REDMOND, Washington, April 18, 2026, 09:31 PDT
- Hackers used three publicly released Microsoft Defender exploit tools in at least one real intrusion.
- Microsoft has patched BlueHammer, tracked as CVE-2026-33825, but the cited reports list no fix yet for RedSun and UnDefend.
- The flaws matter because Defender runs with deep Windows privileges, turning a security tool into a path for higher access.
Hackers have used three recently disclosed Microsoft Defender flaws in real attacks, escalating concern over public exploit code that can turn a Windows security tool against the systems it is meant to protect. Huntress said its analysts saw BlueHammer, RedSun and UnDefend binaries staged in a user’s Pictures and Downloads folders after an initial compromise through a FortiGate VPN.
The timing is the problem. One flaw was fixed this week, but two others still had no patch in the cited reports, leaving administrators to rely on monitoring and containment while exploit code is already public. A zero-day is a flaw disclosed or used before a vendor has a fix ready.
The issue also lands at the center of Microsoft’s endpoint security business. Defender ships with Windows and is widely used in corporate fleets, while rivals such as CrowdStrike and Sophos published Patch Tuesday guidance on the Defender bug, a sign that the episode is now part of the broader endpoint-protection race rather than just a Microsoft patch note.
TechCrunch reported that hackers broke into at least one organization using vulnerabilities released online by a researcher known as Chaotic Eclipse, also called Nightmare-Eclipse. It said Huntress had tracked use of BlueHammer, UnDefend and RedSun, while the target and the attackers’ identity remained unclear.
BlueHammer is now tracked as CVE-2026-33825. The U.S. National Vulnerability Database describes it as an access-control weakness in Microsoft Defender that lets an authorized local attacker elevate privileges; it carries a CVSS score of 7.8, rated high.
RedSun appears more awkward for defenders. CloudSEK said the flaw lets a standard user redirect Defender’s own file-restore operation into System32, a protected Windows folder, and run attacker-controlled code as SYSTEM, the powerful Windows service account used by the operating system. CloudSEK said it confirmed the issue on Windows 11 25H2 Build 26200.8246 and said it may affect other Windows versions.
UnDefend is different. RedSun and BlueHammer are local privilege escalation flaws, meaning an attacker already on a machine can try to gain higher rights; UnDefend instead targets Defender's updates. BleepingComputer reported it can be used by a standard user to block Microsoft Defender definition updates, the frequent malware-signature updates that help antivirus tools catch new threats.
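A practitioner reading that definition updates can be blocked will want a quick way to check whether a host's signatures are actually moving. The script below is an added example, not code from the article, from Microsoft or from any of the researchers named; it uses the built-in Defender module cmdlets Get-MpComputerStatus and Update-MpSignature and the Defender operational event log. The two-day threshold is an assumption to tune to your own update cadence.

```powershell
# Added example (not from the article or Microsoft): report whether Defender's
# definitions are stale, try a manual update, and flag a host whose definitions
# stay stale even after the manual pull, which is the symptom a blocked-update
# tool would produce. Run in an elevated PowerShell session on the endpoint.

function Test-DefenderSignatureFreshness {
    param(
        [int] $MaxAgeDays = 2,      # assumed threshold; definitions normally refresh several times a day
        [int] $LookbackHours = 24   # how far back to look for update-failure events
    )

    $before = Get-MpComputerStatus
    $result = [ordered]@{
        ComputerName      = $env:COMPUTERNAME
        VersionBefore     = $before.AntivirusSignatureVersion
        LastUpdatedBefore = $before.AntivirusSignatureLastUpdated
        AgeDaysBefore     = $before.AntivirusSignatureAge
        UpdateAttempted   = $false
        UpdateError       = $null
        VersionAfter      = $null
        UpdateFailures    = 0
        Stale             = ($before.AntivirusSignatureAge -gt $MaxAgeDays)
    }

    # Event ID 2001 in the Defender operational log is logged when a definition
    # update fails; a run of these on a host that should be online is worth a look.
    $failures = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 2001
        StartTime = (Get-Date).AddHours(-$LookbackHours)
    } -ErrorAction SilentlyContinue
    $result.UpdateFailures = @($failures).Count

    if ($result.Stale) {
        $result.UpdateAttempted = $true
        try {
            Update-MpSignature -ErrorAction Stop
        } catch {
            $result.UpdateError = $_.Exception.Message
        }
        $after = Get-MpComputerStatus
        $result.VersionAfter = $after.AntivirusSignatureVersion
        # Still stale after a manual pull: treat as a blocked-update indicator,
        # not as ordinary update lag.
        $result.Stale = ($after.AntivirusSignatureAge -gt $MaxAgeDays)
    }

    return [pscustomobject]$result
}

Test-DefenderSignatureFreshness | Format-List
```

Run it fleet-wide through your management tooling and sort on Stale and UpdateFailures; a host that reports both, with a manual update that did not change the version, deserves the same triage as a disabled sensor.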
Huntress said the intrusion involved “hands-on-keyboard” activity, meaning a person appeared to be actively issuing commands rather than relying only on automated malware. The Hacker News reported that the commands included whoami /priv, cmdkey /list and net group, which attackers run after gaining access to check their privileges, stored credentials and domain group membership.
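Those three commands are ordinary administrative tools, so a single one is noise; the signal is one user running all three on one host in a short window. The script below is an added example, not Huntress's own detection or anything from the article, showing that correlation over a constructed set of process-creation records shaped like Sysmon Event ID 1 fields (TimeCreated, Host, User, CommandLine). The host names, user names and the 15-minute window are assumptions; in production you would feed it Get-WinEvent output from the Sysmon operational log or your EDR's process telemetry.

```powershell
# Added example (not from Huntress or the article): flag the post-access recon
# triad described in the report (whoami /priv, cmdkey /list, net group) when one
# user runs all three on one host inside a short window.

$ReconPatterns = @{
    'whoami_priv' = '^\s*whoami(\.exe)?\s+/priv\b'
    'cmdkey_list' = '^\s*cmdkey(\.exe)?\s+/list\b'
    'net_group'   = '^\s*net1?(\.exe)?\s+group\b'
}

function Get-ReconTriadAlerts {
    param(
        [Parameter(Mandatory)] [object[]] $Events,   # objects with TimeCreated, Host, User, CommandLine
        [int] $WindowMinutes = 15                    # assumed window; tune to your environment
    )
    $alerts = @()
    foreach ($group in ($Events | Group-Object Host, User)) {
        $hits = @{}   # pattern name -> first time it was seen for this host/user
        foreach ($e in ($group.Group | Sort-Object TimeCreated)) {
            foreach ($name in $ReconPatterns.Keys) {
                if (-not $hits.ContainsKey($name) -and $e.CommandLine -match $ReconPatterns[$name]) {
                    $hits[$name] = $e.TimeCreated
                }
            }
        }
        if ($hits.Count -eq $ReconPatterns.Count) {
            $times = @($hits.Values | Sort-Object)
            $first = $times[0]
            $last  = $times[-1]
            # Only alert when the whole triad fits inside the window; spread-out
            # use by an admin over a day should not fire.
            if (($last - $first).TotalMinutes -le $WindowMinutes) {
                $alerts += [pscustomobject]@{
                    Host     = $group.Group[0].Host
                    User     = $group.Group[0].User
                    First    = $first
                    Last     = $last
                    Commands = (($hits.Keys | Sort-Object) -join ', ')
                }
            }
        }
    }
    return $alerts
}

# Constructed sample records; the first three should alert, the fourth is a lone command.
$SampleEvents = @(
    [pscustomobject]@{ TimeCreated = [datetime]'2026-04-16T10:02:11'; Host = 'WS-0412'; User = 'CORP\jdoe';   CommandLine = 'whoami /priv' }
    [pscustomobject]@{ TimeCreated = [datetime]'2026-04-16T10:02:40'; Host = 'WS-0412'; User = 'CORP\jdoe';   CommandLine = 'cmdkey /list' }
    [pscustomobject]@{ TimeCreated = [datetime]'2026-04-16T10:03:05'; Host = 'WS-0412'; User = 'CORP\jdoe';   CommandLine = 'net group "Domain Admins" /domain' }
    [pscustomobject]@{ TimeCreated = [datetime]'2026-04-16T11:30:00'; Host = 'WS-0911'; User = 'CORP\asmith'; CommandLine = 'whoami /priv' }
)

Get-ReconTriadAlerts -Events $SampleEvents | Format-Table -AutoSize
```

The match is on the command line rather than the image name so that net1.exe, the binary net.exe hands off to, is caught as well. Pair an alert from this with the other indicator Huntress described, unknown executables staged in a user's Pictures or Downloads folder, before escalating.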
John Hammond, a Huntress researcher tracking the case, told TechCrunch the public code created “ready-made attacker tooling” and put defenders in a “race with our adversaries.” Microsoft communications director Ben Hope told the outlet the company supports “coordinated vulnerability disclosure,” the process in which researchers privately report bugs so vendors can patch before details go public.
Help Net Security said Chaotic Eclipse released BlueHammer on April 3, Microsoft pushed a fix on April 14, and RedSun and UnDefend proof-of-concept exploits were published on April 16. A proof of concept is demonstration code that shows a flaw works; once public, it can also help attackers move faster.
The risk is not only the flaws themselves. Huntress said attackers often begin with weak VPN access, and Dray Agha, senior manager of tactical response at Huntress, said “roughly 70%” of active intrusions its SOC catches begin with VPN authentication. In the Defender case, Huntress said analysts saw a compromised FortiGate VPN before the exploit tools appeared.
But exploitation still appears to require a foothold on the target machine, so the most likely near-term damage depends on how well organizations control initial access, VPN logins and local user rights. The open questions are how many systems have been hit, whether Microsoft will issue an emergency update for RedSun and UnDefend, and how quickly attackers modify the public code to evade detection.