Active Exploitation of Microsoft Defender Zero-Days: BlueHammer, RedSun, and UnDefend Under Attack
**Microsoft Defender** is facing active exploitation of three recently disclosed zero-day vulnerabilities. Dubbed BlueHammer, RedSun, and UnDefend, the flaws are being leveraged by threat actors: the first two grant elevated privileges on the local host, and the third triggers a denial-of-service condition that blocks Defender definition updates.

**Huntress** has reported active exploitation of three security vulnerabilities in Microsoft Defender, potentially leading to elevated privileges on compromised systems. The vulnerabilities, known as **BlueHammer**, **RedSun**, and **UnDefend**, were initially disclosed as zero-days by a researcher, Chaotic Eclipse (aka Nightmare-Eclipse), due to concerns about Microsoft's vulnerability disclosure handling.
### Vulnerability Details
* **BlueHammer**: A local privilege escalation (LPE) flaw in Microsoft Defender.
* **RedSun**: Another LPE vulnerability affecting Microsoft Defender.
* **UnDefend**: A denial-of-service (DoS) flaw that blocks Defender definition updates, so an affected endpoint keeps running on stale signatures.
### Patch Status and CVE Information
**Microsoft** has addressed BlueHammer as part of its Patch Tuesday updates. The vulnerability is tracked as **CVE-2026-33825**. As of this writing, RedSun and UnDefend remain unpatched.
### In-the-Wild Exploitation
Huntress observed active exploitation of all three vulnerabilities. BlueHammer was reportedly weaponized starting April 10, 2026, with RedSun and UnDefend proof-of-concept (PoC) exploits appearing on April 16. According to Huntress, the exploitation attempts were preceded by host and domain enumeration commands, the pattern that distinguishes hands-on-keyboard intrusion from automated malware.
> "These invocations followed after typical enumeration commands: whoami /priv, cmdkey /list, net group, and others that indicate hands-on-keyboard threat actor activity," Huntress stated.
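The enumeration sequence Huntress describes is itself a detection opportunity: a burst of distinct recon commands from one host and user, followed shortly by an unexpected process launch, is worth an alert before any exploit binary is identified. The following is an added example, not Huntress's or Microsoft's code, that runs such a check over constructed process-creation log lines. The log format (`<ISO timestamp> host=<h> user=<u> cmd=<command line>`), the hostnames, user names and file paths, and the ten-minute window and three-command threshold are all assumptions chosen for illustration; the enumeration commands flagged are the ones quoted above plus a few common companions.

```python
"""Flag a cluster of host/domain enumeration commands followed by a new process.

Added example (not code from the article, Huntress, or Microsoft).  The log
format and sample data below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

# Enumeration commands quoted by Huntress (whoami /priv, cmdkey /list, net group)
# plus a few companions that commonly appear in the same hands-on-keyboard phase.
ENUM_PATTERNS = {
    "whoami /priv": re.compile(r"\bwhoami(\.exe)?\s+/priv\b", re.I),
    "cmdkey /list": re.compile(r"\bcmdkey(\.exe)?\s+/list\b", re.I),
    "net group": re.compile(r"\bnet1?(\.exe)?\s+group\b", re.I),
    "net user": re.compile(r"\bnet1?(\.exe)?\s+user\b", re.I),
    "net localgroup": re.compile(r"\bnet1?(\.exe)?\s+localgroup\b", re.I),
    "systeminfo": re.compile(r"\bsysteminfo(\.exe)?\b", re.I),
}

# Constructed sample log (assumed format, hostnames, users and paths).
SAMPLE_LOG = r"""
2026-04-16T09:58:12 host=WS-042 user=CORP\jdoe cmd=C:\Windows\system32\whoami.exe /priv
2026-04-16T09:58:40 host=WS-042 user=CORP\jdoe cmd=cmdkey /list
2026-04-16T09:59:05 host=WS-042 user=CORP\jdoe cmd=net group "Domain Admins" /domain
2026-04-16T10:01:30 host=WS-042 user=CORP\jdoe cmd=C:\Users\jdoe\AppData\Local\Temp\update.exe
2026-04-16T10:02:00 host=WS-042 user=CORP\jdoe cmd=cmd.exe /c whoami
2026-04-16T11:15:00 host=WS-017 user=CORP\svc_backup cmd=systeminfo
2026-04-16T11:16:00 host=WS-017 user=CORP\svc_backup cmd=robocopy D:\data E:\backup /MIR
""".strip().splitlines()

LINE_RE = re.compile(r"(\S+) host=(\S+) user=(\S+) cmd=(.*)$")


@dataclass
class Event:
    ts: datetime
    host: str
    user: str
    cmdline: str


def parse_line(line):
    """Parse one constructed-format log line; return None on malformed input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Event(datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4))


def classify(cmdline):
    """Return the enumeration label matching cmdline, or None if it is not recon."""
    for label, pat in ENUM_PATTERNS.items():
        if pat.search(cmdline):
            return label
    return None


def find_hands_on_keyboard(lines, window=timedelta(minutes=10), min_distinct=3):
    """Return one alert per (host, user) recon cluster that a non-recon process follows.

    A cluster is at least `min_distinct` distinct enumeration commands within
    `window`.  The first non-recon command after a cluster raises the alert and
    resets the cluster, so repeated alerts need fresh enumeration activity.
    """
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e.ts)
    by_actor = {}
    for e in events:
        by_actor.setdefault((e.host, e.user), []).append(e)

    alerts = []
    for (host, user), evs in by_actor.items():
        recon = []  # (timestamp, label) of recent enumeration commands
        for e in evs:
            label = classify(e.cmdline)
            if label:
                recon.append((e.ts, label))
                continue
            recent = {lbl for ts, lbl in recon if e.ts - ts <= window}
            if len(recent) >= min_distinct:
                alerts.append({
                    "host": host,
                    "user": user,
                    "ts": e.ts.isoformat(),
                    "recon": sorted(recent),
                    "followed_by": e.cmdline,
                })
                recon = []  # require a new cluster before alerting again
    return alerts


if __name__ == "__main__":
    for a in find_hands_on_keyboard(SAMPLE_LOG):
        print(f"{a['ts']} {a['host']} {a['user']}: {a['recon']} -> {a['followed_by']}")
```

On the sample above only the `WS-042` actor trips the rule: three distinct enumeration commands inside ten minutes, then an unrelated executable launched from the user's temp directory. The `WS-017` service account runs a single `systeminfo` and is left alone, which is the point of requiring several distinct commands rather than matching any one of them. In a real deployment the inputs would be Sysmon Event ID 1 or Windows Security 4688 records and the thresholds would be tuned against baseline admin activity.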
### Mitigation Measures
Huntress isolated the affected hosts at the targeted organization to cut off further post-exploitation activity. Because RedSun and UnDefend have no vendor fix yet, isolation and monitoring for the enumeration pattern above remain the only defensive options for those two flaws.
### Microsoft's Response
Microsoft confirmed that BlueHammer has been addressed under CVE-2026-33825.
> "Microsoft has a customer commitment to investigate reported security issues and update impacted devices to protect customers as soon as possible," a Microsoft spokesperson said. "We also support coordinated vulnerability disclosure, a widely adopted industry practice that helps ensure issues are carefully investigated and addressed before public disclosure, supporting both customer protection and the security research community."