HIGH: Three Microsoft Defender Zero-Days Chain Into SYSTEM Takeover With Two Still Unpatched
Three zero-day vulnerabilities in Microsoft Defender, nicknamed BlueHammer, RedSun, and UnDefend, are under active exploitation after researcher Chaotic Eclipse dumped working proof-of-concept code. Only BlueHammer (CVE-2026-33825, CVSS 7.8) has been patched. RedSun escalates local users to SYSTEM on fully patched systems while UnDefend silently disables Defender definition updates, making the chained attack especially dangerous until the May 13 Patch Tuesday.
Pour one out for the idea of an endpoint defender you can actually trust. Three zero-days in Microsoft Defender, codenamed BlueHammer, RedSun, and UnDefend, surfaced in rapid succession this month, and two of them remain unpatched with the next scheduled Patch Tuesday still nearly four weeks out. The first has been under active exploitation since April 10. The other two followed on April 16 after a researcher operating under the handle Chaotic Eclipse, also known as Nightmare-Eclipse, dumped working proof-of-concept code onto the public internet in response to what he described as Microsoft's sluggish handling of his disclosures.
Microsoft got one of them into the April 14 Patch Tuesday drop. That was CVE-2026-33825, tracked internally as BlueHammer, and carrying a CVSS v3.1 base score of 7.8 under the vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The NVD classifies it as CWE-1220, insufficient granularity of access control, and the description is about as terse as these things get. An authorized local attacker can elevate privileges because of a race condition in how the Defender remediation logic cleans up suspect files. Microsoft Defender Antimalware Platform versions earlier than 4.18.26030.3011 are vulnerable, which means essentially every managed Windows endpoint on the planet until the platform update rolled out this month.
The other two are where this story stops being a routine privilege-escalation write-up and starts looking like something you would normally see in an APT case study. RedSun, the second local privilege escalation in the trio, abuses Defender's own cloud-tagged file handling to achieve SYSTEM. It leverages a combination of the Cloud Files API, opportunistic file locks, Volume Shadow Copy coordination, and directory junctions to coerce Defender's remediation writes into protected system paths. That is a remarkable sentence to have to write about an antivirus engine. The agent you pay to protect the machine becomes the vehicle for owning the machine, and the exploit remains effective on fully patched systems as of publication. UnDefend, the third and arguably the most interesting member of the family, does not escalate privileges at all. It induces a denial-of-service condition inside Defender's signature and engine update pipeline. The practical effect is that Defender continues to report healthy status back to management consoles while it silently falls behind on definitions and detection logic. The endpoint looks green in the dashboard. It is not.
String the three together and the attack chain writes itself. An operator who already has low-privileged local access, which in the incidents Huntress has documented is most commonly obtained through compromised SSL-VPN credentials, fires UnDefend first. Defender's intel goes stale without tripping any alarm. RedSun then escalates the foothold to SYSTEM using a now-crippled Defender that cannot recognize its own abuse. By the time any detection logic might have caught the post-exploitation behavior, Defender is already broken and the attacker is already NT AUTHORITY\SYSTEM. Huntress telemetry shows the familiar on-keyboard fingerprints immediately afterward: operators running whoami /priv to enumerate their new token, then cmdkey /list to scrape stored credentials, then net group to map domain context. None of that is novel tradecraft. What is novel is the supporting cast. The endpoint security agent has been turned into both a lock and a key.
The disclosure saga behind all of this is worth the price of admission on its own. Chaotic Eclipse publicly accuses Microsoft of mishandling his reports, and the two still-unpatched vulnerabilities have no assigned CVE identifiers, no public CVSS scores, and no committed patch timeline. Microsoft's on-the-record response, offered to reporters, sticks to the expected script about being committed to investigating reported security issues and updating impacted devices to protect customers as soon as possible, and about supporting coordinated vulnerability disclosure practices. Those two sentences are doing a lot of work, because the researcher's position is that coordinated disclosure is precisely what broke down. Unless Microsoft ships out-of-band fixes or releases configuration guidance, defenders are on their own until May 13.
The exposed population is a short list that happens to include almost everyone: anyone running a recent build of Windows with Microsoft Defender as the primary or secondary antimalware agent, which covers most of the corporate world. If you are on the April 14 Defender Antimalware Platform update at 4.18.26030.3011 or later, BlueHammer is closed. RedSun and UnDefend are not. There are no patches to apply and no toggles to flip. The practical mitigation posture, at least until May's updates, is a tightening exercise. Treat any local access on a Windows host as potentially ruinous rather than merely inconvenient, because the chain assumes the attacker already has a shell and turns that shell into SYSTEM. Harden the identity layer that feeds into it, because the Huntress incidents consistently started with a valid VPN credential. Enforce phishing-resistant multi-factor authentication on every remote access path that touches a Windows workstation, and pair that with conditional access policies that flag unfamiliar devices and impossible-travel sign-ins.
Detection engineering deserves an equal amount of attention right now. If Defender is reporting healthy but its signature timestamp has not advanced in 24 hours, that is a high-fidelity indicator rather than a housekeeping annoyance. Alert on it. Build hunting queries around the enumeration triad Huntress flagged, because whoami /priv, cmdkey /list, and net group firing in the same session on a non-admin account is the unmistakable sound of an operator taking inventory after a successful escalation. If you run EDR from a second vendor alongside Defender, verify that its tamper protection and update channel are independent of the Defender pipeline, because an UnDefend-style DoS against Defender only matters if nothing else is watching. A second opinion has rarely been this valuable.
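The two host-side checks described above (the platform version that closes BlueHammer, and a Defender that reports healthy while its signatures have stopped advancing) as one added PowerShell example. This is not code from the article, Microsoft, or Huntress; it assumes a Windows host with the Defender module available, and the function name Test-DefenderHealth and the 24-hour threshold are this example's own choices.

```powershell
# Added example, not from the article: local Defender health check for the two
# conditions the text calls out. Uses Get-MpComputerStatus from the Defender module.
function Test-DefenderHealth {
    param(
        # Platform version that closes BlueHammer (CVE-2026-33825), as stated in the article
        [version]$PatchedPlatform = '4.18.26030.3011',
        # Signature age beyond which a "healthy" status report is suspect (example threshold)
        [int]$MaxSignatureAgeHours = 24
    )
    $s = Get-MpComputerStatus
    $findings = @()

    # BlueHammer: any Antimalware Platform older than the April 14 update is still vulnerable
    if ([version]$s.AMProductVersion -lt $PatchedPlatform) {
        $findings += "Antimalware Platform $($s.AMProductVersion) is below $PatchedPlatform (CVE-2026-33825 unpatched)"
    }

    # UnDefend-style staleness: service and real-time protection look healthy,
    # but the last signature update timestamp has not moved. Measure wall-clock age
    # from the timestamp rather than trusting any age field the engine reports.
    $sigAge = (Get-Date) - $s.AntivirusSignatureLastUpdated
    if ($s.AMServiceEnabled -and $s.RealTimeProtectionEnabled -and $sigAge.TotalHours -gt $MaxSignatureAgeHours) {
        $findings += "Defender reports healthy but signatures last updated $($s.AntivirusSignatureLastUpdated) ($([int]$sigAge.TotalHours)h ago)"
    }

    # Tamper protection off widens the window for any local attacker to silence the agent
    if (-not $s.IsTamperProtected) {
        $findings += "Tamper protection is disabled"
    }

    [pscustomobject]@{
        Computer          = $env:COMPUTERNAME
        PlatformVersion   = $s.AMProductVersion
        EngineVersion     = $s.AMEngineVersion
        SignatureVersion  = $s.AntivirusSignatureVersion
        SignatureAgeHours = [int]$sigAge.TotalHours
        Findings          = $findings
        Healthy           = ($findings.Count -eq 0)
    }
}

Test-DefenderHealth
```

Run it from the management tooling you already trust, on a schedule, and alert on Healthy being false; a non-empty Findings list on a host that the console shows green is the signal the article describes.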
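The hunting idea above (all three enumeration commands in one session under a non-admin account) as an added PowerShell example that is not from the article or Huntress. The function name Find-EnumerationTriad is this example's own; the input objects mirror the Security event 4688 fields SubjectLogonId, SubjectUserName and CommandLine, and the sample events are constructed so the block runs offline.

```powershell
# Added example, not from the article: flag logon sessions in which whoami /priv,
# cmdkey /list and net group all fire under an account not on the admin list.
function Find-EnumerationTriad {
    param([Parameter(Mandatory)][object[]]$Events, [string[]]$AdminAccounts = @())
    # One pattern per indicator; tolerates full paths, quoting and .exe suffixes
    $triad = @{
        'whoami /priv' = '(?i)^\s*"?[^"]*whoami(\.exe)?"?\s+/priv'
        'cmdkey /list' = '(?i)^\s*"?[^"]*cmdkey(\.exe)?"?\s+/list'
        'net group'    = '(?i)^\s*"?[^"]*net1?(\.exe)?"?\s+group'
    }
    $Events |
        Where-Object { $AdminAccounts -notcontains $_.SubjectUserName } |
        Group-Object SubjectLogonId |
        ForEach-Object {
            $cmds = $_.Group.CommandLine
            # Collect the indicator names that matched at least one command line in this session
            $hits = foreach ($name in $triad.Keys) {
                if ($cmds -match $triad[$name]) { $name }
            }
            if (@($hits).Count -eq 3) {
                [pscustomobject]@{
                    LogonId  = $_.Name
                    Account  = ($_.Group.SubjectUserName | Select-Object -First 1)
                    First    = ($_.Group.TimeCreated | Sort-Object | Select-Object -First 1)
                    Commands = $cmds
                }
            }
        }
}

# Constructed sample: session 0x3e9a2 is a non-admin user running all three commands;
# session 0x5c11 only runs one and must not be flagged.
$sample = @(
    [pscustomobject]@{TimeCreated=[datetime]'2026-04-16T09:12:03'; SubjectLogonId='0x3e9a2'; SubjectUserName='jdoe'; CommandLine='whoami  /priv'}
    [pscustomobject]@{TimeCreated=[datetime]'2026-04-16T09:12:11'; SubjectLogonId='0x3e9a2'; SubjectUserName='jdoe'; CommandLine='"C:\Windows\System32\cmdkey.exe" /list'}
    [pscustomobject]@{TimeCreated=[datetime]'2026-04-16T09:12:40'; SubjectLogonId='0x3e9a2'; SubjectUserName='jdoe'; CommandLine='net  group "Domain Admins" /domain'}
    [pscustomobject]@{TimeCreated=[datetime]'2026-04-16T10:01:00'; SubjectLogonId='0x5c11';  SubjectUserName='svc-backup'; CommandLine='whoami /priv'}
)
Find-EnumerationTriad -Events $sample -AdminAccounts @('Administrator')
```

Feeding real 4688 events into this requires the "Include command line in process creation events" audit policy, since the CommandLine field is empty otherwise.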
For enterprises with the muscle, consider moving Defender tamper protection and update servicing to a hardened management stance. Application control policies that restrict which binaries can open oplocks on cloud-synced locations will frustrate RedSun specifically, because the exploit leans on the Cloud Files API to coerce the vulnerable remediation path. Disabling cloud synchronization clients on sensitive endpoints is a bigger hammer, and one that costs productivity, but it is on the table for high-value hosts until a fix for RedSun ships. None of this replaces a patch. It buys time.
For the managed services crowd, this is the exact kind of story that sells managed detection and response upgrades and identity threat detection. A client who asks how they are supposed to defend against a vulnerability that has no patch is ready to hear about tamper-resistant secondary EDR, about monitoring the VPN and SaaS layers that precede local escalation, and about continuous Defender health telemetry as a billable service rather than a free add-on. Tabletop exercises focused on credential theft and local privilege escalation chains also keep delivering value every time an event like this lands, because the discussion writes itself. What happens when our endpoint agent lies to us about its own health? Who owns that detection gap? How quickly can we isolate a SYSTEM-compromised host from the domain? If those answers are not crisp, there is a services engagement in that conversation for whoever asks the questions first.
Expect this story to keep evolving. An out-of-band Defender platform update is not out of the question given the chaining potential and the attention the researcher's public disclosure has drawn. Until then, assume the agent you relied on to watch the endpoint is, at best, distracted.
References
- NVD CVE-2026-33825: https://nvd.nist.gov/vuln/detail/CVE-2026-33825
- Microsoft Security Response Center Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33825
- The Hacker News: Three Microsoft Defender Zero-Days Actively Exploited: https://thehackernews.com/2026/04/three-microsoft-defender-zero-days.html
- Field Effect: Three Microsoft Defender Zero-days Reported Exploited: https://fieldeffect.com/blog/three-microsoft-defender-zero-days-reported-exploited