Three Windows Defender vulnerabilities are being actively exploited in the wild after a disgruntled researcher publicly released working proof-of-concept exploits. Two of the three remain unpatched.
What Happened
A researcher using the alias Chaotic Eclipse disclosed three zero-day vulnerabilities in Windows Defender between April 7 and April 16, 2026, after a dispute with Microsoft over its vulnerability disclosure process. The three flaws are:
BlueHammer (CVE-2026-33825) — A local privilege escalation flaw that abuses Windows Defender’s real-time protection engine. While Defender is scanning an attacker-supplied file, the exploit takes a batch opportunistic lock (oplock) to pause Defender’s file operation mid-way, inserts an NTFS junction point that redirects the write target to a privileged directory such as C:\Windows\System32, then releases the lock and lets Defender, which runs as SYSTEM, overwrite a legitimate system binary with attacker-controlled code. The result is SYSTEM-level code execution. Microsoft patched BlueHammer in its April 2026 Patch Tuesday release.
RedSun — A second local privilege escalation flaw that abuses Defender’s cloud file rollback mechanism. When Defender attempts to restore a cloud-tagged file, it fails to validate the write destination, allowing an attacker to redirect the operation to a privileged directory. RedSun remains unpatched.
UnDefend — A denial-of-service flaw capable of blocking Defender definition updates. UnDefend also remains unpatched.
Huntress Labs confirmed on April 17 that all three exploits are being used in active attacks. BlueHammer has been in the wild since April 10; RedSun and UnDefend appeared in exploitation activity beginning April 16. RedSun and UnDefend work on fully patched Windows 10, Windows 11, and Windows Server 2019 and later, so installing April’s Patch Tuesday updates closes BlueHammer but does not protect against the other two. Source: BleepingComputer
Why This Matters for Canadian Organizations
Windows is the dominant operating system across Canadian enterprise, government, healthcare, and critical infrastructure. Any local privilege escalation flaw that works on fully patched systems is a high-priority threat for Canadian security teams. Attackers who have already gained a foothold through phishing, a compromised account, or a web application exploit use exactly these kinds of post-exploitation tools to elevate to SYSTEM and move laterally through a network.
RedSun and UnDefend are especially concerning because no patch exists. Microsoft has not announced a timeline for fixes. Organizations relying on Defender as their primary endpoint protection need to treat this as an active threat. The Canadian Centre for Cyber Security (CCCS) and the Communications Security Establishment (CSE) classify privilege escalation exploits against Windows as high-priority threats given the concentration of Windows infrastructure across federal departments and provincial government networks.
The UnDefend flaw adds a second layer of risk: an attacker who disables Defender definition updates leaves an endpoint unable to detect new malware variants, creating a blind spot that persists until a human administrator notices the definition staleness.
What to Do
Apply Microsoft’s April 2026 Patch Tuesday updates immediately to address BlueHammer (CVE-2026-33825). For RedSun and UnDefend, Microsoft has not yet released patches. In the interim, security teams should prioritize reducing attacker dwell time: tighten monitoring for privilege escalation events, alert on stale Defender definitions and on failed definition updates rather than waiting for an administrator to notice, hunt for junction points in user-writable locations that resolve into the Windows directory, enforce least-privilege access, and ensure endpoint detection and response (EDR) tooling is not solely dependent on Defender definitions. Watch for Microsoft out-of-band patches, since both unpatched flaws now have working exploits in the wild.
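As an added triage script (not part of the BleepingComputer report, Huntress’s findings, or any Microsoft guidance), the following PowerShell pulls together the checks the two passages above call for on a single endpoint: definition staleness (the UnDefend blind spot), Defender’s own record of failed definition updates, and a hunt for junctions or symbolic links in user-writable paths whose target resolves inside the Windows directory, the artifact the BlueHammer and RedSun redirection technique leaves on disk. The one-day staleness threshold, the hunted roots, the recursion depth, and the use of event ID 2001 as the definition-update-failure event are assumptions to adjust for your environment. The script reports exposure and artifacts; it does not mitigate either vulnerability.

```powershell
# Added example, not from the article. Run in an elevated PowerShell session
# on a Defender-managed endpoint. All thresholds and paths are assumptions.
param(
    [int]$MaxSignatureAgeDays = 1,   # assumption: definitions older than a day count as stale
    [int]$LookbackDays        = 7,   # assumption: how far back to look for update failures
    [int]$HuntDepth           = 3    # assumption: bounded recursion so junction loops cannot hang the scan
)

# 1. UnDefend exposure: definition age and protection state as Defender reports them.
$status = Get-MpComputerStatus
$sigAge = [int]$status.AntivirusSignatureAge      # days since the last definition update
$report = [ordered]@{
    RealTimeProtectionEnabled = $status.RealTimeProtectionEnabled
    EngineVersion             = $status.AMEngineVersion
    SignatureVersion          = $status.AntivirusSignatureVersion
    SignatureLastUpdated      = $status.AntivirusSignatureLastUpdated
    SignatureAgeDays          = $sigAge
    SignaturesStale           = ($sigAge -gt $MaxSignatureAgeDays)
}

# 2. Definition update failures Defender logged itself.
# Assumption: event ID 2001 in the Defender operational log is "definition update failed";
# confirm against a known-bad host before alerting on it.
$since = (Get-Date).AddDays(-$LookbackDays)
$updateFailures = @(Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 2001
    StartTime = $since
})
$report["UpdateFailuresLast${LookbackDays}Days"] = $updateFailures.Count

# 3. Junction hunt for the redirection technique: a reparse point in a user-writable
# location whose target resolves under %SystemRoot% (e.g. C:\Windows\System32).
# Assumption: these roots cover the writable locations you care about.
$huntRoots = @("$env:SystemDrive\Users", "$env:SystemDrive\ProgramData", $env:TEMP)
$winDir    = [IO.Path]::GetFullPath($env:SystemRoot).TrimEnd('\') + '\'

$suspiciousLinks = foreach ($root in $huntRoots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    Get-ChildItem -LiteralPath $root -Directory -Force -Depth $HuntDepth `
                  -Attributes ReparsePoint -ErrorAction SilentlyContinue |
        Where-Object { $_.LinkType -in 'Junction', 'SymbolicLink' } |
        ForEach-Object {
            $link = $_
            foreach ($t in @($link.Target)) {
                if (-not $t) { continue }
                $full = try { [IO.Path]::GetFullPath($t) } catch { $null }
                if ($full -and $full.StartsWith($winDir, [StringComparison]::OrdinalIgnoreCase)) {
                    [pscustomobject]@{ Link = $link.FullName; Target = $t; LinkType = $link.LinkType }
                }
            }
        }
}
$report['LinksIntoWindowsDir'] = @($suspiciousLinks).Count

# Summary first, then the individual links worth a closer look.
[pscustomobject]$report | Format-List
if ($suspiciousLinks) { $suspiciousLinks | Format-Table -AutoSize }
```

A non-zero LinksIntoWindowsDir is not proof of exploitation (installers and developer tooling create junctions too), but a junction from a user profile or temp directory into System32 is rare enough to warrant pulling the host for investigation. Feed SignaturesStale and the update-failure count into whatever alerting you already have so that a stalled definition feed is noticed by a monitor rather than by a person.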