{"id":635,"date":"2026-04-17T14:38:36","date_gmt":"2026-04-17T14:38:36","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=635"},"modified":"2026-04-17T14:38:36","modified_gmt":"2026-04-17T14:38:36","slug":"three-microsoft-defender-zero-days-actively-exploited-two-still-unpatched","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=635","title":{"rendered":"Three Microsoft Defender Zero-Days Actively Exploited; Two Still Unpatched"},"content":{"rendered":"<div>\n<p><span class=\"p-author\"><i class=\"icon-font icon-user\">\ue804<\/i><span class=\"author\">Ravie Lakshmanan<\/span><i class=\"icon-font icon-calendar\">\ue802<\/i><span class=\"author\">Apr 17, 2026<\/span><\/span><span class=\"p-tags\">Vulnerability \/ Endpoint Security<\/span><\/p>\n<\/div>\n<div id=\"articlebody\">\n<div class=\"separator\" style=\"clear: both;\"><a href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjJ8x3Yg0CYomOu1IpHfhfmiqJtgaMSnnoE2tJR6RdXGIy1rLRTORge-ukCLYkEj6xzeGTvmuy-68qfU4me_nG7pvwZi21h7ycQFwY3OXCH1_p_g35BAYeaHdz3uRKJD2mQCjUIcxha2WzMePpup2VHarxZVxy3QNtaRAjET-2FK7GemiuvyI8MpNPFVyEQ\/s1700-e365\/defender.jpg\" style=\"display: block;  text-align: center; clear: left; float: left;\"><\/a><\/div>\n<p>Huntress is <a href=\"https:\/\/x.com\/HuntressLabs\/status\/2044882050314817880\">warning<\/a> that threat actors are exploiting three recently disclosed security flaws in Microsoft Defender to gain elevated privileges in compromised systems.<\/p>\n<p>The activity involves\u00a0the exploitation of three vulnerabilities that are codenamed <a href=\"https:\/\/github.com\/Nightmare-Eclipse\/BlueHammer\">BlueHammer<\/a> (requires GitHub sign-in), <a href=\"https:\/\/github.com\/Nightmare-Eclipse\/RedSun\">RedSun<\/a>, and <a href=\"https:\/\/github.com\/Nightmare-Eclipse\/UnDefend\">UnDefend<\/a>, all of which were released as zero-days by a researcher known as Chaotic Eclipse (aka Nightmare-Eclipse) in response to Microsoft&#8217;s handling of the vulnerability disclosure process.<\/p>\n<p>While both BlueHammer and RedSun are local privilege escalation (LPE) flaws impacting Microsoft Defender, UnDefend can be used to trigger a denial-of-service (DoS) condition and effectively block definition updates.<\/p>\n<div class=\"dog_two clear\">\n<div class=\"cf\"><a href=\"https:\/\/thehackernews.uk\/ai-blindspot-d-2\" rel=\"nofollow noopener sponsored\" target=\"_blank\"><img loading=\"lazy\" decoding=\"async\" class=\"lazyload\" alt=\"Cybersecurity\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjXdwBgwvGAvD2t1bXXwTy6zsfnReMp12VglYCBAv0j9Tc0_gLKPqF5HJO1kOv26ZcGRlQJ1kRXGvtIusmtnUGUjonzq8YEigkMhMJvk_Cta9TYHzMvqVfa5SvoH-Z9-kw5VEH8sPeI1YKKrzFeNYp0Cn7mEGMn6PXOs0waZDIWKI5nccOxPyJR8MDQMasu\/s728-e100\/nudge-d-2.jpg\" width=\"729\" height=\"91\"\/><\/a><\/div>\n<\/div>\n<p>Microsoft moved to address BlueHammer as part of its Patch Tuesday updates released earlier this week. The vulnerability is being tracked under the CVE identifier CVE-2026-33825. However, the other flaws do not have a fix as of writing.<\/p>\n<p>In a series of posts shared on X, Huntress said it observed all three flaws being exploited in the wild, with BlueHammer being weaponized since April 10, 2026, followed by the use of RedSun and UnDefend proof-of-concept (PoC) exploits on April 16.<\/p>\n<p>\u00abThese invocations followed after typical enumeration commands: whoami \/priv, cmdkey \/list, net group, and others that indicate hands-on-keyboard threat actor activity,\u00bb it added.<\/p>\n<p>The cybersecurity vendor said it has taken steps to isolate the affected organization to prevent further post-exploitation. The Hacker News has reached out to Microsoft for comment, and we will update the story if we hear back.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>\ue804Ravie Lakshmanan\ue802Apr 17, 2026Vulnerability \/ Endpoint Security Huntress is warning that threat actors are exploiting three recently disclosed security flaws in Microsoft Defender to gain elevated privileges in compromised systems.&hellip;<\/p>\n","protected":false},"author":1,"featured_media":636,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[201,1246,128,147,721,53],"class_list":["post-635","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-actively","tag-defender","tag-exploited","tag-microsoft","tag-unpatched","tag-zerodays"],"_links":{"self":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/635","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=635"}],"version-history":[{"count":0,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/635\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/media\/636"}],"wp:attachment":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=635"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=635"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=635"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}