RedSun and UnDefend Exploits Leave Windows Defender Vulnerable; Patches Absent Weeks After BlueHammer Fix
Key Takeaways
- RedSun and UnDefend remain unpatched, with no CVE numbers assigned, despite confirmed real-world exploitation
- The three exploits form a coordinated attack chain that patches addressing only BlueHammer fail to contain
- Local privilege escalation attacks require only user-level shell access, not physical proximity, making enterprise exposure significantly higher than some public coverage suggests
Summary
A researcher operating under the aliases Nightmare-Eclipse and Chaotic Eclipse has disclosed three working exploits targeting Microsoft Defender within a 12-13 day period in April 2026. While the first exploit, BlueHammer, was patched under CVE-2026-33825 during the April Patch Tuesday cycle, two subsequent exploits—RedSun and UnDefend—remain unpatched with no CVE identifiers assigned and no official Microsoft remediation timeline. Security firm Huntress has confirmed all three exploits have been used in real-world intrusions.
The three exploits form a cohesive offensive workflow that escalates privileges, executes arbitrary code with SYSTEM rights, and disables Defender's detection capabilities. The BlueHammer patch addresses only the first component, leaving organizations that applied April updates still fully exposed to two-thirds of the toolkit. Contrary to some consumer media reporting, these exploits do not require physical access—they can be triggered by any user-level shell access, such as from phishing, malware downloads, or compromised VPN credentials.
Microsoft has issued no official patch timeline, and the next Patch Tuesday is weeks away from the disclosure date.
Editorial Opinion
The disclosure of RedSun and UnDefend represents a critical gap in Microsoft's vulnerability response infrastructure. While the company patched BlueHammer promptly, the existence of two related exploits with no CVE assignments or patches weeks after disclosure raises serious questions about coordinated disclosure practices and patch release cadence. Organizations should not wait for official patches before assessing their exposure to local privilege escalation risks through Defender itself.