20 April 2026 Critical Vulnerabilities

Two Windows Defender Zero-Days Still Unpatched as Attackers Exploit All Three

Three critical vulnerabilities in Windows Defender — codenamed BlueHammer, RedSun, and UnDefend — have all been confirmed in active exploitation since at least 10 April 2026. Microsoft has patched only one of them. As two flaws remain unaddressed, Australian organisations running fully updated Windows systems are still exposed right now.

Disclosure: This post contains affiliate links. We only recommend tools we've researched and trust. If you purchase through our links, we may earn a commission at no extra cost to you.

What Are the Three Windows Defender Zero-Days?

On 17 April 2026, threat researchers at Help Net Security and Huntress Labs confirmed that three distinct zero-day vulnerabilities affecting Microsoft Defender were being actively exploited across corporate networks. All three were publicly disclosed by a security researcher operating under the aliases "Chaotic Eclipse" and "Nightmare Eclipse" — more on their motivation later. Together, the trio represent a uniquely dangerous combination: one allows attackers to gain full SYSTEM privileges on a local machine, a second does the same through a different code path, and the third silently cripples the very antivirus protection meant to detect them.

BlueHammer (CVE-2026-33825) — Patched

BlueHammer is a local privilege escalation vulnerability rooted in a race condition inside Defender's threat remediation engine. When Defender detects and begins cleaning up a malicious file, it performs privileged file operations without validating the target path at the moment of writing. An attacker can exploit this with an opportunistic lock (oplock) that pauses the remediation operation mid-flight, then inserts an NTFS junction point redirecting the write to C:\Windows\System32. When Defender resumes — still running under SYSTEM privileges — it overwrites a legitimate system binary with an attacker-controlled payload.

BlueHammer has been exploited in the wild since at least 10 April 2026. Microsoft addressed it as part of this month's Patch Tuesday release, so any system that has applied April 2026 updates is protected against this specific variant. If you have not yet applied this month's patches, do so immediately.

RedSun — Unpatched

RedSun is a second local privilege escalation flaw, and as of today it remains without a patch from Microsoft. It exploits the interaction between several legitimate Windows subsystems: the Cloud Files API, opportunistic file locks, Volume Shadow Copy coordination, and directory junctions. By combining these features in a specific sequence, an attacker can cause Defender — again operating with SYSTEM privileges — to overwrite protected system files with attacker-controlled code.

What makes RedSun particularly alarming is that it works on fully patched Windows systems, even those that have applied every available update including BlueHammer's fix. There is currently no official remediation available from Microsoft.

UnDefend — Unpatched

UnDefend targets Defender's update mechanism rather than its remediation engine. A local user — even one with standard or low-level access — can abuse this flaw to block or disrupt Defender's ability to download and apply new malware definition updates. The practical effect is that the antivirus protection on affected systems gradually becomes stale, reducing its ability to detect new malware and leaving a growing detection gap that attackers can exploit.

Huntress Labs confirmed UnDefend in active use on a compromised Windows device where attackers had gained an initial foothold via a hijacked SSL VPN user account. UnDefend also remains unpatched.
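The "growing detection gap" UnDefend creates has a simple observable: a host whose definitions stop advancing while the rest of the fleet keeps updating. The script below is an added example, not code from this article, Huntress Labs or Microsoft. It assumes an inventory export with one row per host carrying the time Defender last applied a definition update (for instance the AntivirusSignatureLastUpdated value from Get-MpComputerStatus, normalised to UTC ISO 8601 by whatever collector you use); the host names and timestamps are constructed. It goes a step beyond a plain age threshold by also comparing each host against the fleet median, so a single host silently falling behind is flagged while a fleet-wide delay caused by an upstream outage is not.

```python
"""Fleet check for stale Microsoft Defender security intelligence (definitions).

Added example, not code from the article, Huntress Labs or Microsoft. Assumes an
inventory export with one row per host giving the time Defender last applied a
definition update (e.g. AntivirusSignatureLastUpdated from Get-MpComputerStatus,
normalised to UTC ISO 8601 by the collector). All rows below are constructed.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample export: host name and last successful definition update (UTC).
SAMPLE_EXPORT = """\
host,antivirus_signature_last_updated
WS-ACCT-01,2026-04-20T06:10:00Z
WS-ACCT-02,2026-04-20T06:12:00Z
WS-SALES-07,2026-04-11T03:40:00Z
SRV-FILE-01,2026-04-20T05:58:00Z
WS-ENG-03,2026-04-19T22:30:00Z
"""

# Fixed reference time so the sample gives reproducible results.
NOW = datetime(2026, 4, 20, 9, 0, tzinfo=timezone.utc)


def parse_export(text):
    """Return {host: last_updated} from the CSV export (header row skipped)."""
    rows = {}
    for line in text.strip().splitlines()[1:]:
        host, stamp = line.split(",", 1)
        rows[host.strip()] = datetime.fromisoformat(stamp.strip().replace("Z", "+00:00"))
    return rows


def find_stale_hosts(last_updated, now=NOW, max_age=timedelta(days=3),
                     lag_vs_fleet=timedelta(days=2)):
    """Flag hosts whose definitions look stale. Two tests, because each alone misfires:

    * absolute: definitions older than max_age (Microsoft ships several updates
      a day, so multi-day age is abnormal on a connected host);
    * relative: the host trails the fleet's median update time by more than
      lag_vs_fleet. This catches one host quietly falling behind while its
      peers keep updating, the shape a local update-blocking attack produces,
      and stays quiet during a fleet-wide delay caused by an upstream outage.

    Returns a sorted list of (host, age_in_days, reason).
    """
    if not last_updated:
        return []
    ordered = sorted(last_updated.values())
    fleet_reference = ordered[len(ordered) // 2]      # median update time
    flagged = []
    for host, stamp in last_updated.items():
        age = now - stamp
        lag = fleet_reference - stamp
        reasons = []
        if age > max_age:
            reasons.append("older than %d days" % max_age.days)
        if lag > lag_vs_fleet:
            reasons.append("lags fleet median by %.1f days" % (lag.total_seconds() / 86400))
        if reasons:
            flagged.append((host, round(age.total_seconds() / 86400, 1), "; ".join(reasons)))
    return sorted(flagged)


if __name__ == "__main__":
    for host, age_days, reason in find_stale_hosts(parse_export(SAMPLE_EXPORT)):
        print(f"{host}: definitions {age_days} days old ({reason})")
```

On the constructed sample only WS-SALES-07 is reported: its definitions are about nine days old and nine days behind the rest of the fleet, which is exactly the pattern an update-blocking flaw on one endpoint would leave. Run the check daily from the inventory you already collect and treat a host that trips the relative test as a candidate for the wider investigation the article describes, not just a re-run of the updater.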

How Attackers Are Chaining These Vulnerabilities

The real-world attack sequence Huntress Labs documented is instructive. Adversaries first gained network access through a compromised SSL VPN account — almost certainly obtained via credential theft or phishing. Once inside, they moved to a Windows endpoint and ran a series of reconnaissance commands: whoami /priv to enumerate privilege levels, cmdkey /list to discover cached credentials, and net group to map out Active Directory group memberships.

From there, they deployed UnDefend to weaken Defender's detection capability before executing the privilege escalation chain. By the time the compromise was detected, the attackers had lateral movement opportunities throughout the network.

This attack chain highlights a crucial lesson: VPN credentials are the front door to your network. When those credentials are weak, reused, or not protected by multi-factor authentication, an entire enterprise can be at risk. Using a reputable VPN service with strong encryption and a strict no-logs policy — such as NordVPN — adds a meaningful layer of protection for remote workers and small teams, ensuring that traffic is encrypted and that your connection point to the internet is not itself a liability.

Equally important is eliminating the credential theft vector entirely. The cmdkey /list discovery step in these attacks only yields results when employees store passwords locally or reuse credentials across services. A dedicated password manager like NordPass keeps credentials in an encrypted vault — removing cached passwords from individual machines and making lateral movement through credential harvesting significantly harder.

Why This Is Especially Serious for Australian Organisations

Australia's cybersecurity posture has been under sustained pressure in 2026. The Australian Signals Directorate (ASD) and the Australian Cyber Security Centre (ACSC) have both noted an increase in targeted intrusions against enterprise Windows environments, with threat actors specifically seeking to escalate privileges and establish persistence before deploying ransomware or exfiltrating data.

The Defender zero-days are dangerous in this context for a specific reason: Defender is the default antivirus and endpoint protection tool on every Windows installation. Unlike third-party security products that require separate procurement and configuration, Defender is present on virtually every Australian business workstation and server running Windows. That ubiquity is usually a strength — but when Defender itself is the attack surface, no Windows machine is inherently safer than any other.

Mid-sized Australian businesses, many of which rely heavily on Windows desktops and do not have dedicated endpoint detection and response (EDR) tools beyond Defender, face the greatest immediate risk. A successful UnDefend attack against their fleet could quietly disarm their primary defence layer without triggering any alert.

The Researcher Behind the Disclosures

All three vulnerabilities were discovered and publicly released by a researcher going by "Chaotic Eclipse" (later also "Nightmare Eclipse"). The circumstances of the disclosure are noteworthy: the researcher alleges that after reporting the vulnerabilities to Microsoft's Security Response Center (MSRC) through responsible disclosure channels, Microsoft actively threatened and mistreated them rather than coordinating a timely fix.

In protest, the researcher chose to release proof-of-concept exploit code publicly — a decision that immediately handed working exploits for unpatched flaws to active threat actors. This approach, sometimes called "full disclosure" or "protest disclosure," is controversial in the security community. Regardless of the researcher's motivations, the practical outcome is that two critical Defender vulnerabilities are now in the hands of adversaries with no patch available from Microsoft.

The situation underscores a systemic problem in coordinated vulnerability disclosure: when large vendors are slow or hostile in their handling of researcher reports, the incentive to follow responsible disclosure processes erodes. The victims, ultimately, are the users and organisations that depend on the affected software.

What Australian Businesses and Home Users Should Do Right Now

With two of the three flaws still unpatched, there is no single silver-bullet fix. However, a layered approach can substantially reduce your exposure.

1. Apply April 2026 Patch Tuesday Updates Immediately

BlueHammer (CVE-2026-33825) is patched in the April 2026 cumulative update. If you have not already applied it, do so now via Windows Update or your enterprise patch management system. This does not address RedSun or UnDefend, but removing one of the three active exploits from your attack surface is meaningful progress.

2. Enable and Enforce MFA on All VPN and Remote Access Points

The attack chain Huntress Labs observed began with a compromised VPN credential. Multi-factor authentication on every remote access point would have broken this chain before it started. Review your remote access policies and enforce MFA without exception.

3. Audit and Remove Cached Credentials

The cmdkey /list reconnaissance step yields useful information for attackers only if credentials are cached locally. Audit your endpoints for stored credentials and remove unnecessary ones. Mandate use of a password manager so that employees are not relying on Windows Credential Manager as a vault.
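The audit in this step can be scripted. The following is an added example, not code from this article or from Microsoft: it parses the text that cmdkey /list prints (reproduced here as a constructed sample in the layout the tool uses: a Target/Type/User block per entry, with a trailing persistence line on some entries, and "* NONE *" when the store is empty) and grades each stored credential by how useful it would be to someone who lands on the machine. Target names, user names and the hypothetical run_live() helper are the example's own; on a Windows host run_live() executes cmdkey, elsewhere it falls back to the sample.

```python
"""Audit of credentials cached in Windows Credential Manager.

Added example, not code from the article or from Microsoft. Parses the output of
`cmdkey /list` and reports which entries deserve removal. Sample output below is
constructed; targets and users are not real.
"""
import platform
import subprocess

# Constructed sample of what `cmdkey /list` prints.
SAMPLE_CMDKEY_OUTPUT = """\
Currently stored credentials:

    Target: Domain:target=fileserver01
    Type: Domain Password
    User: CORP\\jsmith

    Target: LegacyGeneric:target=vpn.example.com
    Type: Generic
    User: jsmith@example.com
    Local machine persistence

    Target: LegacyGeneric:target=git:https://example.com
    Type: Generic
    User: jsmith
"""


def parse_cmdkey_list(text):
    """Return one dict per stored credential: target, type, user and any note lines."""
    entries, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                      # blank line closes an entry block
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("Currently stored credentials") or line.startswith("* NONE *"):
            continue
        for key in ("Target", "Type", "User"):
            if line.startswith(key + ":"):
                current[key.lower()] = line.split(":", 1)[1].strip()
                break
        else:                             # e.g. "Local machine persistence"
            current.setdefault("notes", []).append(line)
    if current:
        entries.append(current)
    return entries


def audit_entries(entries):
    """Grade each entry. Domain passwords are the ones that let a foothold on this
    machine turn into access to other hosts; persisted generic secrets come next."""
    findings = []
    for e in entries:
        target = e.get("target", "")
        notes = " ".join(e.get("notes", []))
        if e.get("type") == "Domain Password":
            findings.append((target, "high", "domain credential cached; grants access to other hosts"))
        elif "Local machine persistence" in notes:
            findings.append((target, "medium", "generic credential persisted on disk"))
        else:
            findings.append((target, "low", "session-only or unrecognised entry; review"))
    return findings


def run_live():
    """Hypothetical helper: real cmdkey output on Windows, the constructed sample elsewhere."""
    if platform.system() != "Windows":
        return parse_cmdkey_list(SAMPLE_CMDKEY_OUTPUT)
    out = subprocess.run(["cmdkey", "/list"], capture_output=True, text=True, check=False).stdout
    return parse_cmdkey_list(out)


if __name__ == "__main__":
    for target, severity, why in audit_entries(run_live()):
        print(f"[{severity:6}] {target}: {why}")
```

The script reports and does not delete; removal of an individual entry is cmdkey /delete:<target>, which you would drive from the high-severity findings once the owner has moved the secret into the password manager. The "high" grade is deliberately tied to the Domain Password type rather than to the target name, because that is the entry class an attacker running cmdkey /list is looking for.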

4. Deploy a Supplementary EDR Solution

Because UnDefend can impair Defender's detection capability, organisations that rely solely on Defender are particularly exposed. Consider deploying a supplementary endpoint detection and response solution alongside Defender. Many enterprise-grade EDR tools can detect the behavioural patterns associated with privilege escalation attempts even when Defender is partially disabled.

5. Monitor for Indicators of Compromise

Huntress Labs has published indicators of compromise (IoCs) associated with all three exploits. Feed these into your SIEM or log management platform and alert on process executions matching the known patterns. Key behavioural indicators include: unusual oplock creation by Defender processes, unexpected writes to System32 by Defender, and failures or delays in Defender definition updates.
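Two of the three behavioural indicators above, plus the reconnaissance burst from the Huntress chain, can be expressed as rules over ordinary endpoint telemetry. The block below is an added example, not code from this article, Huntress Labs or Microsoft, and it is not the published IoC list. It assumes Sysmon-style events already normalised into dicts (event ID 1 process creation with image and command_line; event ID 11 file create with image and target_filename), and uses the fact that MsMpEng.exe is the Defender Antivirus engine process. Hosts, timestamps and file names are constructed. Oplock requests are not visible in standard Sysmon telemetry, so that indicator is left to kernel or ETW-level sensors; definition-update delays are better checked from fleet inventory than from individual events.

```python
"""Detection rules over constructed endpoint telemetry.

Added example, not code from the article, Huntress Labs or Microsoft. Assumes
Sysmon-style events normalised into dicts. MsMpEng.exe is the Defender engine
process; every host, timestamp and file name below is constructed.
"""
from datetime import datetime, timedelta

DEFENDER_ENGINE = "msmpeng.exe"
SYSTEM32 = "c:\\windows\\system32\\"
# Reconnaissance commands the article reports being run after the VPN foothold.
RECON_PATTERNS = ("whoami /priv", "cmdkey /list", "net group")
# Constructed path for the engine binary (real installs carry a version directory).
ENGINE_PATH = r"C:\ProgramData\Microsoft\Windows Defender\Platform\<version>\MsMpEng.exe"

SAMPLE_EVENTS = [
    {"time": "2026-04-12T10:02:11", "host": "WS-SALES-07", "event_id": 1,
     "image": r"C:\Windows\System32\whoami.exe", "command_line": "whoami /priv"},
    {"time": "2026-04-12T10:02:40", "host": "WS-SALES-07", "event_id": 1,
     "image": r"C:\Windows\System32\cmdkey.exe", "command_line": "cmdkey /list"},
    {"time": "2026-04-12T10:03:05", "host": "WS-SALES-07", "event_id": 1,
     "image": r"C:\Windows\System32\net.exe", "command_line": 'net group "Domain Admins" /domain'},
    # Defender engine creating a file under System32: the indicator the article lists.
    {"time": "2026-04-12T10:47:19", "host": "WS-SALES-07", "event_id": 11,
     "image": ENGINE_PATH, "target_filename": r"C:\Windows\System32\placeholder.exe"},
    # Defender engine writing to its own data directory: normal, must not alert.
    {"time": "2026-04-12T10:50:00", "host": "WS-SALES-07", "event_id": 11,
     "image": ENGINE_PATH, "target_filename": r"C:\ProgramData\Microsoft\Windows Defender\Scans\sample.tmp"},
    # A lone whoami on another host: routine admin work, must not alert.
    {"time": "2026-04-12T11:15:33", "host": "WS-ACCT-01", "event_id": 1,
     "image": r"C:\Windows\System32\whoami.exe", "command_line": "whoami /priv"},
]


def _norm(path):
    """Case-insensitive, backslash-normalised path for comparisons."""
    return path.replace("/", "\\").lower()


def detect_recon_burst(events, window=timedelta(minutes=15), min_distinct=2):
    """Alert when one host runs at least min_distinct different recon commands inside
    `window`. A single whoami is routine; the cluster is the signal. Returns a sorted
    list of (host, first_command_time, sorted distinct commands), one per host."""
    per_host = {}
    for e in events:
        if e["event_id"] != 1:
            continue
        hits = [p for p in RECON_PATTERNS if p in e["command_line"].lower()]
        if hits:
            per_host.setdefault(e["host"], []).append((datetime.fromisoformat(e["time"]), hits[0]))
    alerts = []
    for host, seen in per_host.items():
        seen.sort()
        for i, (t0, _) in enumerate(seen):
            distinct = {p for t, p in seen[i:] if t - t0 <= window}
            if len(distinct) >= min_distinct:
                alerts.append((host, t0.isoformat(), sorted(distinct)))
                break
    return sorted(alerts)


def detect_defender_system32_writes(events, allowlist=()):
    """Alert on file creates by the Defender engine under System32 that are not on a
    baselined allowlist. Defender's own data lives under ProgramData, so a System32
    target from MsMpEng.exe is unexpected. Returns (host, time, target) tuples."""
    allowed = {_norm(a) for a in allowlist}
    alerts = []
    for e in events:
        if e["event_id"] != 11:
            continue
        image, target = _norm(e["image"]), _norm(e["target_filename"])
        if image.endswith("\\" + DEFENDER_ENGINE) and target.startswith(SYSTEM32) and target not in allowed:
            alerts.append((e["host"], e["time"], e["target_filename"]))
    return alerts


if __name__ == "__main__":
    for alert in detect_recon_burst(SAMPLE_EVENTS):
        print("recon burst:", alert)
    for alert in detect_defender_system32_writes(SAMPLE_EVENTS):
        print("Defender wrote into System32:", alert)
```

Baseline the System32 rule for a week before paging on it and move anything legitimate (for example, files a platform update drops) into the allowlist; the recon rule is intentionally keyed on the combination and time window rather than on any single command, because whoami /priv on its own is something administrators run all day.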

6. Segment Your Network

Privilege escalation on a single endpoint is damaging; lateral movement across a flat network is catastrophic. Network segmentation limits the blast radius of a successful compromise. Ensure critical systems, domain controllers, and file servers are not directly reachable from general workstation subnets. A VPN with split-tunnelling controls — such as those offered by NordVPN — can help smaller organisations enforce segmented traffic routing without the overhead of a full enterprise network overhaul.

When Will Microsoft Patch the Remaining Flaws?

As of the time of writing, Microsoft has not issued an emergency out-of-band patch for RedSun or UnDefend, nor has it confirmed a timeline for their remediation. The next scheduled Patch Tuesday is in May 2026. Given that both flaws are confirmed in active exploitation, there is pressure on Microsoft to release an accelerated fix, but no commitment has been made publicly.

Monitor the Microsoft Security Response Center portal and subscribe to the ACSC's alerts and advisories feed at cyber.gov.au for updates. If Microsoft releases an out-of-band patch before May Patch Tuesday, apply it as an emergency priority.

The Broader Lesson: Your Layered Defences Matter

The BlueHammer, RedSun, and UnDefend story is a stark reminder that no single security tool — not even the antivirus built into your operating system — should be your only line of defence. When that tool is itself compromised and two of the three active exploits remain unpatched, organisations with no other controls are fully exposed.

Security in depth means combining patching discipline, strong credential management, network monitoring, encrypted communications, and supplementary detection tools. The organisations least likely to fall victim to these exploits are those that had those layers in place before the vulnerabilities were publicly disclosed — not those scrambling to respond after the fact.

If your organisation's security posture needs a refresh, start with the fundamentals: patch everything patchable, protect every credential with a dedicated password manager, and ensure your network traffic is encrypted and monitored. The tools to do this exist and are more affordable than the cost of a breach.

Stay Protected

Check out our recommended security tools to protect your digital life today.