Three Windows Defender Zero-Days Exploited in the Wild: BlueHammer Patched, RedSun and UnDefend Still Unpatched

dark6 19 April 2026

Within a single 13-day window in April 2026, a security researcher publicly disclosed three separate zero-day exploits targeting Microsoft Windows Defender — the built-in antivirus and endpoint protection tool present on every modern Windows installation. Named BlueHammer, RedSun, and UnDefend, the trio of vulnerabilities collectively undermines one of the most fundamental layers of Windows security. Security firm Huntress confirmed on April 17 that all three exploits have been observed in live attacks in the wild, with only one patched so far.

BlueHammer (CVE-2026-33825): The First Domino Falls

On April 7, 2026, the researcher publicly disclosed CVE-2026-33825, a local privilege escalation (LPE) vulnerability rooted in a time-of-check to time-of-use (TOCTOU) race condition within Windows Defender’s threat remediation engine. The associated proof-of-concept exploit — dubbed “BlueHammer” — was released before any official fix was available, making it a true zero-day at the time of disclosure.

The flaw stems from Defender performing privileged file operations during malware cleanup without adequately validating the file path at the moment of the write operation. An unprivileged local attacker can exploit this window to redirect a file operation toward a sensitive system path, ultimately achieving SYSTEM-level code execution on fully patched Windows 10 and Windows 11 systems. The vulnerability carries a CVSS score of 7.8 (High).

Microsoft addressed CVE-2026-33825 in its April 2026 Patch Tuesday update, released April 14. However, by that date the exploit had already been circulating for a week.

RedSun: Cloud Rollback Mechanism Turned Weapon

As if one Defender zero-day were not enough, the same researcher released RedSun days later. This technique abuses Microsoft Defender’s cloud file rollback mechanism — a feature designed to restore files Defender incorrectly quarantined — to overwrite arbitrary system paths with attacker-controlled content.

RedSun achieves SYSTEM-level code execution on Windows 10, Windows 11, and Windows Server 2019 and later systems where Defender is active, with reported near-100% reliability. Unlike BlueHammer, RedSun has not yet received a patch as of April 18, 2026, leaving hundreds of millions of devices exposed. Microsoft has acknowledged the report and indicated a fix is in progress.

UnDefend: Silently Blinding Defender

The third exploit, UnDefend, takes a different approach. Rather than escalating privileges, it focuses on disabling Defender’s defenses from within. The technique silently blocks Defender’s signature update pipeline while causing the endpoint to report as healthy to management consoles — effectively freezing Defender’s threat intelligence without triggering any alerts.

UnDefend is particularly dangerous in enterprise environments where security operations teams rely on Defender’s telemetry and health dashboards. An attacker who deploys UnDefend can ensure that subsequent malware delivery — even well-known, signature-detectable malware — proceeds undetected. Like RedSun, UnDefend also remains unpatched.

Active Exploitation Confirmed

Threat intelligence firm Huntress confirmed on April 17 that all three exploits have been weaponized in live attacks. In one documented intrusion chain, a threat actor used compromised SSLVPN credentials to gain initial access to a corporate network, then immediately deployed UnDefend and RedSun on a targeted Windows device. With Defender blinded and SYSTEM privileges secured, the attacker proceeded to credential discovery and lateral movement across the network.

This attack sequence underscores a troubling trend: Defender zero-days are not merely theoretical — they are actively combined in sophisticated, multi-stage attacks to maximize persistence and evade detection.

The Researcher’s Disclosure Controversy

The researcher behind all three disclosures cited frustration with Microsoft’s Security Response Center (MSRC) as the reason for releasing the exploits publicly without waiting for coordinated patches. In a public post, the researcher alleged that MSRC had acknowledged the reports but failed to communicate timelines or commit to fixes within a reasonable window, prompting the decision to go public.

The episode has reignited debate within the security community about responsible disclosure practices and whether Microsoft’s bug bounty and vulnerability handling processes are adequate for high-severity, actively exploitable flaws.

What Organizations Should Do Now

  • Apply the April 2026 Patch Tuesday update immediately to patch CVE-2026-33825 (BlueHammer).
  • Monitor for RedSun and UnDefend indicators of compromise — check threat intelligence feeds from Huntress, Microsoft, and CrowdStrike for updated IoCs.
  • Implement network segmentation and privileged access management to limit lateral movement even if a local privilege escalation occurs.
  • Do not rely solely on Defender for endpoint protection — layer additional EDR or XDR solutions to compensate for Defender’s current blind spots.
  • Audit SSLVPN credential exposure and enforce multi-factor authentication (MFA) on all remote access points, as attackers are using stolen VPN credentials as the entry point before deploying Defender exploits.
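The UnDefend section above describes the core detection problem: the signature pipeline is frozen while the endpoint keeps reporting as healthy. The script below is an added example written for this article, not code from the article, from the researcher, or from Microsoft. It implements the defensive side of the checklist: it judges signature freshness by timestamp and by a forced update attempt rather than by the health flag a console receives, reads the standard Defender operational log (event 2000 signature updated, 2001 update failed, 5001 real-time protection disabled), and checks whether the BlueHammer fix is installed. The `MaxSignatureAgeDays` threshold is an assumed policy value, and the KB identifier is a placeholder to be filled in from Microsoft's April 2026 release notes; neither comes from the article.

```powershell
# Added example (not the article's, the researcher's or Microsoft's code).
# Cross-checks local Defender health for an UnDefend-style update freeze and
# verifies the April 2026 Patch Tuesday fix for CVE-2026-33825 (BlueHammer).
function Test-DefenderHealth {
    param(
        [int]$MaxSignatureAgeDays = 3,   # assumed policy threshold, not from the article
        # Placeholder: replace with the real KB number from Microsoft's April 2026 release notes.
        [string]$BlueHammerKb = 'KB<APRIL-2026-PATCH-TUESDAY-ID>'
    )

    $findings = [System.Collections.Generic.List[string]]::new()
    $status   = Get-MpComputerStatus

    # 1. Signature age by timestamp, ignoring whatever "healthy" state is reported upstream.
    $sigAge = (Get-Date) - $status.AntivirusSignatureLastUpdated
    if ($sigAge.TotalDays -gt $MaxSignatureAgeDays) {
        $findings.Add(('Signatures are {0:N1} days old (version {1}); update freeze suspected' -f
            $sigAge.TotalDays, $status.AntivirusSignatureVersion))
    }
    if (-not $status.RealTimeProtectionEnabled) { $findings.Add('Real-time protection is disabled') }
    if (-not $status.AMServiceEnabled)          { $findings.Add('Defender antimalware service is not enabled') }

    # 2. Update pipeline activity in the operational log. Silence (no 2000 and no 2001
    #    events at all) is as suspicious as explicit failures when updates are being blocked.
    $since  = (Get-Date).AddDays(-$MaxSignatureAgeDays)
    $events = @(Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 2000, 2001, 5001
        StartTime = $since
    } -ErrorAction SilentlyContinue)

    $updatedOk    = @($events | Where-Object Id -eq 2000).Count
    $updateFailed = @($events | Where-Object Id -eq 2001).Count
    $rtpDisabled  = @($events | Where-Object Id -eq 5001).Count
    if ($updateFailed -gt 0) { $findings.Add("$updateFailed signature update failures (event 2001) since $since") }
    if ($updatedOk -eq 0)    { $findings.Add("No successful signature update (event 2000) logged since $since") }
    if ($rtpDisabled -gt 0)  { $findings.Add("Real-time protection was disabled $rtpDisabled time(s) (event 5001) since $since") }

    # 3. Force an update and compare versions: a frozen pipeline leaves the version unchanged
    #    even though the cmdlet returns without a terminating error.
    $before = $status.AntivirusSignatureVersion
    Update-MpSignature -ErrorAction SilentlyContinue
    $after = (Get-MpComputerStatus).AntivirusSignatureVersion
    if ($after -eq $before -and $sigAge.TotalDays -gt 1) {
        $findings.Add("Forced update left signature version at $before; pipeline may be blocked")
    }

    # 4. BlueHammer (CVE-2026-33825) patch state via the installed-hotfix list.
    if (-not (Get-HotFix -Id $BlueHammerKb -ErrorAction SilentlyContinue)) {
        $findings.Add("$BlueHammerKb (April 2026 Patch Tuesday, CVE-2026-33825) is not installed")
    }

    return $findings
}

$result = Test-DefenderHealth
if ($result.Count -gt 0) {
    $result | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Output 'Defender health checks passed'
exit 0
```

Run it elevated from a scheduled task or your EDR's script runner and alert on a non-zero exit code. The useful property is that every check is independent of the health state the endpoint reports to its management console: a stale timestamp, a quiet event log, or a version that does not move after `Update-MpSignature` each stands on its own. Because UnDefend is described as operating from within Defender, treat a clean local result as one signal rather than proof, and corroborate it off-host by comparing the signature version reported here against the current version Microsoft publishes for your tenant.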

The security community is watching closely for additional disclosures and awaiting Microsoft’s patches for RedSun and UnDefend. Until then, the two remaining zero-days represent a significant and unmitigated risk for every Windows user and enterprise worldwide.
