Security researchers have uncovered a trio of critical zero-day vulnerabilities in Windows Defender — Microsoft’s built-in antivirus solution — that have been actively exploited in the wild. Dubbed BlueHammer, RedSun, and UnDefend, these flaws collectively allow unprivileged attackers to escalate their privileges to SYSTEM-level access on any affected Windows machine. While Microsoft patched one of them in the April 2026 Patch Tuesday cycle, two remain unaddressed as of publication.
What Are BlueHammer, RedSun, and UnDefend?
All three vulnerabilities stem from flaws in Windows Defender’s threat remediation logic — the component responsible for cleaning up malicious files detected on a system. The first and most publicized, CVE-2026-33825 (BlueHammer), was disclosed on April 7, 2026, alongside a fully functional proof-of-concept exploit. It was assigned a CVSS score of 7.8 (High).
CVE-2026-33825 exploits a Time-of-Check to Time-of-Use (TOCTOU) race condition in Defender’s file remediation engine. When Defender detects malicious content and initiates a cleanup, the exploit uses a batch opportunistic lock (oplock) to pause Defender’s operation at a critical moment. During this window, the attacker redirects Defender’s write operation — intended for a temporary directory — to C:\Windows\System32, a highly privileged location.
The result: arbitrary file writes with SYSTEM privileges, effectively granting full control over the operating system from any standard user account. RedSun and UnDefend, disclosed in the days following, employ similar mechanics but target slightly different code paths within the same remediation subsystem.
Active Exploitation Timeline
According to multiple threat intelligence reports, the exploitation timeline unfolded rapidly:
- April 7: BlueHammer (CVE-2026-33825) publicly disclosed with working PoC exploit code.
- April 10: First confirmed in-the-wild exploitation of BlueHammer detected.
- April 14 (Patch Tuesday): Microsoft patches CVE-2026-33825 as part of its monthly update cycle, addressing 167 total CVEs.
- April 16: RedSun and UnDefend PoC exploits observed being weaponized in real attacks.
- April 22: RedSun and UnDefend remain unpatched; no CVE numbers officially assigned yet.
Why Is This So Dangerous?
The severity of this vulnerability class goes beyond the raw CVSS score. Windows Defender is enabled by default on all modern Windows installations — from home computers to enterprise endpoints. Unlike many privilege escalation vulnerabilities that require specific configurations or pre-existing footholds, these flaws can be triggered by any local user, including low-privilege accounts created during initial access.
Furthermore, the irony is stark: the very security tool designed to protect users is being weaponized against them. Threat actors can abuse Defender’s own detection logic as a stepping stone to full system compromise.
The security researcher who discovered all three flaws noted that the root cause is a systemic design issue in how Defender handles privileged file operations during cleanup — a pattern that has apparently existed for years without scrutiny.
Who Is Being Targeted?
While initial exploitation appears opportunistic, intelligence from SOCRadar and the Cloud Security Alliance indicates that targeted attacks against corporate environments have been observed. Attackers are using BlueHammer as a post-exploitation tool after gaining initial access through phishing or supply chain compromises, rapidly escalating to SYSTEM and deploying ransomware or credential-harvesting implants.
Recommended Mitigations
Organizations should immediately take the following steps:
- Apply the April 2026 Patch Tuesday updates to address CVE-2026-33825. Microsoft’s out-of-band fixes for Windows Server should also be applied.
- Monitor for BlueHammer indicators: watch for unusual oplock usage patterns, unexpected NTFS junction point creation in temporary directories, and Defender remediation events followed by privilege changes.
- Apply least-privilege principles: limit user accounts to the minimum required permissions; while this does not prevent the exploit, it reduces the attacker’s ability to establish initial access.
- Await patches for RedSun and UnDefend: Microsoft has acknowledged both vulnerabilities and is working on fixes. Organizations should monitor Microsoft Security Response Center (MSRC) advisories closely.
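The following PowerShell hunt is an added example (my own code, not the article's or any Microsoft tooling) that turns two of the indicators above, and the junction-into-System32 redirection described in the TOCTOU section, into a check: it lists reparse points in temp directories whose target resolves under System32 and counts Defender detection/remediation events logged around each link's creation time. It assumes Defender Operational log event IDs 1116 (detection) and 1117 (action taken); the 7-day lookback, 10-minute window and directory list are my own choices.

```powershell
#Requires -RunAsAdministrator
# Added hunt script (not from the article or Microsoft). It checks two of the indicators the
# mitigation list names: reparse points in temp directories that redirect into System32, and
# Defender remediation events logged shortly before or after such a link was created.
# Assumptions: Defender Operational log IDs 1116 (detection) / 1117 (action taken) are the
# standard ones; the 7-day lookback, 10-minute window and directory list are my choices.
$Sensitive = "$env:SystemRoot\System32"
$WindowMin = 10
$TempDirs  = @("$env:SystemRoot\Temp") +
    (Get-ChildItem "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue |
        ForEach-Object { Join-Path $_.FullName 'AppData\Local\Temp' } |
        Where-Object { Test-Path $_ })

# 1. Junctions or symlinks under temp paths whose target resolves beneath System32.
$Links = foreach ($dir in $TempDirs) {
    Get-ChildItem -Path $dir -Recurse -Force -Attributes ReparsePoint -ErrorAction SilentlyContinue |
        Where-Object { $_.LinkType -in 'Junction', 'SymbolicLink' } |
        ForEach-Object {
            # Target is string[] on PowerShell 5.1 and string on 7; normalise and strip a \\?\ prefix
            $target = [string]($_.Target | Select-Object -First 1) -replace '^\\\\\?\\', ''
            if ($target -like "$Sensitive*") {
                [pscustomobject]@{
                    Path     = $_.FullName
                    LinkType = $_.LinkType
                    Target   = $target
                    Created  = $_.CreationTime
                }
            }
        }
}

# 2. Defender detection/remediation events from the last 7 days.
$Events = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1116, 1117
    StartTime = (Get-Date).AddDays(-7)
}

# 3. Flag links that appeared within the window around a remediation event: that pairing is
#    the pattern the article describes (a cleanup write redirected into a privileged directory).
$Findings = foreach ($link in $Links) {
    $near = @($Events | Where-Object {
        [math]::Abs(($_.TimeCreated - $link.Created).TotalMinutes) -le $WindowMin })
    $link | Add-Member -NotePropertyName DefenderEventsNearby -NotePropertyValue $near.Count -PassThru
}

if ($Findings) { $Findings | Sort-Object DefenderEventsNearby -Descending | Format-Table -AutoSize }
else           { Write-Output "No temp-directory links into $Sensitive found." }
```

Any link into System32 from a temp directory is worth investigating on its own; a non-zero DefenderEventsNearby count is the stronger signal that a remediation was redirected.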
Broader Implications
This triple zero-day incident underscores a growing concern in the security community: security software itself is increasingly a target for exploit research. The deeper Defender integrates into the OS — with kernel-level access in recent Windows versions — the more catastrophic a successful exploit becomes. Organizations relying solely on Defender for endpoint protection should consider layered defense strategies, including EDR solutions capable of detecting anomalous Defender behavior itself.
Microsoft has urged all Windows users to ensure automatic updates are enabled and to apply available patches without delay. Further guidance is expected from CISA, which is likely to add CVE-2026-33825 to its Known Exploited Vulnerabilities catalog in the coming days.