Three Microsoft Defender Zero-Days Actively Exploited; Two Still Unpatched

Huntress is warning that threat actors are exploiting three recently disclosed security flaws in Microsoft Defender to gain elevated privileges on compromised systems.

The activity involves the exploitation of three vulnerabilities codenamed BlueHammer (requires GitHub sign-in), RedSun, and UnDefend, all of which were released as zero-days by a researcher known as Chaotic Eclipse (aka Nightmare-Eclipse) in response to Microsoft's handling of the vulnerability disclosure process.

While both BlueHammer and RedSun are local privilege escalation (LPE) flaws impacting Microsoft Defender, UnDefend can be used to trigger a denial-of-service (DoS) condition and effectively block definition updates.

Microsoft moved to address BlueHammer as part of its Patch Tuesday updates released earlier this week. The vulnerability is being tracked under the CVE identifier CVE-2026-33825. However, the other two flaws do not have a fix as of writing.

In a series of posts shared on X, Huntress said it observed all three flaws being exploited in the wild, with BlueHammer being weaponized since April 10, 2026, followed by the use of RedSun and UnDefend proof-of-concept (PoC) exploits on April 16.

“These invocations followed after typical enumeration commands: whoami /priv, cmdkey /list, net group, and others that indicate hands-on-keyboard threat actor activity,” it added.

The cybersecurity vendor said it has taken steps to isolate the affected organization to prevent further post-exploitation. The Hacker News has reached out to Microsoft for comment, and we will update the story if we hear back.
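The enumeration commands quoted above (whoami /priv, cmdkey /list, net group) are a practical hunting pivot while two of the flaws remain unpatched. The following is an added example, not code from Huntress or Microsoft: it flags a host and user that run several of those commands within a short window. The event tuple layout, host names, user names, the five-minute window and the threshold are assumptions, and the sample records are constructed.

```python
import re
from datetime import datetime, timedelta

# Commands named in the Huntress quote. Patterns tolerate full paths, an
# .exe suffix and quoting, and require a separator before the binary name.
ENUM_PATTERNS = {
    "whoami /priv": re.compile(r'(?:^|[\\/\s"])whoami(?:\.exe)?"?\s+/priv\b', re.I),
    "cmdkey /list": re.compile(r'(?:^|[\\/\s"])cmdkey(?:\.exe)?"?\s+/list\b', re.I),
    "net group": re.compile(r'(?:^|[\\/\s"])net1?(?:\.exe)?"?\s+group\b', re.I),
}

def classify(cmdline):
    """Return the label of the enumeration command matched, or None."""
    for label, pattern in ENUM_PATTERNS.items():
        if pattern.search(cmdline):
            return label
    return None

def find_enum_bursts(events, window=timedelta(minutes=5), min_distinct=3):
    """Flag (host, user) pairs that run at least min_distinct different
    enumeration commands inside one sliding window.
    events: iterable of (iso_time, host, user, command_line) tuples."""
    hits = {}
    for ts, host, user, cmd in events:
        label = classify(cmd)
        if label:
            hits.setdefault((host, user), []).append((datetime.fromisoformat(ts), label))
    alerts = []
    for (host, user), seq in hits.items():
        seq.sort()
        start = 0
        for end in range(len(seq)):
            while seq[end][0] - seq[start][0] > window:
                start += 1  # drop events that fell out of the window
            seen = {label for _, label in seq[start:end + 1]}
            if len(seen) >= min_distinct:
                alerts.append({"host": host, "user": user, "first": seq[start][0],
                               "last": seq[end][0], "commands": sorted(seen)})
                break  # one alert per host/user is enough for triage
    return alerts

SAMPLE_EVENTS = [  # constructed process-creation records, not real telemetry
    ("2026-04-16T09:14:02", "WS-014", "jdoe", r"C:\Windows\System32\whoami.exe /priv"),
    ("2026-04-16T09:14:31", "WS-014", "jdoe", "cmdkey /list"),
    ("2026-04-16T09:15:10", "WS-014", "jdoe", "net group /domain"),
    ("2026-04-16T09:20:00", "WS-022", "asmith", "whoami /priv"),
    ("2026-04-16T11:45:00", "WS-022", "asmith", "net.exe group /domain"),
    ("2026-04-16T09:30:00", "WS-031", "svc_backup", "net localgroup administrators"),
]

if __name__ == "__main__":
    for alert in find_enum_bursts(SAMPLE_EVENTS):
        print(alert)
```

Each of these commands also has legitimate administrative uses, so treat a hit as a triage lead to correlate with what the same session launched next, not as proof of exploitation.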
