Ongoing Exploitation Campaigns Highlight Serious Risks in Endpoint Protection and Privilege Escalation Defenses

Security researchers have identified three actively exploited zero-day vulnerabilities affecting Microsoft Defender, raising serious concerns for endpoint security.

These vulnerabilities—named BlueHammer, RedSun, and UnDefend—are already being used by threat actors in real-world attacks.

While one flaw has been patched, two vulnerabilities remain unaddressed, leaving systems exposed to continued exploitation.

VULNERABILITY OVERVIEW

Key Zero-Day Flaws

  • BlueHammer (CVE-2026-33825)
    • Type: Local Privilege Escalation (LPE)
    • Status: Patched
    • Risk: Allows attackers to gain elevated system privileges
  • RedSun
    • Type: Local Privilege Escalation (LPE)
    • Status: Unpatched
    • Risk: Enables privilege escalation after initial access
  • UnDefend
    • Type: Denial-of-Service (DoS)
    • Status: Unpatched
    • Risk: Blocks Defender updates, weakening security posture

ACTIVE EXPLOITATION

Real-World Attack Activity

Security researchers observed that all three vulnerabilities are already being exploited in the wild:

  • BlueHammer exploitation began around April 10, 2026
  • RedSun and UnDefend followed shortly after, with proof-of-concept (PoC) code observed in use

Attackers are leveraging these flaws during post-compromise phases to strengthen their control over infected systems.

ATTACK BEHAVIOR

Indicators of Hands-On-Keyboard Activity

Observed attack patterns include execution of common reconnaissance and privilege-check commands such as:

  • whoami /priv
  • cmdkey /list
  • net group

These commands indicate that attackers already have initial access and are actively escalating privileges and exploring the environment.

WHY THIS IS CRITICAL

Endpoint Security Being Turned Against Itself

These vulnerabilities directly affect a core security tool, which makes the risk significantly higher.

As a result, attackers can:

  • Escalate privileges within the system
  • Disable or weaken security protections
  • Maintain persistence without detection

Patch Gap Increases Exposure

Although BlueHammer has been patched, the lack of fixes for RedSun and UnDefend creates a dangerous window of opportunity.

Therefore, organizations remain vulnerable even if they apply the latest updates.

POTENTIAL IMPACT

  • Privilege Escalation: Full administrative control of systems
  • Defense Evasion: Blocking antivirus updates and protections
  • Post-Exploitation Expansion: Easier lateral movement across networks

RECOMMENDED ACTIONS

Immediate Security Measures

  • Apply the latest updates addressing CVE-2026-33825
  • Monitor systems for unusual privilege escalation activity
  • Detect execution of reconnaissance commands
  • Restrict administrative privileges wherever possible

Detection & Monitoring

  • Watch for abnormal Defender behavior (e.g., update failures)
  • Monitor command-line activity linked to privilege enumeration
  • Use EDR/XDR tools to identify suspicious post-exploitation actions
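As an added example (not code from the advisory or from Microsoft), the following Python script applies the detection guidance above, correlating the reconnaissance commands from the attack-behavior section with the command-line monitoring item here, over constructed sample process-creation telemetry. The log layout, the 10-minute window and the two-command threshold are assumptions, not values from the advisory.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Reconnaissance / privilege-check commands named in the advisory, keyed by a label.
RECON = {
    "whoami_priv": re.compile(r"\bwhoami(\.exe)?\s+/priv\b", re.I),
    "cmdkey_list": re.compile(r"\bcmdkey(\.exe)?\s+/list\b", re.I),
    "net_group":   re.compile(r"\bnet1?(\.exe)?\s+group\b", re.I),
}
WINDOW = timedelta(minutes=10)  # assumed correlation window; tune to your environment
# Constructed sample telemetry in a "timestamp|host|user|command_line" layout (an assumption).
SAMPLE_LOG = """\
2026-04-10T09:01:12|WS01|alice|C:\\Windows\\System32\\whoami.exe /priv
2026-04-10T09:02:40|WS01|alice|cmdkey /list
2026-04-10T09:03:05|WS01|alice|net group "Domain Admins" /domain
2026-04-10T11:30:00|WS02|bob|net group
2026-04-10T09:15:00|WS03|svc|C:\\Program Files\\App\\app.exe --version
"""

def classify(cmd):
    """Return the set of recon labels whose pattern matches this command line."""
    return {label for label, rx in RECON.items() if rx.search(cmd)}

def find_recon_clusters(log_text, window=WINDOW, min_distinct=2):
    """Return {host: sorted labels} where >= min_distinct distinct recon commands ran within window."""
    per_host = defaultdict(list)
    for line in filter(None, log_text.splitlines()):
        ts, host, _user, cmd = line.split("|", 3)
        hits = classify(cmd)
        if hits:  # keep only lines that match a recon command
            per_host[host].append((datetime.fromisoformat(ts), hits))
    alerts = {}
    for host, events in per_host.items():
        events.sort(key=lambda e: e[0])
        for i, (start, _) in enumerate(events):  # slide a window from each event
            seen = set()
            for ts, hits in events[i:]:
                if ts - start > window:
                    break
                seen |= hits
            if len(seen) >= min_distinct:  # a lone "net group" alone does not alert
                alerts[host] = sorted(seen)
                break
    return alerts

if __name__ == "__main__":
    for host, labels in find_recon_clusters(SAMPLE_LOG).items():
        print(f"ALERT {host}: recon cluster {labels}")
```

Feeding real 4688 or Sysmon process-creation events into the same layout lets the cluster rule fire on the hands-on-keyboard sequence rather than on any single command.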

KEY TAKEAWAY

These vulnerabilities demonstrate a critical shift in attacker strategy:

➡️ Instead of bypassing security tools, attackers are exploiting them directly

With active exploitation already underway and incomplete patch coverage, organizations must rely on continuous monitoring and layered defenses to reduce risk.