Three Windows Defender Zero-Days: Two Unpatched and Actively Exploited (April 2026)
Introduction
Windows Defender is the default antivirus on virtually every Windows device on the planet — Windows 10, Windows 11, and Windows Server. It's free, it runs with SYSTEM privileges, and most small businesses rely on it as their sole endpoint protection layer.
In April 2026, a single security researcher turned that trust into a liability. Over the course of 13 days, three zero-day exploits targeting Microsoft Defender were released publicly. One has been patched. Two remain unpatched and are being actively exploited in the wild.
This isn't theoretical. Huntress Labs has confirmed real-world intrusions using these techniques. If your business runs Windows and relies on Defender, you need to understand what just happened and what you can do about it.
What Happened: The Disclosure Timeline
The story begins with a security researcher operating under the alias Chaotic Eclipse (also known as Nightmare-Eclipse). According to public statements and security researchers who analysed the disclosure, Chaotic Eclipse reported vulnerabilities to Microsoft's Security Response Center (MSRC) but became frustrated with the handling of the disclosure process — reportedly including a demand for a video demonstration of the exploit.
Rather than wait, the researcher published working proof-of-concept exploit code on GitHub. What followed was a rapid escalation:
- April 3–7, 2026: PoC code for BlueHammer released publicly.
- April 10, 2026: Huntress Labs observes active exploitation of BlueHammer in real customer environments.
- April 14, 2026: Microsoft patches BlueHammer (CVE-2026-33825) as part of April Patch Tuesday.
- April 16, 2026: Chaotic Eclipse releases RedSun and UnDefend, citing frustration that the BlueHammer patch was credited without addressing underlying systemic issues.
- April 16, 2026: Huntress confirms active exploitation of RedSun and UnDefend in the wild.
As of April 22, 2026, two of the three exploits have no patch and no CVE assignment.
The Three Exploits Explained
BlueHammer (CVE-2026-33825) — Patched
CVSS 7.8 | Severity: High
BlueHammer abuses a race condition in Defender's threat remediation logic. When Defender detects a file it considers malicious, it attempts to quarantine or remove it using SYSTEM-level privileges. The flaw exists because Defender validates the target file path at one moment but doesn't re-validate it when it actually performs the write operation.
The attacker places a file that triggers a Defender detection, then uses a filesystem technique called an opportunistic lock (oplock) to pause Defender at the critical moment. During this pause, the attacker redirects the file path to a protected system directory like C:\Windows\System32. When Defender resumes, it follows the redirected path and overwrites a system binary with attacker-controlled code — all with SYSTEM privileges.
Microsoft patched this in Defender Antimalware Platform update version 4.18.26030.3011, delivered through April 2026 cumulative updates.
RedSun — Unpatched
RedSun is arguably more dangerous than BlueHammer because it remains unpatched and reportedly works with near-100% reliability on fully updated Windows 10, Windows 11, and Windows Server 2019+ systems.
Instead of targeting Defender's file remediation directly, RedSun abuses Defender's handling of cloud-tagged files — file placeholders managed by the Windows Cloud Files API (used by OneDrive and other sync providers). When Defender encounters what it believes is a cloud-tagged malicious file, it attempts to roll it back to its original location as part of remediation. Critically, Defender doesn't validate whether the restoration target remains in a safe location.
The attacker creates a crafted file that appears to be cloud-tagged, triggers a Defender detection, then redirects the rollback path to C:\Windows\System32\TieringEngineService.exe. Defender restores the attacker's code as a SYSTEM binary. The attacker then triggers execution through the tiering engine, achieving full SYSTEM-level code execution from a standard user account.
Because this abuses the Cloud Files API rather than Defender's traditional file operations, it's a completely separate attack surface — and patching BlueHammer doesn't touch it.
UnDefend — Unpatched
UnDefend doesn't escalate privileges. Instead, it silently degrades Defender's ability to protect you.
This exploit targets Defender's signature and engine update pipeline. In passive mode, it blocks signature updates so Defender can't learn about new threats. In aggressive mode, it targets major Defender platform updates in an attempt to make Defender stop responding entirely.
The most insidious aspect: Defender's management console and the Windows Security app may still report the endpoint as healthy and up to date even though its threat intelligence is frozen. An attacker who compromises a system can use UnDefend to blind Defender, then operate undetected for days or weeks.
Why This Matters for Your Business
There are three reasons this should concern every organisation running Windows:
1. Defender is your first and often only line of defence
Most small and mid-sized businesses run Defender because it's built-in, free, and effective against commodity malware. These exploits prove that the security tool itself can become the attack vector. When Defender runs as SYSTEM — which it must, to do its job — any flaw in Defender is a direct path to full system compromise.
2. Two exploits remain unpatched with active exploitation
Huntress Labs confirmed on April 16 that threat actors are already using RedSun and UnDefend in real intrusions. There is no patch. There is no timeline from Microsoft. Your fully patched, up-to-date Windows systems are vulnerable right now.
3. These techniques chain together
Security analysts have observed attack patterns that suggest these exploits are being used sequentially: first gain SYSTEM access via BlueHammer or RedSun, then deploy UnDefend to suppress detection, then proceed with lateral movement, credential theft, and ransomware deployment — all while Defender reports that everything is fine.
What You Should Do Right Now
Immediate Actions (This Week)
- Apply the April 2026 Patch Tuesday updates immediately
  - This fixes BlueHammer. Open Windows Update and ensure the April cumulative update and Defender platform update 4.18.26030.3011 are installed.
- Deploy supplemental endpoint detection and response (EDR)
  - The CSA and Huntress both recommend that organisations running Defender as their sole protection deploy a second layer of EDR immediately. Defender alone cannot detect or prevent RedSun and UnDefend until Microsoft patches them.
- Restrict execution from user-writable directories
  - All observed exploit binaries originated from user-writable locations like Downloads, Pictures, and Temp. Use AppLocker or Windows Defender Application Control (WDAC) to block untrusted executables from running in these locations.
- Enable Attack Surface Reduction (ASR) rules
  - ASR rules can block many of the child-process and credential-theft behaviours that follow successful exploitation. Ensure ASR rules are in audit or block mode, not merely configured and left disabled.
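The following PowerShell script is an added example for the four actions above; it is not from the article or from any vendor it cites. It assumes a Windows 10/11 or Server host with the Defender cmdlets (Get-MpComputerStatus, Add-MpPreference, Get-MpPreference) and the AppLocker module (Set-AppLockerPolicy) available, and it uses 4.18.26030.3011 as the patched platform version because that is the number the article gives. The ASR rule GUIDs are Microsoft's documented rule IDs, chosen for the credential-theft and child-process behaviours the text mentions; confirm them against current documentation before rollout. The AppLocker policy is written in AuditOnly mode on purpose, and keeps the default allow rules, because an enforced rule collection that contains only deny rules blocks everything that is not explicitly allowed.

```powershell
#Requires -RunAsAdministrator
# Added verification/hardening script; not from the article or any vendor it cites.
# Assumes a Windows 10/11 or Server host with the Defender and AppLocker modules.
# 4.18.26030.3011 is the platform version the article names as the BlueHammer fix.
$PatchedPlatform = [version]'4.18.26030.3011'

# 1. Is the Defender platform at or above the patched version?
function Test-DefenderPlatformPatched {
    $status  = Get-MpComputerStatus
    $current = [version]$status.AMProductVersion
    [pscustomobject]@{
        PlatformVersion = $current
        EngineVersion   = $status.AMEngineVersion
        Patched         = ($current -ge $PatchedPlatform)
    }
}

# 2. ASR rules to put in block mode. GUIDs are Microsoft's documented rule IDs,
#    chosen for the child-process and credential-theft behaviours the article names.
$AsrRules = @{
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from LSASS'
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'Block Office apps from creating child processes'
    'd1e49aac-8f56-4280-b9ba-993a6d77406c' = 'Block process creations from PsExec and WMI'
    'c1db55ab-c21a-4637-bb3f-a12568109d35' = 'Use advanced protection against ransomware'
}
function Enable-AsrBlockMode {
    foreach ($id in $AsrRules.Keys) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id `
                         -AttackSurfaceReductionRules_Actions Enabled
    }
}
# Report every configured rule with its effective action, so "configured but
# disabled" (action 0) stands out from Audit (2) and Block (1).
function Get-AsrRuleState {
    $pref = Get-MpPreference
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $id = $pref.AttackSurfaceReductionRules_Ids[$i]
        $action = switch ($pref.AttackSurfaceReductionRules_Actions[$i]) {
            0 { 'Disabled' } 1 { 'Block' } 2 { 'Audit' } 6 { 'Warn' } default { 'Unknown' }
        }
        [pscustomobject]@{ RuleId = $id; Name = $AsrRules[$id]; Action = $action }
    }
}

# 3. AppLocker: deny EXE launches from user-writable folders. Starts in AuditOnly so
#    Event ID 8003 entries can be reviewed before enforcing. The default allow rules
#    are kept because an enforced collection blocks anything not explicitly allowed.
function New-PathRule([string]$Name, [string]$Path, [string]$Action, [string]$Sid = 'S-1-1-0') {
    "<FilePathRule Id=`"$([guid]::NewGuid())`" Name=`"$Name`" Description=`"`" UserOrGroupSid=`"$Sid`" Action=`"$Action`">" +
    "<Conditions><FilePathCondition Path=`"$Path`" /></Conditions></FilePathRule>"
}
function Set-UserWritableDenyPolicy {
    $rules = @(
        New-PathRule 'Allow Program Files'  '%PROGRAMFILES%\*' 'Allow'
        New-PathRule 'Allow Windows'        '%WINDIR%\*'       'Allow'
        New-PathRule 'Allow Administrators' '*'                'Allow' 'S-1-5-32-544'
        New-PathRule 'Deny Downloads'       '%OSDRIVE%\Users\*\Downloads\*'          'Deny'
        New-PathRule 'Deny Pictures'        '%OSDRIVE%\Users\*\Pictures\*'           'Deny'
        New-PathRule 'Deny user Temp'       '%OSDRIVE%\Users\*\AppData\Local\Temp\*' 'Deny'
    ) -join "`n"
    $xml  = "<AppLockerPolicy Version=`"1`"><RuleCollection Type=`"Exe`" EnforcementMode=`"AuditOnly`">$rules</RuleCollection></AppLockerPolicy>"
    $file = Join-Path $env:TEMP 'applocker-userwritable.xml'
    Set-Content -Path $file -Value $xml -Encoding UTF8
    Set-AppLockerPolicy -XmlPolicy $file -Merge
    # AppLocker only evaluates rules while the Application Identity service runs.
    sc.exe config appidsvc start= auto | Out-Null
    Start-Service -Name AppIDSvc
}

Test-DefenderPlatformPatched | Format-List
Enable-AsrBlockMode
Get-AsrRuleState | Format-Table -AutoSize
Set-UserWritableDenyPolicy
```

Run it once per endpoint (or push it through your management tooling), review the AppLocker audit events for a few days to find legitimate per-user installers that live under AppData, add allow rules for those, and only then switch EnforcementMode to Enabled.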
Monitoring and Detection (Ongoing)
- Monitor for stalled Defender updates
  - Check Windows Security → Virus & threat protection → Protection updates. If signatures haven't updated in 24+ hours, investigate immediately. UnDefend may be in play.
- Enable process creation logging with command-line auditing
  - This is essential for detecting the creation of suspicious temp directories (e.g., %TEMP%\RS-{GUID}) and the staging of files like TieringEngineService.exe in user-writable paths.
- Watch for Defender-initiated SYSTEM-level process execution
  - Normal Defender operations shouldn't spawn interactive processes or write to C:\Windows\System32 from user directories.
- Deploy Sysmon with a solid baseline configuration
  - Sysmon can capture the filesystem manipulation, junction creation, and oplock activity that precedes successful exploitation. Security teams should specifically monitor Event IDs 1 (process creation), 11 (file creation), and 12/13 (registry events).
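The script below is an added example covering the four monitoring items above; it is not from the article, Huntress, GuardSix or Microsoft. It assumes Security log process-creation auditing with command lines (which it enables) and a Sysmon install that logs file creation (Event ID 11). The path patterns follow the indicators the article names: RS-{GUID} staging directories under %TEMP% and copies of TieringEngineService.exe in user-writable folders. The exact GUID format, and the choice of MsMpEng.exe as the Defender service process whose writes into System32 are worth flagging, are assumptions of this example. The signature check reads the engine's own last-update timestamp rather than the Windows Security UI, since the article notes that UI can still report a healthy state.

```powershell
#Requires -RunAsAdministrator
# Added detection script; not from the article or any vendor it cites.
# Assumes Security log 4688 auditing with command lines (enabled below) and
# Sysmon logging file creation (Event ID 11). The GUID regex and the use of
# MsMpEng.exe as the Defender remediation process are assumptions.
$LookbackHours = 24

# Turn on 4688 auditing and include the command line in each event.
function Enable-CommandLineAuditing {
    auditpol.exe /set /subcategory:"Process Creation" /success:enable | Out-Null
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name ProcessCreationIncludeCmdLine_Enabled -Value 1 -Type DWord
}

# 1. Stalled signatures: read the real last-update timestamp from the engine
#    instead of trusting the Windows Security UI, which may still show "healthy".
function Test-SignatureFreshness {
    param([int]$MaxAgeHours = 24)
    $s   = Get-MpComputerStatus
    $age = (Get-Date) - $s.AntivirusSignatureLastUpdated
    [pscustomobject]@{
        SignatureVersion = $s.AntivirusSignatureVersion
        LastUpdated      = $s.AntivirusSignatureLastUpdated
        AgeHours         = [math]::Round($age.TotalHours, 1)
        Stale            = ($age.TotalHours -gt $MaxAgeHours)
    }
}

# Paths worth flagging: an RS-{GUID} directory, or TieringEngineService.exe
# anywhere under a user's Downloads, Pictures or local Temp.
$SuspiciousPath = [regex]::new(
    '\\RS-\{?[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?' +
    '|\\Users\\[^\\]+\\(Downloads|Pictures|AppData\\Local\\Temp)\\.*TieringEngineService\.exe',
    'IgnoreCase')

# Pull one named EventData field out of an event record.
function Get-EventDataField($Event, [string]$Name) {
    ([xml]$Event.ToXml()).Event.EventData.Data |
        Where-Object { $_.Name -eq $Name } | ForEach-Object { $_.'#text' }
}

# 2. 4688 process creations whose image or command line hits those paths.
function Find-SuspiciousProcessCreations {
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-$LookbackHours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $image = Get-EventDataField $_ 'NewProcessName'
        $cmd   = Get-EventDataField $_ 'CommandLine'
        if ($SuspiciousPath.IsMatch("$image $cmd")) {
            [pscustomobject]@{
                Time = $_.TimeCreated; Image = $image
                Parent = (Get-EventDataField $_ 'ParentProcessName'); CommandLine = $cmd
            }
        }
    }
}

# 3. Sysmon file creations: the same staging paths, plus any write into
#    System32 made by the Defender service itself, which normal remediation
#    from user directories should not produce.
function Find-SuspiciousFileCreations {
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 11
                 StartTime = (Get-Date).AddHours(-$LookbackHours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $target = Get-EventDataField $_ 'TargetFilename'
        $image  = Get-EventDataField $_ 'Image'
        $defenderIntoSystem32 = ($image -like '*\MsMpEng.exe') -and
                                ($target -like "$env:SystemRoot\System32\*")
        if ($SuspiciousPath.IsMatch($target) -or $defenderIntoSystem32) {
            [pscustomobject]@{ Time = $_.TimeCreated; Image = $image; Target = $target }
        }
    }
}

Enable-CommandLineAuditing
Test-SignatureFreshness         | Format-List
Find-SuspiciousProcessCreations | Format-Table -AutoSize
Find-SuspiciousFileCreations    | Format-Table -AutoSize
```

Schedule it (or forward the same queries to your SIEM) so that a Stale result or any row from the two Find functions raises a ticket; a stale signature set with no row from either query is still worth a manual look, since a frozen update pipeline is exactly the condition UnDefend aims for.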
Strategic (Next 30 Days)
- Review your endpoint security architecture
  - If Defender is your only protection, this is your wake-up call. Defence in depth means multiple layers. Consider Microsoft Defender for Endpoint (P2), a third-party EDR, or a managed detection and response (MDR) service.
- Test your incident response playbook
  - If an attacker gains SYSTEM and disables your antivirus, do you have detection beyond the endpoint? Network monitoring, SIEM alerts, and behavioural analytics become critical when local defences fail.
What Happens Next
Microsoft has not issued a public timeline for patching RedSun or UnDefend. The researcher who disclosed them has indicated further releases are possible if MSRC's handling of disclosure doesn't improve. The GitHub repositories containing proof-of-concept code remain publicly accessible.
For defenders, the uncomfortable reality is this: your built-in antivirus has become an attack surface, and two of the three known exploits have no fix. The only immediate protection is layered defence, aggressive monitoring, and a security architecture that doesn't assume any single tool is invulnerable.
The Bottom Line
April 2026 will be remembered as the month Windows Defender's trust model was stress-tested in public. BlueHammer was patched, but RedSun and UnDefend remain active threats. For businesses that rely on Defender as their sole endpoint protection, the message is clear: patch what you can, supplement what you can't, and monitor everything.
If you're unsure whether your endpoints are properly protected or your monitoring is catching the right signals, now is the time to find out — not after an incident.
Sources and Further Reading
- Cloud Security Alliance — Defender Triple Zero-Day: BlueHammer, RedSun, and UnDefend
- The Hacker News — Three Microsoft Defender Zero-Days Actively Exploited; Two Still Unpatched
- Huntress Labs — Nightmare-Eclipse Tooling Seen in Real-World Intrusion
- GuardSix — Detection Strategy for BlueHammer, RedSun, and UnDefend
- ProArch — Security Advisory: Microsoft Defender Zero-Day Vulnerabilities
- Microsoft MSRC — CVE-2026-33825
- State of Surveillance — One Researcher, Three Defender Zero-Days, 13 Days