Attackers exploit three Microsoft Defender zero-days, code-named BlueHammer, RedSun, and UnDefend, to gain elevated access.

Attackers are exploiting three recently disclosed zero-day flaws in Microsoft Defender to gain higher privileges on compromised systems. The vulnerabilities, called BlueHammer, RedSun, and UnDefend, were revealed by a researcher known as Chaotic Eclipse after criticizing Microsoft’s handling of the disclosure.

Chaotic Eclipse also published proof-of-concept code for the unpatched Windows bug.

BlueHammer and RedSun let attackers escalate privileges locally in Microsoft Defender. UnDefend instead triggers a denial-of-service, blocking security definition updates and weakening protection.

At this time, Microsoft has only fixed the BlueHammer flaw, tracked as CVE-2026-33825, but the others remain unpatched.

Huntress researchers reported attackers are exploiting the three Windows flaws to target systems, though the victims and attackers remain unknown.

Huntress said it saw real-world exploitation of all three flaws. Attackers used BlueHammer starting April 10, 2026, then followed with RedSun and UnDefend proof-of-concept exploits on April 16.

Researchers believe attackers are using public exploit code released online by Chaotic Eclipse.

Huntress said attackers started exploiting BlueHammer on April 10, 2026, then followed with RedSun and UnDefend proof-of-concept exploits on April 16.

When exploit code becomes publicly available, threat actors can quickly weaponize it in attacks in the wild.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Microsoft defender)

Microsoft today pushed software updates to fix a staggering 167 security vulnerabilities in its Windows operating systems and related software, including a SharePoint Server zero-day and a publicly disclosed weakness in Windows Defender dubbed “BlueHammer.” Separately, Google Chrome fixed its fourth zero-day of 2026, and an emergency update for Adobe Reader nixes an actively exploited flaw that can lead to remote code execution.

Redmond warns that attackers are already targeting CVE-2026-32201, a vulnerability in Microsoft SharePoint Server that allows attackers to spoof trusted content or interfaces over a network.

Mike Walters, president and co-founder of Action1, said CVE-2026-32201 can be used to deceive employees, partners, or customers by presenting falsified information within trusted SharePoint environments.

“This CVE can enable phishing attacks, unauthorized data manipulation, or social engineering campaigns that lead to further compromise,” Walters said. “The presence of active exploitation significantly increases organizational risk.”

Microsoft also addressed BlueHammer (CVE-2026-33825), a privilege escalation bug in Windows Defender. According to BleepingComputer, the researcher who discovered the flaw published exploit code for it after notifying Microsoft and growing exasperated with their response. Will Dormann, senior principal vulnerability analyst at Tharros, says he confirmed that the public BlueHammer exploit code no longer works after installing today’s patches.

Satnam Narang, senior staff research engineer at Tenable, said April marks the second-biggest Patch Tuesday ever for Microsoft. Narang also said there are indications that a zero-day flaw Adobe patched in an emergency update on April 11 — CVE-2026-34621 — has seen active exploitation since at least November 2025.

Adam Barnett, lead software engineer at Rapid7, called the patch total from Microsoft today “a new record in that category” because it includes nearly 60 browser vulnerabilities. Barnett said it might be tempting to imagine that this sudden spike was tied to the buzz around the announcement a week ago today of Project Glasswing — a much-hyped but still unreleased new AI capability from Anthropic that is reportedly quite good at finding bugs in a vast array of software.

But he notes that Microsoft Edge is based on the Chromium engine, and the Chromium maintainers acknowledge a wide range of researchers for the vulnerabilities which Microsoft republished last Friday.

“A safe conclusion is that this increase in volume is driven by ever-expanding AI capabilities,” Barnett said. “We should expect to see further increases in vulnerability reporting volume as the impact of AI models extend further, both in terms of capability and availability.”

Finally, no matter what browser you use to surf the web, it’s important to completely close out and restart the browser periodically. This is really easy to put off (especially if you have a bajillion tabs open at any time) but it’s the only way to ensure that any available updates get installed. For example, a Google Chrome update released earlier this month fixed 21 security holes, including the high-severity zero-day flaw CVE-2026-5281.

For a clickable, per-patch breakdown, check out the SANS Internet Storm Center Patch Tuesday roundup. Running into problems applying any of these updates? Leave a note about it in the comments below and there’s a decent chance someone here will pipe in with a solution.

A researcher released a working ‘BlueHammer’ Windows zero-day exploit that could impact over 1 billion devices, granting SYSTEM-level access and leaving no patch yet.

The post ‘BlueHammer’ Exploit Targets Windows, Potentially Impacting 1 Billion+ Devices appeared first on TechRepublic.

A researcher leaked the unpatched Windows zero-day “BlueHammer,” letting attackers gain SYSTEM rights; no patch exists yet.

A disgruntled researcher released the BlueHammer Windows zero-day, a privilege escalation flaw that allows attackers to gain SYSTEM or admin rights, Bleeping Computer reports.

The researcher privately reported the vulnerability to Microsoft but criticized the way the Microsoft’s Security Response Center (MSRC) managed the disclosure process. On April 3rd, the expert published the BlueHammer exploit on GitHub under the alias Nightmare-Eclipse. Microsoft hasn’t released a patch, so the flaw qualifies as a zero-day and leaves Windows systems open to potential attacks.

“I’m just really wondering what was the math behind their decision, like you knew this was going to happen and you still did whatever you did ? Are they serious ?” reads the description published in the Github repository hosting the BlueHammer vulnerability.

Nightmare-Eclipse pointed out that he inserted a few bugs in the PoC exploit code that could prevent it from working.

Popular cybersecurity experts Will Dormann confirmed that the BlueHammer exploit works. It’s a local privilege escalation (LPE) flaw combining TOCTOU and path confusion. The exploitation is not easy, however it can let a local attacker access the Security Account Manager (SAM) database with password hashes. With this access, attackers can escalate to SYSTEM privileges, potentially fully compromising the machine and spawning SYSTEM-level shells to control the system.

“There’s a new Windows 0day LPE that has been disclosed called BlueHammer [github.com]. The reporter suggests [deadeclipse666.blogspot.com] that it’s being disclosed due to how MSRC operates these days.” Dormann wrote on Mastodon. “MSRC used to be quite excellent to work with.
But to save money Microsoft fired the skilled people, leaving flowchart followers.
I wouldn’t be surprised if Microsoft closed the case after the reporter refused to submit a video of the exploit, since that’s apparently an MSRC requirement now.”

Even though BlueHammer needs local access, it poses a serious risk, attackers can reach the system via social engineering, stolen credentials, or by exploiting other vulnerabilities

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, BlueHammer)