SOCRadar® Cyber Intelligence Inc. | BlueHammer, RedSun, and UnDefend: Three Windows Defender Zero-Days Exploited in the Wild
Apr 17, 2026
Moon

BlueHammer, RedSun, and UnDefend: Three Windows Defender Zero-Days Exploited in the Wild

Three Windows Defender vulnerabilities disclosed as zero-days in April 2026 are now being actively exploited: BlueHammer, RedSun, and UnDefend.

All three vulnerabilities were published without patches as Proof-of-Concept (PoC) exploits by an anonymous security researcher protesting their treatment by Microsoft’s Security Response Center. One has since been patched; two remain open. Attackers have already used them on real targets to reach full SYSTEM-level control of compromised machines.

How Were These Zero-Days Released?

The exploits were released by an alleged researcher going by the names “Chaotic Eclipse” and “Nightmare Eclipse” in a deliberate act of protest against how Microsoft’s MSRC handled their vulnerability reports. The researcher alleges that rather than coordinating a responsible fix, Microsoft actively threatened and mistreated them.

What Did Microsoft Say?

The researcher contends that Microsoft was fully aware a public disclosure was coming (a case had been filed and then dismissed) yet did nothing. Microsoft’s official response to press inquiries was a generic statement about supporting coordinated vulnerability disclosure, which the researcher dismissed as evidence that MSRC “was fully aware of this public disclosure” and chose to remain “ignorant.”

Could More Disclosures Be Coming?

The researcher also warned that more disclosures, potentially including remote code execution vulnerabilities, could follow: “I will personally make sure that it gets funnier every single time Microsoft releases a patch.” Whether this is a credible threat or not, organizations should treat it as a signal that the situation is ongoing and unresolved.

What Are BlueHammer, RedSun, and UnDefend?

The three vulnerabilities target different aspects of Windows Defender, and together they form a potent chain: one escalates privileges, one disrupts the ability to detect new threats, and a third provides an alternative escalation path that survives the only patch released so far.

BlueHammer (CVE-2026-33825)

BlueHammer is a local privilege escalation flaw rooted in a race condition within Defender’s threat remediation engine. When Defender detects a malicious file and begins cleanup, it performs privileged file operations without validating the target path at write time. BlueHammer exploits this with an opportunistic lock (oplock) that pauses the operation mid-flight, then inserts an NTFS junction point redirecting the write from a temporary directory to C:\Windows\System32. When Defender resumes under its SYSTEM privileges, it overwrites a legitimate system binary with an attacker payload.

Details of CVE-2026-33825 – BlueHammer vulnerability (SOCRadar Vulnerability Intelligence)

The vulnerability was assigned a CVSS score of 7.8 and disclosed on April 7, 2026, prior to any official fix, making it a true zero-day at the time. Microsoft patched it as part of the April 2026 Patch Tuesday updates and tracks it as CVE-2026-33825.

RedSun

RedSun is a second local privilege escalation technique, this time abusing Defender’s cloud file rollback mechanism. The full PoC is available on GitHub. When Defender identifies a file with a cloud tag, it attempts to restore the file to its original location, but without validating where that location actually points.

The exploit triggers a detection using a crafted file, replaces it with a cloud placeholder via the Windows Cloud Files API, then uses the same combination of oplocks and NTFS junction points to redirect Defender’s privileged write to C:\Windows\System32\TieringEngineService.exe. The system then executes the attacker-planted binary as SYSTEM.

SYSTEM is achieved after running the RedSun PoC exploit, as shown on the GitHub advisory

Security expert Will Dormann has confirmed that the exploit works reliably on fully patched Windows 10, Windows 11, and Windows Server 2019 and later, specifically noting that any system with cldapi.dll is affected. RedSun remains unpatched.

UnDefend

UnDefend takes a different approach: rather than escalating privileges, it can be run by a standard (unprivileged) user to block Defender from receiving definition updates. Over time, this silently degrades the antivirus protection on a system, making it increasingly blind to new malware. UnDefend also remains unpatched.
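The symptom UnDefend is described as producing, Defender quietly ceasing to receive definition updates, is something a defender can check for directly. The following is an added example (not code from the SOCRadar post, Microsoft, or the researcher) that reads Defender’s own status through the built-in Get-MpComputerStatus cmdlet, looks for recent update-failure events in Defender’s Operational event log (event IDs 2001 and 2003), and optionally forces an update with Update-MpSignature to see whether updating still works. The age threshold and lookback window are assumptions to tune to your own update cadence.

```powershell
# Added example: detect a Defender instance that has stopped receiving definition updates.
# Not from the post; uses only the built-in Defender module and the Windows event log.
function Test-DefenderUpdateHealth {
    param(
        [int]$MaxSignatureAgeDays = 2,    # assumption: definitions older than this are stale
        [int]$LookbackHours = 24,         # assumption: window for counting update failures
        [switch]$TryUpdate                # force an update first; a failure here is the clearest signal
    )
    $findings = New-Object System.Collections.Generic.List[string]

    if ($TryUpdate) {
        try {
            Update-MpSignature -ErrorAction Stop
        } catch {
            $findings.Add("Forced signature update failed: $($_.Exception.Message)")
        }
    }

    $status = Get-MpComputerStatus

    if (-not $status.AntivirusEnabled)          { $findings.Add('Antivirus engine is disabled') }
    if (-not $status.RealTimeProtectionEnabled) { $findings.Add('Real-time protection is disabled') }
    if ($status.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
        $findings.Add(('Antivirus signatures are {0} day(s) old (version {1}, last updated {2})' -f $status.AntivirusSignatureAge, $status.AntivirusSignatureVersion, $status.AntivirusSignatureLastUpdated))
    }

    # Defender writes 2001 (definition update failed) and 2003 (engine update failed)
    # to its Operational channel; repeated failures are a stronger signal than age alone.
    $since = (Get-Date).AddHours(-$LookbackHours)
    $failures = @(Get-WinEvent -FilterHashtable @{
            LogName   = 'Microsoft-Windows-Windows Defender/Operational'
            Id        = 2001, 2003
            StartTime = $since
        } -ErrorAction SilentlyContinue)
    if ($failures.Count -gt 0) {
        $findings.Add(('{0} definition/engine update failure event(s) in the last {1}h' -f $failures.Count, $LookbackHours))
    }

    [PSCustomObject]@{
        ComputerName     = $env:COMPUTERNAME
        SignatureVersion = $status.AntivirusSignatureVersion
        SignatureAgeDays = $status.AntivirusSignatureAge
        LastUpdated      = $status.AntivirusSignatureLastUpdated
        Healthy          = ($findings.Count -eq 0)
        Findings         = $findings.ToArray()
    }
}

# Run locally; for a fleet, wrap the call in Invoke-Command against your hosts.
Test-DefenderUpdateHealth -TryUpdate | Format-List
```

A host where the forced update fails, or where signature age keeps climbing while peers update normally, is worth pulling aside for investigation rather than simply re-triggering updates, since the page describes the blocking as something a standard user can set up.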

Strengthen Visibility With SOCRadar Before Exploits Spread Further

Cases like this show how quickly public exploit details can turn into real attack activity. SOCRadar Cyber Threat Intelligence helps defenders follow exploit availability, attacker interest, and technical developments around newly disclosed vulnerabilities. At the same time, Attack Surface Management helps security teams understand which exposed systems, remote access points, or overlooked assets may increase risk in practice.

Track the latest CVEs & exploits with SOCRadar’s Vulnerability Intelligence

For organizations concerned about post-compromise activity, Dark Web Monitoring can add another layer of awareness by surfacing leaked credentials or suspicious underground mentions tied to their environment.

How Does the RedSun Exploit Work Technically?

Windows Defender is supposed to neutralize threats, but its cloud file handling logic contains a behavior that effectively lets an attacker weaponize the antivirus against the operating system itself.

The RedSun exploit takes advantage of a counterintuitive quirk in Windows Defender: when it detects a malicious file marked with a cloud tag, it accidentally saves it right back where it found it. Attackers can abuse this automatic restore function to overwrite critical Windows files and take over the system. “The PoC abuses this behaviour to overwrite system files and gain administrative privileges,” says the alleged researcher.

Step-by-Step Exploit Chain

The RedSun exploit proceeds through the following stages:

  1. Drops a file that triggers a Defender detection.
  2. Replaces the file with a cloud placeholder using the Cloud Files API, writing an EICAR test string to signal it as “cloud-backed.”
  3. Sets up an oplock to pause execution at the moment Defender begins its rollback.
  4. During the pause, inserts an NTFS directory junction redirecting the write path toward C:\Windows\System32\TieringEngineService.exe.
  5. Releases the oplock, causing Defender to follow the junction and overwrite the legitimate binary with the attacker’s payload, running the write under its own SYSTEM-level privileges.
  6. The Cloud Files Infrastructure then executes the planted binary as SYSTEM.
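Both RedSun (as described above) and BlueHammer end the same way: Defender, running as SYSTEM, overwrites a binary under C:\Windows\System32 with attacker content. The following is an added example, not code from the post or from the PoC, that checks whether the binaries these chains aim at are still Microsoft-signed using the built-in Get-AuthenticodeSignature cmdlet. The default path is the file the post names for RedSun; pass others with -Paths. Many OS binaries are catalog-signed rather than carrying an embedded signature; on those, Get-AuthenticodeSignature resolves the catalog and sets IsOSBinary. The 7-day “recently modified” window is an assumption for triage only.

```powershell
# Added example: verify that targeted System32 binaries still carry a valid Microsoft signature.
# Not from the post; uses only built-in cmdlets.
function Test-System32BinaryIntegrity {
    param(
        [string[]]$Paths = @("$env:SystemRoot\System32\TieringEngineService.exe"),
        [int]$RecentDays = 7   # assumption: writes newer than this are flagged for triage, not as proof
    )
    foreach ($path in $Paths) {
        if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
            [PSCustomObject]@{
                Path = $path; SignatureStatus = 'Missing'; Signer = $null; IsOSBinary = $false
                LastWrite = $null; RecentlyModified = $false; Suspicious = $true
            }
            continue
        }
        $item   = Get-Item -LiteralPath $path
        $sig    = Get-AuthenticodeSignature -FilePath $path
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

        # A replaced binary shows up as NotSigned, HashMismatch, or a valid signature
        # from a signer other than Microsoft.
        $microsoftSigned = ($sig.Status -eq 'Valid') -and ($signer -like '*O=Microsoft Corporation*')

        [PSCustomObject]@{
            Path             = $path
            SignatureStatus  = $sig.Status
            Signer           = $signer
            IsOSBinary       = $sig.IsOSBinary
            LastWrite        = $item.LastWriteTime
            RecentlyModified = ($item.LastWriteTime -gt (Get-Date).AddDays(-$RecentDays))
            Suspicious       = -not $microsoftSigned
        }
    }
}

# Check the RedSun target plus a few service binaries you consider critical.
Test-System32BinaryIntegrity -Paths @(
    "$env:SystemRoot\System32\TieringEngineService.exe",
    "$env:SystemRoot\System32\svchost.exe",
    "$env:SystemRoot\System32\services.exe"
) | Format-Table -AutoSize
```

A row marked Suspicious is the finding to escalate; RecentlyModified on its own is only a triage hint, since Windows Update legitimately rewrites these files. Confirm a missing file against a known-good build of the same SKU before treating it as evidence, and use sfc /verifyonly for a broader system-file sweep.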

Can the Exploit Be Detected by Antivirus?

Dormann noted that some antivirus vendors were initially detecting the PoC on VirusTotal because the executable contained an embedded EICAR test string. He demonstrated that encrypting the EICAR string within the binary substantially reduced detection rates, illustrating how easy it is to evade static analysis of the exploit itself.

Post by Will Dormann on Mastodon

Are These Exploits Being Used in Real Attacks?

Yes. Huntress Labs confirmed that all three exploits have been observed in real-world attacks. BlueHammer has been in active use since at least April 10, 2026. UnDefend and RedSun were both found on a Windows device that had been compromised via a hijacked SSLVPN user account.

What Does the Attack Pattern Look Like?

Instead of relying on automated malware, the attackers were actively typing commands to explore the compromised network. Huntress observed them manually running standard system checks, including whoami /priv, cmdkey /list, and net group. To stop the attack in its tracks, Huntress isolated the affected organization from the network.

Which Systems Are Affected?

The affected scope for RedSun and UnDefend is broad: Windows 10 (all supported versions), Windows 11 (all supported versions), and Windows Server 2016 through 2025, provided Windows Defender is enabled — which it is by default on virtually every installation. Any system with cldapi.dll present is potentially vulnerable to RedSun.

| Vulnerability | Patched? | Affected Systems |
| --- | --- | --- |
| BlueHammer (CVE-2026-33825) | April 2026 Patch Tuesday | Windows 10, 11, Server 2016-2025 |
| RedSun | No patch | Windows 10, 11, Server 2019+ (requires cldapi.dll) |
| UnDefend | No patch | Windows 10, 11, Server (standard user) |

How to Protect Your Systems

Immediate Actions

  • Apply the April 2026 Patch Tuesday updates immediately to address BlueHammer (CVE-2026-33825).
  • Monitor for signs of privilege escalation attempts, particularly sequences involving whoami, cmdkey, and network enumeration commands.
  • Treat any SSLVPN or remote access credential compromise as a high-severity incident, given that these exploits trivially convert a foothold into full SYSTEM access.
  • Watch for security vendor advisories, as patches for RedSun and UnDefend may arrive out-of-band.
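The monitoring item above, and the hands-on-keyboard pattern Huntress observed (whoami /priv, cmdkey /list, net group), can be turned into a simple correlation rule. The following is an added example, not code from the post or from Huntress, that groups process-creation records by host and user and raises one alert when two or more distinct enumeration commands appear inside a short window. The sample records are constructed; the helper at the end maps real Security event 4688 records onto the same shape, which requires the “Include command line in process creation events” policy to be enabled. Window size and the minimum number of distinct commands are assumptions to tune.

```powershell
# Added example: correlate enumeration commands per host/user over a sliding time window.
# Not from the post or Huntress; sample events below are constructed.
$EnumerationPatterns = @(
    @{ Name = 'whoami-priv'; Regex = '\bwhoami(\.exe)?\s+/priv\b' },
    @{ Name = 'cmdkey-list'; Regex = '\bcmdkey(\.exe)?\s+/list\b' },
    @{ Name = 'net-group';   Regex = '\bnet1?(\.exe)?\s+group\b' }
)

function Find-EnumerationSequences {
    param(
        [Parameter(Mandatory)] [object[]]$Events,   # records with TimeCreated, Computer, User, CommandLine
        [int]$WindowMinutes = 10,                   # assumption
        [int]$MinDistinctCommands = 2               # assumption
    )
    $alerts = @()
    $groups = $Events | Sort-Object TimeCreated | Group-Object -Property Computer, User
    foreach ($group in $groups) {
        # Keep only the records that match one of the enumeration patterns (time-ordered).
        $hits = @(foreach ($e in $group.Group) {
            foreach ($p in $EnumerationPatterns) {
                if ($e.CommandLine -match $p.Regex) {
                    [PSCustomObject]@{ Time = $e.TimeCreated; Name = $p.Name; CommandLine = $e.CommandLine }
                }
            }
        })
        # Slide a window from each hit; alert once per host/user on the first window that qualifies.
        for ($i = 0; $i -lt $hits.Count; $i++) {
            $start  = $hits[$i].Time
            $end    = $start.AddMinutes($WindowMinutes)
            $window = @($hits | Where-Object { $_.Time -ge $start -and $_.Time -le $end })
            $distinct = @($window | Select-Object -ExpandProperty Name -Unique)
            if ($distinct.Count -ge $MinDistinctCommands) {
                $alerts += [PSCustomObject]@{
                    Computer     = $group.Group[0].Computer
                    User         = $group.Group[0].User
                    FirstSeen    = $start
                    LastSeen     = $window[-1].Time
                    Commands     = ($distinct -join ', ')
                    CommandLines = @($window | Select-Object -ExpandProperty CommandLine)
                }
                break
            }
        }
    }
    return $alerts
}

function ConvertFrom-ProcessCreationEvent {
    # Maps a Security 4688 event onto the record shape Find-EnumerationSequences expects.
    param([Parameter(Mandatory, ValueFromPipeline)] $Event)
    process {
        $data = @{}
        foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [PSCustomObject]@{
            TimeCreated = $Event.TimeCreated
            Computer    = $Event.MachineName
            User        = $data['SubjectUserName']
            CommandLine = $data['CommandLine']
        }
    }
}

# Constructed sample: one host shows the full sequence within minutes, another a lone check.
$SampleEvents = @(
    [PSCustomObject]@{ TimeCreated = [datetime]'2026-04-12T03:14:05'; Computer = 'HOST-A'; User = 'vpnuser'; CommandLine = 'whoami  /priv' },
    [PSCustomObject]@{ TimeCreated = [datetime]'2026-04-12T03:14:40'; Computer = 'HOST-A'; User = 'vpnuser'; CommandLine = 'cmdkey /list' },
    [PSCustomObject]@{ TimeCreated = [datetime]'2026-04-12T03:16:02'; Computer = 'HOST-A'; User = 'vpnuser'; CommandLine = 'net group "Domain Admins" /domain' },
    [PSCustomObject]@{ TimeCreated = [datetime]'2026-04-12T09:00:00'; Computer = 'HOST-B'; User = 'alice';   CommandLine = 'whoami /priv' }
)
Find-EnumerationSequences -Events $SampleEvents | Format-List

# Against live data (last 24 hours of process creation on this host):
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddDays(-1) } |
#     ConvertFrom-ProcessCreationEvent | ForEach-Object { $_ } | Set-Variable live
# Find-EnumerationSequences -Events $live
```

On the sample data only HOST-A/vpnuser produces an alert (three distinct commands inside two minutes); the single whoami /priv on HOST-B does not. The rule is deliberately noisy-by-design for administrators who run these commands routinely, so scope it to accounts and hosts where interactive enumeration is unexpected, such as service or VPN accounts.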

Understanding the Broader Risk

Researchers note that the three exploits are best understood as a chain rather than isolated issues: BlueHammer or RedSun to gain SYSTEM, UnDefend to quietly degrade Defender’s detection over time. Together, this combination allows an attacker to entrench themselves while the host’s defenses gradually go blind, making early detection and isolation critical.