Microsoft Corporation is currently managing a significant security crisis as three critical vulnerabilities in Microsoft Defender, dubbed BlueHammer, RedSun, and UnDefend, are being actively exploited in the wild. As of April 20, 2026, cybersecurity researchers from Huntress Labs and other threat intelligence firms have confirmed that attackers are weaponizing these flaws to gain administrative control over Windows systems and degrade endpoint protections.

The first vulnerability, BlueHammer, was assigned CVE-2026-33825 and addressed during the April 2026 Patch Tuesday cycle on April 14. BlueHammer is a local privilege escalation (LPE) flaw that exploits a time-of-check to time-of-use (TOCTOU) race condition within Defender’s signature update and file remediation workflow. By abusing the interaction between the Volume Shadow Copy Service (VSS), the Windows Cloud Files API, and opportunistic locks (oplocks), an attacker can redirect a Defender-initiated file rewrite to a privileged system path. This allows a low-privileged user to achieve NT AUTHORITY\SYSTEM access. Microsoft released the fix in Antimalware Platform version 4.18.26050.3011. Despite the release of a patch, telemetry indicates that thousands of unpatched enterprise systems remain vulnerable.

While BlueHammer has been partially mitigated by the recent update, the vulnerabilities known as RedSun and UnDefend remain unpatched as of April 20. RedSun is a separate LPE exploit that targets a logic error in MpSvc.dll, the core Malware Protection Engine. It abuses Defender’s behavior when handling cloud-tagged malicious files, forcing the service to overwrite protected system binaries like TieringEngineService.exe with attacker-controlled code. Security analyst Will Dormann confirmed that RedSun remains effective on fully patched Windows 10, Windows 11, and Windows Server 2022 systems, as it does not rely on a traditional memory corruption bug but rather a design-level failure in file handling.

The third exploit, UnDefend, provides a different attack vector by targeting Defender’s update pipeline. It allows a standard user to trigger a denial-of-service condition that blocks the antivirus from receiving new signature definitions. By utilizing multiple locking mechanisms on the Definition Updates staging directory, UnDefend prevents the MsMpEng.exe process from loading new protection data, effectively leaving the system blind to emerging threats. Researchers from SOCRadar noted that UnDefend can even spoof the status of the Microsoft Defender console to show a healthy state while the system is actually unprotected, a technique that complicates incident response and detection.

The public disclosure of these exploits originated in early April 2026, when a researcher using the alias Chaotic Eclipse released proof-of-concept code on GitHub. The researcher stated the leak was a protest against the Microsoft Security Response Center (MSRC) and its handling of vulnerability reports. Microsoft has issued a statement emphasizing its support for coordinated vulnerability disclosure but has not yet provided a timeline for the remaining patches. Organizations are currently advised to enforce application control policies, such as blocking unsigned executables in user-writable paths like Downloads and Pictures, to break the exploit chain.
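As an added defender-side check, not code from the article or from Microsoft, the PowerShell below turns the three items above into a host posture script: it compares the installed Antimalware Platform against the fixed build the article quotes for BlueHammer, flags stale definitions as the observable symptom of UnDefend, and verifies the signature on the binary the article names for RedSun. The 48-hour staleness threshold and the System32 location of TieringEngineService.exe are assumptions, not taken from the article.

```powershell
# Added example: host posture check for the Defender issues described above.
# Assumptions (not from the article): 48 h staleness threshold, System32 path for the target binary.
$PatchedPlatform      = [version]'4.18.26050.3011'   # fixed Antimalware Platform build quoted in the article
$MaxSignatureAgeHours = 48                           # assumption: local policy for "definitions are stale"

$status = Get-MpComputerStatus

# 1. BlueHammer (CVE-2026-33825): is the platform at or above the build that carries the fix?
$platform = [version]$status.AMProductVersion
if ($platform -lt $PatchedPlatform) {
    Write-Warning "Antimalware Platform $platform is below $PatchedPlatform; BlueHammer fix is not applied."
} else {
    Write-Output "Antimalware Platform $platform includes the BlueHammer fix."
}

# 2. UnDefend: a blocked update pipeline shows up as definitions that stop getting newer.
#    The article notes the console status can be spoofed, so a stale timestamp here is a
#    trigger for independent verification (update logs, tenant-side reporting), not proof of health.
$age = (Get-Date) - $status.AntivirusSignatureLastUpdated
if ($age.TotalHours -gt $MaxSignatureAgeHours) {
    Write-Warning ("Definitions last updated {0:g} ({1:N0} h ago, version {2}); inspect the update pipeline." -f
        $status.AntivirusSignatureLastUpdated, $age.TotalHours, $status.AntivirusSignatureVersion)
} else {
    Write-Output ("Definitions current (version {0}, updated {1:g})." -f
        $status.AntivirusSignatureVersion, $status.AntivirusSignatureLastUpdated)
}

# 3. RedSun (unpatched): confirm the system binary the article names still carries a valid
#    Microsoft signature. Catalog-signed files are covered by Get-AuthenticodeSignature on Windows.
$target = Join-Path $env:SystemRoot 'System32\TieringEngineService.exe'   # assumed location
if (Test-Path $target) {
    $sig = Get-AuthenticodeSignature -FilePath $target
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
        Write-Warning "$target signature status: $($sig.Status); signer: $($sig.SignerCertificate.Subject)"
    } else {
        Write-Output "$target signature valid; signer: $($sig.SignerCertificate.Subject)"
    }
}
```

Run it from an elevated session on each endpoint and feed the warnings into whatever ticketing or SIEM pipeline already collects Defender telemetry.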