Microsoft Defender Zero-Days Exploited: Two Still Unpatched
Emily Davis

Security researchers warn that three Microsoft Defender zero-day vulnerabilities are being actively exploited. Two remain unpatched. Learn how attackers gain elevated privileges and what steps you can take to protect your systems.
Security researchers are raising alarms about a fresh wave of attacks targeting Microsoft Defender. Huntress recently warned that cybercriminals are actively exploiting three zero-day vulnerabilities in this widely used security tool. The goal? To gain elevated privileges on compromised systems, which could let attackers bypass defenses and take full control.
These flaws go by the codenames BlueHammer, RedSun, and UnDefend. They were all released as zero-days by a researcher known as Chaotic Eclipse. The scary part? Two of these vulnerabilities still don't have official patches from Microsoft. That means your system could be at risk right now if you're running Microsoft Defender without extra precautions.
### What Are These Vulnerabilities?
Let's break down what we know about each one. BlueHammer targets specific components in Microsoft Defender to escalate privileges. It requires a GitHub sign-in to access the proof-of-concept code, but that doesn't stop determined attackers. RedSun is another privilege escalation bug, though details are sparse. UnDefend is the most concerning because it actively disables Defender's protections, leaving your system wide open.
Think of it like this: your security software is supposed to be the lock on your front door. These exploits are like picking that lock from the inside, then propping the door open for other malware to waltz right in. Not great.

### How Are Attackers Using These Flaws?
Huntress observed that threat actors chain these exploits together. They start by gaining initial access through a phishing email or a malicious download. Then, they use one of these zero-days to elevate their privileges from a regular user to an administrator. Once they have admin rights, they can disable security features, steal data, or install ransomware.
This is a classic attack pattern, but the use of unpatched zero-days makes it especially dangerous. Traditional antivirus tools might not catch these exploits because they're brand new and unknown to signature databases.
### What Should You Do to Stay Safe?
Here are some practical steps you can take right now:
- **Update Microsoft Defender manually**: Check for updates daily, even if automatic updates are enabled. Microsoft sometimes releases emergency patches outside of Patch Tuesday.
- **Enable cloud-delivered protection**: This feature uses real-time threat intelligence to block new attacks faster.
- **Limit user privileges**: Don't give everyone admin access. Use standard accounts for daily work and reserve admin accounts for specific tasks.
- **Use an antidetect browser**: For sensitive operations, consider using a browser that masks your digital fingerprint. This makes it harder for attackers to target you based on your system configuration.
- **Monitor for unusual activity**: Watch for unexpected privilege escalation attempts or processes trying to disable security software.
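The update, cloud-protection and monitoring steps above can be checked from one script. The following is an added example, not code from the original article or from Huntress or Microsoft; it uses the built-in Defender PowerShell module and the Defender operational event log, and the signature-age threshold and lookback window are assumptions you should set to your own policy.

```powershell
# Added example (not from the article): a defender-side health check for Microsoft Defender.
# Covers three of the steps above: signatures current, cloud-delivered protection on,
# and evidence of protection being switched off. Run from an elevated PowerShell prompt.

$MaxSignatureAgeDays = 1    # assumption: signatures older than one day count as stale
$LookbackHours       = 24   # assumption: how far back to search the Defender event log
$findings = @()

# 1. Pull the latest signatures first, then read the resulting state.
Update-MpSignature -ErrorAction SilentlyContinue
$status = Get-MpComputerStatus
$pref   = Get-MpPreference

if ($status.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
    $findings += "Signatures are $($status.AntivirusSignatureAge) day(s) old (last updated $($status.AntivirusSignatureLastUpdated))"
}

# 2. Protections that tampering of the kind described in the article would turn off.
if (-not $status.RealTimeProtectionEnabled) { $findings += "Real-time protection is disabled" }
if (-not $status.IsTamperProtected)         { $findings += "Tamper Protection is off" }
if ($status.AMRunningMode -ne 'Normal')     { $findings += "Running mode is '$($status.AMRunningMode)', not Normal" }

# 3. Cloud-delivered protection (MAPS): 0 = disabled, 1 = basic, 2 = advanced.
if ($pref.MAPSReporting -eq 0) {
    $findings += "Cloud-delivered protection is off; enable with: Set-MpPreference -MAPSReporting Advanced"
}

# 4. Recent protection-state changes in the Defender operational log.
#    Event 5001 = real-time protection disabled, 5007 = platform configuration changed.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 5001, 5007
    StartTime = (Get-Date).AddHours(-$LookbackHours)
} -ErrorAction SilentlyContinue
foreach ($e in $events) {
    $findings += "[$($e.TimeCreated)] Event $($e.Id): $($e.Message.Split("`n")[0])"
}

if ($findings.Count -eq 0) {
    Write-Host "Defender health check passed." -ForegroundColor Green
} else {
    Write-Warning "Defender health check found $($findings.Count) issue(s):"
    $findings | ForEach-Object { Write-Warning $_ }
}
```

Any 5001 or 5007 event you did not cause yourself is worth treating as a potential tampering attempt and investigating on that host.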
### Why This Matters for Your Business
If you're running a business in the United States, these exploits are a direct threat to your bottom line. A successful attack could lead to data breaches, compliance fines, and downtime that costs thousands of dollars per hour. The fact that two vulnerabilities remain unpatched means the window of risk is still wide open.
Security experts recommend treating this as a critical incident. Even if you haven't been affected yet, proactive measures can save you from a world of hurt down the road. Don't wait for a patch to drop before taking action.
### The Bigger Picture
This situation highlights a growing trend: attackers are targeting security tools themselves. By exploiting flaws in antivirus software, they can blind defenders before launching more destructive attacks. It's a smart but scary strategy.
The takeaway? No single tool can protect you completely. A layered approach with antidetect browsers, strict access controls, and regular updates is your best bet. Stay vigilant, and don't assume your security software is invincible.
Stay safe out there.