A critical security situation has emerged involving Microsoft Defender, as threat actors have begun weaponizing three recently disclosed zero-day vulnerabilities. The flaws, which were released publicly by a researcher known as Chaotic Eclipse (or Nightmare-Eclipse), stem from a dispute over Microsoft’s vulnerability disclosure protocols. While Microsoft has addressed one of the issues in its most recent update cycle, two remaining vulnerabilities continue to pose a significant risk to unpatched systems.
The Origin of the ‘Chaotic’ Disclosures
The vulnerabilities—codenamed BlueHammer, RedSun, and UnDefend—entered the public domain as zero-days after the researcher expressed dissatisfaction with Microsoft’s handling of the reporting process. This unconventional release provided threat actors with an immediate window of opportunity. Security firm Huntress has confirmed that these flaws are not merely theoretical; they have been observed in active, hands-on-keyboard attacks since early April 2026.
Technical Breakdown: Escalation and Denial of Service
The three vulnerabilities target different aspects of the Defender ecosystem, ranging from privilege elevation to the disruption of security updates. Security analysts have categorized the risks as follows:
- BlueHammer (CVE-2026-33825): A local privilege escalation (LPE) flaw that allows an attacker with limited access to gain higher-level permissions on a compromised host.
- RedSun: Another LPE vulnerability that remains unpatched, enabling attackers to elevate their control over the targeted environment.
- UnDefend: A Denial-of-Service (DoS) exploit that effectively neutralizes Defender’s ability to receive and apply new security definitions, leaving the system blind to emerging threats.
Observation of Hands-on-Keyboard Activity
According to telemetry from Huntress, the exploitation of BlueHammer began as early as April 10, 2026. By April 16, proof-of-concept exploits for RedSun and UnDefend were also seen in use. Attackers have been observed using typical enumeration commands such as whoami /priv and net group immediately following the exploitation of these flaws. This behavior indicates that the vulnerabilities are being used as a foothold for deeper lateral movement within enterprise networks.
Current Patch Status and Recommendations
As of the latest reports, Microsoft has officially patched the BlueHammer vulnerability via CVE-2026-33825 in the recent Patch Tuesday updates. However, RedSun and UnDefend do not currently have an official fix. Microsoft has stated they are committed to investigating reported issues and protecting customers, but they continue to emphasize the importance of coordinated vulnerability disclosure to prevent such zero-day scenarios. Organizations are advised to monitor their endpoint logs for unusual privilege escalation activity and isolate high-risk systems until full remediation is available.
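The two observable symptoms the article gives defenders, an enumeration burst (whoami /priv, net group) right after exploitation and Defender falling behind on definition updates after UnDefend, can both be checked from ordinary endpoint telemetry. The following is an added example written for this page, not code from Huntress, Microsoft or the researcher: it runs over constructed Windows process-creation records (4688-style fields) and a constructed table of per-host signature timestamps. The thresholds (five-minute burst window, two-day signature age) and all sample values are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample process-creation events (4688-style fields); not real telemetry.
SAMPLE_EVENTS = [
    {"time": "2026-04-10T09:12:03", "host": "WS-014", "user": "CORP\\jdoe",
     "cmd": "C:\\Windows\\System32\\whoami.exe /priv"},
    {"time": "2026-04-10T09:12:41", "host": "WS-014", "user": "CORP\\jdoe",
     "cmd": 'net group "Domain Admins" /domain'},
    {"time": "2026-04-10T09:13:05", "host": "WS-014", "user": "CORP\\jdoe",
     "cmd": "C:\\Windows\\System32\\ipconfig.exe /all"},
    # Single group lookup by helpdesk staff, no whoami nearby: below threshold.
    {"time": "2026-04-10T11:40:17", "host": "SRV-DB01", "user": "CORP\\helpdesk",
     "cmd": "net group /domain"},
    # Hours later on the same host/user: outside the burst window.
    {"time": "2026-04-10T14:02:55", "host": "SRV-DB01", "user": "CORP\\helpdesk",
     "cmd": "whoami.exe /priv"},
]

# Constructed last-definition-update times per host (assumed format, ISO 8601).
SAMPLE_SIGNATURES = {
    "WS-014": "2026-04-10T06:30:00",
    "SRV-DB01": "2026-04-16T22:15:00",
}

# (executable name, argument) pairs that mark the enumeration commands named in the article.
ENUM_COMMANDS = (("whoami", "/priv"), ("net", "group"), ("net1", "group"))


def is_enum_command(cmd: str) -> bool:
    """True if the command line is one of the enumeration commands of interest."""
    tokens = cmd.lower().split()
    if len(tokens) < 2:
        return False
    exe = tokens[0].rsplit("\\", 1)[-1]  # strip any directory prefix
    if exe.endswith(".exe"):
        exe = exe[:-4]
    return any(exe == name and arg in tokens[1:] for name, arg in ENUM_COMMANDS)


def find_enum_bursts(events, window=timedelta(minutes=5), min_commands=2):
    """Group enumeration commands per (host, user) and report clusters where
    consecutive commands are no more than `window` apart and the cluster holds
    at least `min_commands`. Returns a list of burst records."""
    by_actor = defaultdict(list)
    for ev in events:
        if is_enum_command(ev["cmd"]):
            by_actor[(ev["host"], ev["user"])].append(
                (datetime.fromisoformat(ev["time"]), ev["cmd"]))

    bursts = []

    def emit(host, user, cluster):
        if len(cluster) >= min_commands:
            bursts.append({"host": host, "user": user,
                           "first": cluster[0][0].isoformat(),
                           "last": cluster[-1][0].isoformat(),
                           "commands": [c for _, c in cluster]})

    for (host, user), cmds in by_actor.items():
        cmds.sort()
        cluster = [cmds[0]]
        for prev, cur in zip(cmds, cmds[1:]):
            if cur[0] - prev[0] <= window:
                cluster.append(cur)
            else:
                emit(host, user, cluster)
                cluster = [cur]
        emit(host, user, cluster)
    return bursts


def stale_signature_hosts(signatures, now: str, max_age=timedelta(days=2)):
    """Hosts whose last Defender definition update is older than `max_age`,
    the symptom an UnDefend-style update block would produce. Sorted list."""
    now_dt = datetime.fromisoformat(now)
    return sorted(host for host, ts in signatures.items()
                  if now_dt - datetime.fromisoformat(ts) > max_age)


if __name__ == "__main__":
    for b in find_enum_bursts(SAMPLE_EVENTS):
        print(f"enumeration burst on {b['host']} by {b['user']}: {b['commands']}")
    for host in stale_signature_hosts(SAMPLE_SIGNATURES, "2026-04-17T08:00:00"):
        print(f"stale Defender definitions on {host}")
```

On the sample data the burst detector flags WS-014 (whoami /priv followed 38 seconds later by net group) and ignores SRV-DB01, where the two commands are hours apart; the signature check flags WS-014 only. A single net group or whoami /priv is routine administrator activity, so the clustering threshold, not the individual command, carries the signal; tune the window and minimum count against your own baseline before alerting on it.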
In conclusion, the exploitation of these Defender zero-days highlights the ongoing tension between independent researchers and major software vendors. With two of the three flaws still lacking a patch, administrators must remain vigilant and prioritize the deployment of existing updates to mitigate at least one of the primary attack vectors.