Security researchers at Huntress are tracking active exploitation of three zero-day vulnerabilities in Microsoft Defender, two of which remain without an official patch. The flaws — internally codenamed BlueHammer, RedSun, and a third currently unnamed vulnerability — all enable local privilege escalation on compromised Windows systems, allowing attackers who have gained an initial foothold to rapidly escalate to SYSTEM-level access.
The warning comes less than a week after the April 2026 Patch Tuesday cycle, raising questions about Microsoft's vulnerability disclosure and patching cadence for its own flagship endpoint protection product.
The Three Vulnerabilities
BlueHammer
BlueHammer was publicly disclosed by a disgruntled security researcher who leaked proof-of-concept exploit code rather than following coordinated disclosure. The vulnerability enables an attacker with standard user privileges to escalate to SYSTEM by exploiting a flaw in Defender's kernel-level driver interaction.
Microsoft issued a patch for BlueHammer in the April 2026 Patch Tuesday batch. However, Huntress observed active exploitation of the flaw beginning approximately 18 hours after the patch was released — suggesting threat actors reverse-engineered the fix to reconstruct a working exploit.
Organizations that have not yet applied the April 2026 cumulative update remain fully exposed.
RedSun
RedSun was disclosed via a separate proof-of-concept that appeared on GitHub in early April 2026. The flaw exploits a race condition in Microsoft Defender's real-time protection scanning mechanism to write attacker-controlled data to a privileged process context.
RedSun currently has no patch. Microsoft has acknowledged the vulnerability and confirmed it is under active exploitation, but has not committed to an out-of-band patch schedule. The next regular Patch Tuesday is in May 2026.
Huntress reports observing RedSun exploitation attempts in customer telemetry beginning April 14, 2026.
Third Unnamed Vulnerability
A third Defender privilege escalation flaw — which Huntress has not yet publicly named — was identified through analysis of exploit toolkits recovered from compromised systems. The vulnerability appears to be a distinct code path from both BlueHammer and RedSun, suggesting threat actors have either independently discovered or purchased access to multiple Defender zero-days.
This vulnerability also has no patch. Microsoft has not yet publicly acknowledged it at the time of this writing.
Who Is Exploiting These Flaws?
Huntress has not publicly attributed the exploitation activity to a specific threat actor group. However, the combination of characteristics — rapid post-patch exploitation of BlueHammer and pre-patch exploitation of RedSun — suggests either a financially motivated threat actor with significant exploit development resources or access to a broker-supplied zero-day toolkit.
Privilege escalation flaws in endpoint protection software are particularly valuable to ransomware operators. Defender runs at a highly privileged level; compromising it enables attackers to:
- Disable real-time protection silently without triggering alerts
- Inject into protected processes for lateral movement
- Evade EDR detection by targeting the detection engine itself
- Achieve SYSTEM-level persistence before defenders can respond
Affected Versions
Microsoft has not published a comprehensive list of affected Defender versions. Based on Huntress telemetry, exploitation has been confirmed against:
- Windows 10 (versions 22H2 and earlier with unpatched cumulative updates)
- Windows 11 (all supported versions with unpatched cumulative updates)
- Windows Server 2019 and 2022 with Defender enabled
Enterprise deployments using Microsoft Defender for Endpoint (the cloud-connected EDR version) may receive additional telemetry-based detection, but are not immune to the underlying local privilege escalation if the endpoint itself is compromised.
Mitigation Guidance
Immediate Actions
- Apply the April 2026 Patch Tuesday cumulative update immediately — this patches BlueHammer and reduces the overall attack surface
- Enable Microsoft Defender tamper protection — prevents unauthorized modification of Defender settings from user-level processes
- Audit privileged process interactions — look for anomalous parent-child process relationships involving MsMpEng.exe (the Defender antimalware service)
- Restrict local user privileges — ensure end users do not run as local administrators, raising the bar for privilege escalation attacks
- Monitor for Defender service manipulation — alert on attempts to stop, disable, or modify Defender registry keys
Detection Queries
For environments using Microsoft Sentinel or Defender for Endpoint advanced hunting:
// Detect potential Defender privilege escalation attempts
DeviceProcessEvents
| where FileName =~ "MsMpEng.exe"
| where InitiatingProcessFileName !in~ ("services.exe", "wininit.exe", "svchost.exe")
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc
// Look for SYSTEM token impersonation following Defender process interaction
DeviceEvents
| where ActionType == "TokenPrivilegesAdjusted"
| where InitiatingProcessParentFileName =~ "MsMpEng.exe"
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessCommandLine
For Organizations Without Patch Control
If you cannot immediately deploy the April cumulative update (e.g., due to change control windows), consider:
- Isolate high-value targets — apply emergency patches to domain controllers, identity infrastructure, and backup systems first
- Increase EDR alerting sensitivity — temporarily lower detection thresholds for privilege escalation behaviors
- Enable Attack Surface Reduction rules — several ASR rules limit the techniques used in post-exploitation activity
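The two hunting queries in the Detection Queries section, re-expressed as an added Python example (not Huntress or Microsoft code) that runs offline over a constructed JSON-lines export shaped like DeviceProcessEvents and DeviceEvents rows; the final correlation step, which flags a device where both rules fire within a short window, goes beyond the page's queries.

```python
"""Offline triage mirroring the two hunting queries above. Added example, not
Huntress or Microsoft code; records below are constructed, not real telemetry."""
import json
from datetime import datetime

EXPECTED_DEFENDER_PARENTS = {"services.exe", "wininit.exe", "svchost.exe"}  # service stack

# Constructed JSON-lines export shaped like DeviceProcessEvents / DeviceEvents rows.
SAMPLE_EXPORT = r"""
{"Table":"DeviceProcessEvents","Timestamp":"2026-04-14T09:00:01Z","DeviceName":"ws01","FileName":"MsMpEng.exe","InitiatingProcessFileName":"services.exe","InitiatingProcessCommandLine":"C:\\Windows\\System32\\services.exe"}
{"Table":"DeviceProcessEvents","Timestamp":"2026-04-14T09:05:44Z","DeviceName":"ws02","FileName":"MsMpEng.exe","InitiatingProcessFileName":"update.exe","InitiatingProcessCommandLine":"C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe"}
{"Table":"DeviceEvents","Timestamp":"2026-04-14T09:05:45Z","DeviceName":"ws02","ActionType":"TokenPrivilegesAdjusted","InitiatingProcessParentFileName":"MsMpEng.exe","InitiatingProcessAccountName":"jdoe","InitiatingProcessCommandLine":"cmd.exe /c whoami"}
{"Table":"DeviceEvents","Timestamp":"2026-04-14T09:06:00Z","DeviceName":"ws01","ActionType":"TokenPrivilegesAdjusted","InitiatingProcessParentFileName":"svchost.exe","InitiatingProcessAccountName":"SYSTEM","InitiatingProcessCommandLine":"backup.exe"}
"""

def load_events(export_text):
    return [json.loads(l) for l in export_text.splitlines() if l.strip()]

def _ts(event):  # ISO-8601 "Z" timestamp -> timezone-aware datetime
    return datetime.fromisoformat(event["Timestamp"].replace("Z", "+00:00"))

def defender_unexpected_parent(events):
    """Query 1: MsMpEng.exe launched by something other than the service stack."""
    return [e for e in events if e.get("Table") == "DeviceProcessEvents"
            and e.get("FileName", "").lower() == "msmpeng.exe"
            and e.get("InitiatingProcessFileName", "").lower() not in EXPECTED_DEFENDER_PARENTS]

def token_adjust_under_defender(events):
    """Query 2: privilege adjustment by a process whose parent is MsMpEng.exe."""
    return [e for e in events if e.get("Table") == "DeviceEvents"
            and e.get("ActionType") == "TokenPrivilegesAdjusted"
            and e.get("InitiatingProcessParentFileName", "").lower() == "msmpeng.exe"]

def triage(export_text):
    """Run both rules; findings are (rule, event) tuples, newest first like the KQL."""
    events = load_events(export_text)
    found = [("unexpected_parent", e) for e in defender_unexpected_parent(events)]
    found += [("token_adjust", e) for e in token_adjust_under_defender(events)]
    return sorted(found, key=lambda f: _ts(f[1]), reverse=True)

def correlated_devices(findings, window_seconds=300):
    """Devices where both rules fire within window_seconds: an odd MsMpEng.exe
    parent followed by token work under it is a stronger signal than either alone."""
    per_device = {}
    for rule, e in findings:
        per_device.setdefault(e["DeviceName"], {}).setdefault(rule, []).append(_ts(e))
    return {dev for dev, rules in per_device.items()
            for a in rules.get("unexpected_parent", [])
            for b in rules.get("token_adjust", [])
            if abs((a - b).total_seconds()) <= window_seconds}
```

Point `triage` at a real advanced-hunting export (one JSON object per line) to review findings offline; `correlated_devices` is the list to escalate first.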
The Broader Problem: Defender as an Attack Surface
These three disclosures highlight a growing trend: endpoint protection software itself has become a high-value target. Security vendors have increasingly become attractive targets precisely because their software operates at the highest privilege levels, often with kernel access.
In 2025, similar zero-day chains were disclosed against CrowdStrike Falcon and SentinelOne agents. The pattern suggests that sophisticated threat actors are actively researching endpoint protection software for exploitable flaws rather than treating it as a defensive barrier.
Microsoft has not announced any changes to its Defender security testing or bug disclosure processes in response to the BlueHammer leak incident, which many in the security community cited as a case study in responsible disclosure failures.
What to Watch
Huntress has indicated it will publish a full technical report once patches are available for all three vulnerabilities. Until then, organizations should treat any anomalous Defender process activity as a potential indicator of compromise.
Microsoft's Security Response Center (MSRC) acknowledged the RedSun and unnamed vulnerabilities but has not confirmed a timeline for out-of-band patches.
Sources: The Hacker News, Huntress Security Research, Microsoft MSRC