REDMOND, Washington, April 18, 2026, 09:31 PDT
- At least one intrusion involved hackers leveraging three exploit tools for Microsoft Defender that had already been made public.
- Microsoft issued a fix for BlueHammer, listed as CVE-2026-33825. However, there’s still no patch for either RedSun or UnDefend, according to the reports.
- Those flaws are significant: Defender operates with broad Windows privileges, potentially turning a protective tool into a route for escalated access.
Three fresh Microsoft Defender vulnerabilities have already been put to work by attackers, raising alarm over public exploit code that flips a core Windows security tool into a threat itself. Huntress analysts spotted BlueHammer, RedSun, and UnDefend binaries stashed in a user’s Pictures and Downloads directories—these files appeared after the initial breach, traced back to a FortiGate VPN.
Timing’s the sticking point here. This week brought a patch for one vulnerability, yet two others mentioned in the reports remain unpatched—admins have to watch and contain threats while exploit code circulates in the wild. A zero-day means the flaw’s out—public or already used—before any vendor patch exists.
This one hits right in Microsoft’s endpoint security core. Defender comes bundled with Windows and is a staple across business devices. Now, competitors like CrowdStrike and Sophos are issuing their own Patch Tuesday notes about the Defender flaw—a shift that marks the incident as a front in the larger endpoint-protection battle, not just another Microsoft update blip.
According to TechCrunch, hackers exploited vulnerabilities published online by the researcher Chaotic Eclipse, also known as Nightmare-Eclipse, to breach at least one organization. Huntress observed active use of BlueHammer, UnDefend, and RedSun, but so far the identities of both the victim and the perpetrators haven’t been disclosed.
The U.S. National Vulnerability Database has assigned CVE-2026-33825 to BlueHammer, flagging it as a privilege escalation flaw in Microsoft Defender. According to the NVD, this access-control issue could let a local attacker with prior authorization gain elevated privileges. The CVSS rating comes in at 7.8—high.
RedSun puts defenders in a tougher spot. According to CloudSEK, the vulnerability allows an ordinary user to hijack Defender’s file-restore feature, directing it into System32—a locked-down folder in Windows. That move gives the attacker’s code SYSTEM-level privileges, the same as the core Windows service account. CloudSEK tested and verified the bug on Windows 11 25H2 Build 26200.8246, but said other Windows versions could also be exposed.
UnDefend stands apart. According to BleepingComputer, a regular user could exploit it to stop Microsoft Defender from receiving its malware-signature updates—the updates that keep antivirus protections fresh. As for RedSun and BlueHammer, both are local privilege escalation bugs, letting someone with access to a device push for elevated permissions.
According to Huntress, the breach showed signs of “hands-on-keyboard” involvement—an attacker was directly typing in commands, not just deploying automated malware. The Hacker News detailed specific commands, including whoami /priv, cmdkey /list, and net group, which let intruders inspect privileges, sift through stored credentials, and review domain groups once inside.
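The two observations above, a burst of discovery commands from one user and executables running out of a user's Pictures or Downloads folders, are the kind of signals a SOC can hunt for in process-creation telemetry. The following is an added example written for this article, not code from Huntress, The Hacker News or Microsoft. It assumes a simplified, pipe-delimited process-creation log (timestamp, user, parent image, image, command line) modelled loosely on Sysmon Event ID 1; the sample events, the user names and the file name exploit_tool.exe are all constructed for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of process-creation events (not real telemetry from the
# incident). Fields: timestamp | user | parent image | image | command line
SAMPLE_EVENTS = r"""
2026-04-16T10:02:11|CORP\jdoe|C:\Windows\System32\cmd.exe|C:\Windows\System32\whoami.exe|whoami /priv
2026-04-16T10:02:40|CORP\jdoe|C:\Windows\System32\cmd.exe|C:\Windows\System32\cmdkey.exe|cmdkey /list
2026-04-16T10:03:05|CORP\jdoe|C:\Windows\System32\cmd.exe|C:\Windows\System32\net.exe|net group "Domain Admins" /domain
2026-04-16T10:05:30|CORP\jdoe|C:\Windows\System32\cmd.exe|C:\Users\jdoe\Pictures\exploit_tool.exe|C:\Users\jdoe\Pictures\exploit_tool.exe
2026-04-16T11:40:00|CORP\asmith|C:\Windows\explorer.exe|C:\Program Files\App\app.exe|"C:\Program Files\App\app.exe"
2026-04-16T13:15:00|CORP\asmith|C:\Windows\System32\cmd.exe|C:\Windows\System32\whoami.exe|whoami /priv
"""

# The three discovery commands named in the reporting, keyed by a short label.
DISCOVERY_PATTERNS = {
    "whoami_priv": re.compile(r"\bwhoami(\.exe)?\s+/priv\b", re.I),
    "cmdkey_list": re.compile(r"\bcmdkey(\.exe)?\s+/list\b", re.I),
    "net_group": re.compile(r"\bnet1?(\.exe)?\s+group\b", re.I),
}

# An .exe whose image path sits under a user's Pictures or Downloads folder.
USER_DIR_EXE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\(pictures|downloads)\\.+\.exe$", re.I
)


def parse_events(text):
    """Parse the pipe-delimited sample format into a list of dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, parent, image, cmdline = line.split("|", 4)
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "parent": parent,
            "image": image,
            "cmdline": cmdline,
        })
    return events


def classify_discovery(cmdline):
    """Return the discovery label matching this command line, or None."""
    for label, pattern in DISCOVERY_PATTERNS.items():
        if pattern.search(cmdline):
            return label
    return None


def detect_discovery_bursts(events, window=timedelta(minutes=10), min_distinct=2):
    """Flag a user who runs at least `min_distinct` different discovery
    commands within `window`; a lone whoami is normal admin noise."""
    by_user = defaultdict(list)
    for ev in events:
        label = classify_discovery(ev["cmdline"])
        if label:
            by_user[ev["user"]].append((ev["ts"], label, ev["cmdline"]))

    alerts = []
    for user, hits in by_user.items():
        hits.sort()
        i = 0
        while i < len(hits):
            start = hits[i][0]
            burst = [h for h in hits[i:] if h[0] - start <= window]
            labels = {h[1] for h in burst}
            if len(labels) >= min_distinct:
                alerts.append({
                    "user": user,
                    "start": start,
                    "commands": sorted(labels),
                    "count": len(burst),
                })
                i += len(burst)  # skip past this burst, one alert per burst
            else:
                i += 1
    return alerts


def detect_user_dir_executables(events):
    """Flag process launches whose image lives in Pictures or Downloads."""
    return [ev for ev in events if USER_DIR_EXE.match(ev["image"])]


def analyze(text):
    """Run both detections over a log and return the findings."""
    events = parse_events(text)
    return {
        "discovery_bursts": detect_discovery_bursts(events),
        "user_dir_executables": detect_user_dir_executables(events),
    }


if __name__ == "__main__":
    findings = analyze(SAMPLE_EVENTS)
    for burst in findings["discovery_bursts"]:
        print(f"[burst] {burst['user']} at {burst['start']}: {burst['commands']}")
    for ev in findings["user_dir_executables"]:
        print(f"[user-dir exe] {ev['user']} launched {ev['image']}")
```

On the constructed sample, CORP\jdoe trips both rules (three distinct discovery commands inside three minutes, followed by an executable run from Pictures), while CORP\asmith's single whoami /priv produces nothing. The burst window and the distinct-command threshold are the tuning knobs: the point of requiring more than one distinct command in a short span is to separate an operator working a keyboard from routine scripts that happen to call whoami.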
John Hammond, a researcher at Huntress who’s been following the situation, described the public code as “ready-made attacker tooling” that kicked off a “race with our adversaries.” Microsoft communications director Ben Hope, speaking to TechCrunch, said the company is in favor of “coordinated vulnerability disclosure”—that’s when researchers alert vendors to bugs privately so patches can be rolled out before any details become public.
Chaotic Eclipse rolled out BlueHammer on April 3, according to Help Net Security. Microsoft followed with a patch on April 14. Just two days later, RedSun and UnDefend proof-of-concept exploits surfaced on April 16. A proof of concept—essentially demo code—shows a vulnerability is real, and its publication can speed up attacker activity.
There’s more at play here than just vulnerabilities. According to Huntress, attackers frequently get their start by exploiting weak VPN credentials. Dray Agha, who leads tactical response at the firm, put it bluntly: “roughly 70%” of ongoing intrusions spotted by their SOC stem from VPN authentication. In the Defender incident, Huntress analysts noticed a breached FortiGate VPN—well before any exploit tools surfaced.
Still, attackers seem to need a way onto the target machine first. So in the short run, the real risk hinges on how tightly organizations manage things like VPN credentials, initial entry points, and what users can do locally. It’s unclear how widespread the hits are, or if Microsoft plans an emergency patch for RedSun and UnDefend. Another uncertainty: how soon threat actors will tweak the public exploit code to slip past defenses.