Microsoft Defender Zero-Day Exploits -BlueHammer & RedSun (April 2026)

Patch immediately, no workaround substitutes for the fix.

Observation Summary

Security researchers and threat monitoring teams have identified three zero‑day vulnerabilities affecting Microsoft Defender – BlueHammer, RedSun, and UnDefend that were publicly disclosed and subsequently observed being exploited in the wild during April 2026.

These vulnerabilities allow attackers to escalate privileges and weaken endpoint protection by abusing Defender’s internal remediation and update mechanisms.

Disclosure Timeline

Apr 3–7, 2026 Proof‑of‑concept (PoC) exploit code for the Microsoft Defender local privilege escalation vulnerability, later named BlueHammer, was publicly released.

Apr 10, 2026 Security vendors observed active in‑the‑wild exploitation of BlueHammer, involving interactive, hands‑on‑keyboard attacker activity during real intrusions.

Apr 14, 2026 Microsoft released a security update patching BlueHammer and assigned CVE‑2026‑33825 as part of the regular April Patch Tuesday updates.

Apr 16, 2026 Two additional Microsoft Defender zero‑day exploits. RedSun (local privilege escalation) and UnDefend (Defender update disruption) were released, with live exploitation of all three techniques confirmed the same day, indicating potential chaining.

As of late April 2026, the RedSun and UnDefend vulnerabilities remain unpatched, leaving even fully updated systems exposed to continued exploitation until Microsoft releases remediation.

Summary of The Three Zero-Days

The vulnerabilities exploit trusted Microsoft Defender processes running with SYSTEM privileges, effectively turning the endpoint protection mechanism itself into an attack vector.

• BlueHammer and RedSun both achieve local privilege escalation (LPE), through different Defender code paths, increasing attacker resiliency when one technique is patched or blocked.
• RedSun remains effective even on fully patched systems, highlighting a continued exposure window despite regular Patch Tuesday updates.
• UnDefend does not rely on privilege escalation but instead targets Defender’s update pipeline, allowing attackers to silently degrade security defenses over time.
• Attack chains observed in the wild indicate manual attacker interaction, including staged execution, privilege enumeration, and follow‑up actions consistent with post‑exploitation workflows.
• Exploit binaries have been observed originating from user‑writable directories (e.g., Downloads, Pictures), reducing the need for initial elevated permissions.
• The close release timing and functional overlap of these vulnerabilities suggest they may be used sequentially, enabling attackers to escalate privileges first and then suppress detection mechanisms.
• Defender alerting may still appear nominal in some cases, particularly with UnDefend, creating a false sense of protection while signatures and engines remain outdated.

BlueHammer (CVE‑2026‑33825)

• A local privilege escalation (LPE) vulnerability.
• Abuses a race condition in Microsoft Defender’s remediation logic.
• Allows a low‑privileged user to leverage Defender (running as SYSTEM) to overwrite protected system files.
• Result: Escalation from standard user to SYSTEM.
• Patch Status:  Patched by Microsoft in April 2026.

RedSun

• A separate local privilege escalation (LPE) vulnerability.
• Abuses Defender’s cloud‑file rewrite behavior when handling cloud‑tagged malicious files.
• During remediation, Defender may incorrectly rewrite a malicious file back to disk.
• Attackers redirect this rewrite into protected system paths, forcing Defender to restore attacker‑controlled code as SYSTEM.
• Result: Escalation from standard user to SYSTEM.
• Patch Status:  Unpatched at the time of reporting.

UnDefend

• A Defender degradation / denial‑of‑service vulnerability.
• Allows a low‑privileged user to block or disrupt Defender signature and engine updates.
• Defender may appear enabled but becomes outdated and ineffective.
• Does not provide privilege escalation, but enables stealthy persistence post‑compromise.
• Patch Status: Unpatched at the time of reporting.

Risk / Why It Matters

• Privilege Escalation: BlueHammer and RedSun enable full SYSTEM‑level compromise from a standard user account.
• Security Control Evasion: UnDefend weakens Defender, allowing malware to persist undetected.
• Chained Impact: Combined use allows attackers to first gain SYSTEM access and then degrade endpoint protection.
• Operational Risk: Fully patched systems remain exposed due to unpatched vulnerabilities (RedSun and UnDefend).
• Business Impact: Increased risk of persistence, lateral movement, credential theft, and ransomware deployment.

How to Fix & Mitigate Microsoft Defender Zero-Day Vulnerabilities

• Ensure April 2026 Microsoft Defender updates are applied to mitigate BlueHammer.
• Monitor endpoints for:
  • Defender‑initiated SYSTEM‑level process execution.
  • Defender update failures or stalled signature updates.
• Restrict execution from user‑writable directories (Downloads, Pictures, Temp).
• Enable and enforce Attack Surface Reduction (ASR) rules where possible.
• Increase alerting for Defender tampering or abnormal remediation behavior.
• Remain alert for future out‑of‑band patches addressing RedSun and UnDefend.

FAQs

Q1) What is being reported?
Three publicly disclosed and in-the-wild exploited Microsoft Defender zero-day vulnerabilities—BlueHammer, RedSun, and UnDefend—are being used to escalate privileges and/or degrade endpoint protection by abusing Defender remediation and update mechanisms.

Q2) Why do these vulnerabilities matter?
Two issues (BlueHammer and RedSun) can lead to SYSTEM-level privilege escalation from a standard user context, and one issue (UnDefend) can silently reduce Defender effectiveness by blocking/disrupting updates—together enabling compromise plus defense evasion.

Q3) Which systems are likely to be affected?
Endpoints running Microsoft Defender on Windows are the primary concern. Risk is highest where users can execute code from user-writable locations (Downloads/Temp) and where monitoring for Defender tampering/update failures is limited.

Q4) What is the patch status?
BlueHammer is reported as patched by Microsoft (April 2026 updates). RedSun and UnDefend are reported as unpatched at the time of writing—so fully patched systems may still remain exposed to those two techniques.

Q5) What are the most useful indicators to monitor right now?
Prioritize telemetry for Defender-initiated SYSTEM-level process execution, unexpected remediation activity touching protected paths, exploit execution from user-writable directories, and repeated/stalled Defender engine or signature update failures.

Q6) What immediate mitigations can reduce risk while waiting for patches?
Apply April 2026 Defender updates (for BlueHammer), restrict execution from user-writable directories, enforce Attack Surface Reduction (ASR) rules where feasible, and increase alerting for Defender tamper/update anomalies and abnormal remediation behavior.

Q7) If we suspect exploitation, what response actions should we take?
Isolate the affected endpoint(s), preserve relevant logs/telemetry, validate Defender health (engine/signature currency and update success), look for evidence of SYSTEM-level persistence or lateral movement, and remediate/rebuild per incident response procedures before returning systems to service.