trinity of Exploits: How They Work Together

BlueHammer: Privilege Escalation Through Remediation Logic

The first exploit to be weaponized, BlueHammer (CVE-2026-33825), was publicly disclosed on April 7, 2026, alongside a fully functional proof-of-concept exploit known as "BlueHammer". The vulnerability carries a CVSS score of 7.8 (High severity).

It stems from a race condition in Windows Defender's file remediation logic, which can be exploited to overwrite arbitrary files on the system. Successful exploitation enables attackers to achieve SYSTEM-level code execution from an unprivileged account.

The exploit first triggers a Defender detection with a crafted file, then replaces that file with a cloud placeholder via the Windows Cloud Files API. As Defender initiates its rollback process, the attacker uses filesystem manipulation techniques, including NTFS junctions and opportunistic locks, to pause execution and redirect the target path to C:\Windows\System32. When Defender resumes the rollback operation, it follows the redirected path and writes the file with SYSTEM-level privileges.

In a series of posts shared on X, Huntress said it observed all three flaws being exploited in the wild, with BlueHammer being weaponized since April 10, 2026, followed by the use of RedSun and UnDefend proof-of-concept (PoC) exploits on April 16.

RedSun: Alternative Escalation Path Through Cloud-Tagged Files

BlueHammer was followed by "RedSun", another privilege escalation technique that abuses Defender's handling of cloud-tagged files to overwrite system paths. RedSun gives attackers a backup escalation method, preserving access even if BlueHammer is patched or blocked.

UnDefend: The Protection Degradation Worm

The most insidious of the three, "UnDefend", disrupts Defender's update mechanism and gradually weakens its protection. This exploit turns endpoint protection into a slow-motion degradation attack, reducing detection capabilities over time without triggering alerts.

The Layered Degradation Strategy

What distinguishes these exploits from isolated vulnerabilities is their coordinated deployment pattern. An attacker uses BlueHammer or RedSun to achieve SYSTEM, then deploys UnDefend to ensure the endpoint protection layer becomes progressively less capable of catching follow-on activity. It is a layered degradation strategy, not a one-shot exploit.

This represents a fundamental shift in attack methodology. Rather than a smash-and-grab approach, threat actors are establishing persistence by systematically disabling the defenses designed to detect their presence. Together, these exploits highlight systemic weaknesses in Defender's architecture. One enables privilege escalation, another degrades protection over time, and a third introduces an alternative escalation path even after patching. The sequence shows how attackers can chain vulnerabilities to bypass defenses and maintain access.

Immediate Patch Status and CISA Mandate

Microsoft moved quickly to address BlueHammer as part of its Patch Tuesday updates released earlier this week; the vulnerability is tracked under the CVE identifier CVE-2026-33825. However, the situation remains precarious: the other two flaws do not have a fix as of writing.

The U.S. government has escalated response protocols. The U.S. Cybersecurity and Infrastructure Security Agency (CISA), on April 22, 2026, added CVE-2026-33825 to its Known Exploited Vulnerabilities (KEV) Catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the fixes by May 6, 2026.

The Broader Context: Exploit Windows Collapsing

This discovery arrives amid an accelerating trend. The time you have to fix a vulnerability before it gets attacked is shrinking to zero. We call this the Collapsing Exploit Window, and it means your standard patching routine is officially too slow.

The Microsoft Defender attacks exemplify this problem. The 13-day window between BlueHammer's disclosure and its patch (CVE-2026-33825) allowed threat actors to achieve full weaponization and deployment in production environments before organizations could respond.

Evidence of Active In-The-Wild Exploitation

"These invocations followed after typical enumeration commands: whoami /priv, cmdkey /list, net group, and others that indicate hands-on-keyboard threat actor activity," Huntress added. This indicates sophisticated threat actors, not script-kiddie automation, conducting the attacks.

The discovery was significant enough to trigger incident response at scale. The cybersecurity vendor said it has taken steps to isolate the affected organization to prevent further post-exploitation.

Remediation Guidance for Defenders

Organizations are strongly advised to apply the April 2026 Patch Tuesday security updates immediately. However, patching BlueHammer alone is insufficient. Organizations must:

  • Apply CVE-2026-33825 patches immediately to systems with Defender enabled
  • Monitor for signs of UnDefend and RedSun exploitation, which currently lack patches
  • Isolate systems showing Defender update failures or protection degradation
  • Implement compensating controls such as behavioral detection for the chained attack pattern
  • Review Defender logs for evidence of malicious file operations and path redirections since April 10, 2026
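A hunting routine that covers two of the signals above, added here as an example (it is not the article's or Huntress's code): the whoami /priv, cmdkey /list, net group enumeration sequence Huntress described, and the Defender update failures and protection state changes that UnDefend-style degradation would produce. The telemetry and the normalised record shape are constructed for the example; the event IDs are Defender's documented operational-log IDs.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry, not real logs. Process records are (timestamp, host, user,
# command line); Defender records are (timestamp, host, event id) using Defender's documented
# operational-log IDs: 2001/2003 = update failed, 5001/5010/5012 = protection disabled.
PROCESS_EVENTS = [
    ("2026-04-16T09:01:00", "WS01", "jdoe", "whoami /priv"),
    ("2026-04-16T09:01:20", "WS01", "jdoe", "cmdkey /list"),
    ("2026-04-16T09:02:05", "WS01", "jdoe", 'net group "Domain Admins" /domain'),
    ("2026-04-16T11:00:00", "WS02", "svc_backup", "whoami /priv"),  # lone command, not a burst
]
DEFENDER_EVENTS = [
    ("2026-04-16T10:00:00", "WS01", 2001),
    ("2026-04-16T14:00:00", "WS01", 2001),
    ("2026-04-16T10:00:00", "WS02", 2001),  # a single failure is ordinary noise
    ("2026-04-17T08:00:00", "WS03", 5001),
]
ENUM_MARKERS = ("whoami /priv", "cmdkey /list", "net group")
UPDATE_FAILED, PROTECTION_DISABLED = {2001, 2003}, {5001, 5010, 5012}

def find_enumeration_bursts(events, window=timedelta(minutes=15)):
    """Return the (host, user) pairs that ran all three enumeration commands within `window`."""
    by_actor = defaultdict(list)
    for ts, host, user, cmdline in sorted(events):  # ISO timestamps sort chronologically
        for marker in ENUM_MARKERS:
            if cmdline.lower().startswith(marker):
                by_actor[(host, user)].append((datetime.fromisoformat(ts), marker))
    hits = set()
    for actor, seen in by_actor.items():
        for i, (start, _) in enumerate(seen):
            if {m for t, m in seen[i:] if t - start <= window} == set(ENUM_MARKERS):
                hits.add(actor)
                break
    return hits

def find_defender_degradation(events, window=timedelta(hours=24), min_failures=2):
    """Return {host: reason} where updates keep failing or protection was switched off."""
    by_host = defaultdict(list)
    for ts, host, event_id in events:
        by_host[host].append((datetime.fromisoformat(ts), event_id))
    findings = {}
    for host, seen in by_host.items():
        fails = sorted(t for t, eid in seen if eid in UPDATE_FAILED)
        if any(eid in PROTECTION_DISABLED for _, eid in seen):
            findings[host] = "protection disabled"
        elif any(sum(t - s <= window for t in fails[i:]) >= min_failures
                 for i, s in enumerate(fails)):
            findings[host] = "repeated update failures"
    return findings
```

Feed it normalised process-creation (e.g. Security 4688 with command-line auditing) and Defender operational-log records from April 10 onward; the thresholds are starting points to tune against your own baseline.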

What This Means for Enterprise Security

The discovery of three coordinated, unpatched Defender vulnerabilities being actively exploited represents a watershed moment for Windows security. Organizations cannot rely solely on endpoint protection vendors to stay ahead of threats operating at this velocity and sophistication.

The fact that two of three exploits remain unpatched as of April 25, 2026, means systems remain vulnerable to the most damaging post-exploitation techniques. This creates an operational security nightmare: the primary defense against advanced threats is itself the attack surface.

Until Microsoft releases patches for RedSun and UnDefend, organizations must assume active compromise is possible and conduct immediate forensic analysis on any system running unpatched Defender versions since April 10.
