Windows Defender Zero-Days BlueHammer, RedSun, and UnDefend: Two Remain Unpatched as Active Exploitation Continues
Three zero-days in Microsoft Defender Antivirus, two of them local privilege escalations and one a defense-evasion technique, are being actively exploited against Windows 10, Windows 11, and Windows Server environments. Huntress Labs confirmed hands-on-keyboard threat actor activity beginning April 10, 2026, following initial access through a compromised FortiGate SSL VPN from a Russian-geolocated source IP. Microsoft patched one of the three flaws, CVE-2026-33825 (BlueHammer), in its April 2026 Patch Tuesday release. RedSun and UnDefend remain unpatched as of May 12, 2026. BlueHammer and RedSun share the same end state: a low-privileged local attacker gains SYSTEM-level access on the targeted Windows machine. UnDefend then blinds the endpoint by blocking Defender definition updates. For SMBs without dedicated security staff, that is the difference between an inconvenient phishing click and a full ransomware deployment.
What Happened
The three exploits, collectively tracked under the “Nightmare-Eclipse” toolset published by researcher “Chaotic Eclipse” after a dispute with Microsoft’s Security Response Center, each attack Microsoft Defender through a different mechanism. BlueHammer and RedSun converge on the same result, SYSTEM-level code execution from a low-privileged user account; UnDefend instead disables the security product those accounts depend on.
CVE-2026-33825 (BlueHammer) abuses a TOCTOU (Time-of-Check Time-of-Use) race condition in Defender’s remediation pipeline. The attack sequence works as follows: the attacker places a file that triggers a Defender detection, then requests a Windows opportunistic lock (oplock) on it so that Defender’s file operation stalls mid-execution. While Defender is paused, the attacker replaces the directory it is about to write into with an NTFS junction point pointing at C:\Windows\System32. When the oplock releases, Defender, which runs as SYSTEM, follows the junction and writes into the redirected system directory, so the attacker’s payload overwrites a legitimate system binary. The check (the path Defender validated) and the use (the path it actually writes) are no longer the same object, which is what makes this a TOCTOU bug rather than a simple permission error. The exploit affects Microsoft Defender Antivirus platform versions 4.18.26020.6 and earlier and is fixed by updating to version 4.18.26020.7 or later, distributed with the April 2026 cumulative update.
RedSun exploits Defender’s cloud-tag behavior to overwrite system files and achieve the same SYSTEM-level escalation. No patch is available. UnDefend takes a different approach entirely: rather than executing attacker code directly, it uses four concurrent locking mechanisms to permanently block all Defender definition updates, leaving the endpoint blind to any subsequent malware payloads. No patch exists for UnDefend either.
CISA added CVE-2026-33825 to its Known Exploited Vulnerabilities catalog on April 22, 2026, with a federal patch deadline of May 7. Public proof-of-concept exploit code for all three vulnerabilities was published to GitHub by the same researcher, reducing the technical bar for exploitation significantly.
Affected platforms span the full Windows footprint: Windows 10 (all supported versions), Windows 11 (all supported versions), Windows Server 2016, 2019, 2022, and 2025. Any system running a Defender platform older than the April 2026 update is exposed to BlueHammer; systems that have taken that update remain exposed to RedSun and UnDefend. The observed intrusion chain runs: initial access via compromised VPN credentials or phishing, local user foothold, BlueHammer or RedSun LPE to SYSTEM, UnDefend deployed to disable Defender signature updates, then full system compromise enabling ransomware deployment or persistent backdoor installation.
Who Is Affected
Any organization running Windows is in scope. That is not hyperbole — Microsoft Defender ships enabled by default on every modern Windows installation and cannot be removed without degrading the system’s security posture. Unlike vulnerabilities targeting niche third-party software, this cluster hits the security layer every Windows machine relies on.
SMBs face compounding risk here. Patching cadence at smaller organizations is typically slower than at enterprise environments with dedicated patch management infrastructure. Many SMB environments rely on Defender as their primary or sole endpoint security product, meaning a successful UnDefend deployment leaves the machine with no effective malware detection. The initial access vector — compromised VPN credentials or phishing — is the exact attack path most commonly used against SMB targets. A single employee account compromise, combined with these exploits, provides an attacker an unobstructed path from low-privileged workstation access to full SYSTEM control within minutes.
The confirmed Russian-geolocated source IP in the Huntress Labs intrusion report adds geopolitical context relevant to US-based businesses. Two of the three exploits in this cluster have no vendor patch and no announced timeline for one, so this risk window will remain open for an indeterminate period.
Remediation Checklist
- Apply the Microsoft April 2026 Patch Tuesday cumulative update immediately to all Windows 10, Windows 11, and Windows Server 2016/2019/2022/2025 systems. This is the only available patch and it addresses CVE-2026-33825 (BlueHammer).
- Verify Microsoft Defender Antivirus is at platform version 4.18.26020.7 or later on every endpoint. Check via Windows Security > Virus and Threat Protection > Protection Updates, or in a script with `(Get-MpComputerStatus).AMProductVersion`. The Defender platform version is tracked separately from the OS build, so systems still running 4.18.26020.6 or earlier are vulnerable to BlueHammer even if the OS cumulative update has been applied separately.
- Enable automatic Defender definition updates across all managed endpoints. Do not pin, defer, or disable signature updates. UnDefend specifically targets and disables this update channel, so monitoring for definition update failures is an early warning signal.
- Deploy or verify an Endpoint Detection and Response (EDR) solution capable of detecting local privilege escalation attempts, NTFS junction point abuse, oplock-based exploit behavior, and unexpected writes to C:\Windows\System32 by non-administrative processes.
- Audit local user account permissions on all Windows systems. Enforce least-privilege consistently: standard users should not hold rights beyond what their role requires. These exploits require only a low-privileged local account to succeed, so reducing unnecessary local privileges limits the attacker’s starting position.
- Rotate SSL VPN and remote access credentials immediately if any anomalous activity has been observed on FortiGate, Cisco, Palo Alto, or other VPN platforms. Enforce MFA on all remote access solutions without exception.
- Monitor for these specific indicators: unexpected writes to C:\Windows\System32, Defender definition update failures (possible UnDefend activity), NTFS junction point creation by non-administrative processes, and unexpected SYSTEM-level process creation from low-privileged parent processes.
- Enable Windows Defender Attack Surface Reduction (ASR) rules and Credential Guard on systems where RedSun and UnDefend exposure cannot be mitigated by other controls. These measures limit post-exploitation impact while patches remain unavailable.
- Isolate any Windows system showing signs of privilege escalation or unexpected SYSTEM-level process activity immediately. Treat it as compromised and initiate forensic investigation before returning it to production.
- Subscribe to Microsoft Security Response Center (MSRC) notifications for out-of-band patches for RedSun and UnDefend. When patches are released, treat them as emergency updates requiring same-day deployment.
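The version, definition-freshness, and junction checks in the list above can be run from one script on each endpoint. The following PowerShell is an added example written for this advisory, not Microsoft or Huntress tooling. It relies only on the built-in `Get-MpComputerStatus`, `Get-WinEvent`, and `Get-ChildItem` cmdlets. The minimum platform version and the one-day definition-age threshold are taken from this page and are assumptions, not Microsoft guidance; the list of user-writable directories to sweep for junctions is also an assumption and should be extended for your environment.

```powershell
# Added example for this advisory (not Microsoft or Huntress code).
# Run elevated on a Windows 10/11 or Windows Server endpoint.
# Checks:
#   1. Defender platform version at or above the fixed build named in this page
#   2. Definition freshness and recent update failures (possible UnDefend)
#   3. NTFS junctions in user-writable paths whose target is inside System32
# Assumptions: $MinPlatformVersion and $MaxSignatureAgeDays come from the
# advisory text; $UserWritable is an illustrative starting list.

$MinPlatformVersion  = [version]'4.18.26020.7'
$MaxSignatureAgeDays = 1
$UserWritable = @($env:TEMP, $env:LOCALAPPDATA, "$env:SystemDrive\Users\Public", $env:ProgramData)

$Findings = [System.Collections.Generic.List[string]]::new()
$Status   = Get-MpComputerStatus

# 1. AMProductVersion is the antimalware platform build, which ships
#    separately from the OS cumulative update and must be checked on its own.
$Current = [version]$Status.AMProductVersion
if ($Current -lt $MinPlatformVersion) {
    $Findings.Add("Defender platform $Current is below $MinPlatformVersion (BlueHammer, CVE-2026-33825)")
}

# 2. Stale definitions or disabled real-time protection on a machine that
#    is supposed to auto-update is the early warning signal for UnDefend.
if ($Status.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
    $Findings.Add("Definitions are $($Status.AntivirusSignatureAge) day(s) old (last update $($Status.AntivirusSignatureLastUpdated))")
}
if (-not $Status.RealTimeProtectionEnabled) {
    $Findings.Add('Real-time protection is disabled')
}

# Event ID 2001 in the Defender operational log records a failed
# definition update; several in a row is worth a closer look.
$UpdateFailures = @(Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 2001
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue)
if ($UpdateFailures.Count -gt 0) {
    $Findings.Add("$($UpdateFailures.Count) definition update failure(s) (Event ID 2001) in the last 7 days")
}

# 3. A junction that a standard user could create and that resolves into
#    System32 is the redirect primitive described for BlueHammer.
$System32 = Join-Path $env:SystemRoot 'System32'
foreach ($Root in ($UserWritable | Where-Object { $_ -and (Test-Path $_) })) {
    Get-ChildItem -Path $Root -Recurse -Force -Attributes ReparsePoint -ErrorAction SilentlyContinue |
        Where-Object { $_.LinkType -eq 'Junction' } |
        ForEach-Object {
            # Target is a string array on Windows PowerShell 5.1 and a string on PowerShell 7.
            $TargetPath = [string]($_.Target | Select-Object -First 1)
            if ($TargetPath -and $TargetPath.StartsWith($System32, [System.StringComparison]::OrdinalIgnoreCase)) {
                $Findings.Add("Junction $($_.FullName) -> $TargetPath")
            }
        }
}

if ($Findings.Count -eq 0) {
    Write-Output "OK: $env:COMPUTERNAME passes all checks"
} else {
    Write-Output "REVIEW: $env:COMPUTERNAME"
    $Findings | ForEach-Object { Write-Output "  - $_" }
}
```

A clean result on the version check only closes the BlueHammer gap. The definition-age and junction checks are hunting signals for the two unpatched flaws and should be scheduled to run repeatedly, with any `REVIEW` output feeding the isolation step above rather than being cleared by hand.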
Strategic Recommendations
The structural problem this cluster exposes is not the specific vulnerabilities; it is the dependency on a single security layer. Defender as the sole endpoint security control is insufficient for any environment facing modern threat actors. An EDR product that detects behavioral anomalies such as oplock abuse, NTFS junction manipulation, and privilege escalation patterns can flag BlueHammer and RedSun activity before SYSTEM-level access is achieved. UnDefend’s definition-blocking behavior is detectable through monitoring of Defender’s update telemetry, but only if that telemetry is being collected and reviewed.
VPN credential hygiene deserves equal emphasis. The confirmed intrusion in this cluster started with a compromised FortiGate SSL VPN credential. Phishing and credential theft remain the most reliable initial access methods against SMB targets, and reducing that risk requires layered controls: MFA on all remote access, regular credential rotation, and anomaly detection on authentication logs. An attacker who cannot establish that initial foothold cannot reach the privilege escalation stage.
The two unpatched zero-days in this cluster — RedSun and UnDefend — create an ongoing exposure window with no vendor timeline for resolution. Organizations need to operate on the assumption that sophisticated attackers have these tools and will use them. Compensating controls — EDR behavioral detection, ASR rules, network segmentation, and least-privilege enforcement — must close the gap that patches cannot yet address. Waiting for a patch before acting is not a viable posture when exploitation is already confirmed in the wild.
Our team is tracking this cluster and will update clients through our managed detection and response service as new patches or IOCs emerge. If your environment has not been assessed for these specific attack patterns, that assessment should happen this week, not next month.
How Lone Wolf Networks Can Help
Our managed detection and response service monitors endpoint telemetry continuously for the behavioral patterns associated with BlueHammer, RedSun, and UnDefend — including oplock abuse, NTFS junction point creation, Defender update failures, and unexpected SYSTEM-level process chains. We have added detection rules specific to the Nightmare-Eclipse toolset to our monitoring stack.
Through our vulnerability management program, we identify unpatched systems and prioritize remediation based on active exploitation status. For clients with Windows Server environments or VPN-dependent workforces, we conduct credential audit reviews and remote access hardening as part of ongoing engagements.
Our security awareness training addresses the phishing and credential theft vectors that provide initial access in attacks like this one. The confirmed intrusion in this cluster started with a compromised credential; training reduces that risk at the source.
For organizations concerned about Microsoft 365 and Entra ID exposure in post-exploitation scenarios — where SYSTEM-level access on a workstation enables credential harvesting from browser sessions and cached tokens — our Microsoft 365 security hardening service addresses those lateral movement paths specifically.
If you believe your environment may have been targeted or need an immediate assessment, contact us directly. Our incident response capability is available for organizations that need hands-on investigation. Additional advisories and technical context are available on the LWN blog.
References
- Three Microsoft Defender Zero-Days Actively Exploited; Two Still Unpatched — The Hacker News (April 16, 2026)
- Nightmare-Eclipse Tooling Seen in Real-World Intrusion — Huntress Labs (April 16, 2026)
- CISA Orders Feds to Patch Microsoft Defender Flaw Exploited in Zero-Day Attacks — Bleeping Computer (April 22, 2026)
- Recently Leaked Windows Zero-Days Now Exploited in Attacks — Bleeping Computer (April 16, 2026)
- BlueHammer and RedSun: Windows Defender CVE-2026-33825 Zero-Day Explained — Picus Security (April 17, 2026)
- CVE-2026-33825 Detail — NIST National Vulnerability Database (April 7, 2026)
- When the Defender Becomes the Door: BlueHammer, RedSun, and UnDefend in the Wild — Vectra AI (April 20, 2026)
- CISA Adds CVE-2026-33825 to Known Exploited Vulnerabilities Catalog — CISA (April 22, 2026)
- CVE-2026-33825 — Microsoft Security Response Center