Overview
Security firm Huntress is sounding the alarm over three actively exploited zero-day vulnerabilities in Microsoft Defender, Microsoft's built-in endpoint protection platform. The flaws — internally codenamed BlueHammer, RedSun, and a third undisclosed vulnerability — allow attackers with standard user access to escalate privileges on compromised Windows systems.
As of April 17, 2026, two of the three vulnerabilities remain unpatched, leaving a significant window of exposure across Windows environments globally.
The Three Vulnerabilities
BlueHammer
The BlueHammer vulnerability leverages a flaw in Microsoft Defender's real-time protection engine to execute arbitrary code with SYSTEM privileges. Huntress notes that the full technical write-up is available only to logged-in GitHub users, which it reads as a sign that coordinated disclosure with Microsoft is still under way. Leaked exploit code for the flaw had already surfaced in early April 2026, so attackers did not need that write-up to weaponize it.
RedSun
RedSun targets the Microsoft Defender antimalware service executable (MsMpEng.exe). By winning a race condition in the service's file quarantine logic, an attacker can redirect the quarantine operation so that the service, which runs as SYSTEM, overwrites an arbitrary file with attacker-controlled content. An arbitrary file write by a SYSTEM service is a well-understood primitive for full privilege escalation. Huntress confirmed active exploitation of RedSun in the wild.
Third Unidentified Flaw
A third vulnerability has been reported by Huntress but details remain limited pending further disclosure coordination with Microsoft. Active exploitation has been observed alongside BlueHammer and RedSun in multi-stage attack chains.
Active Exploitation
Huntress researchers have observed threat actors chaining these Defender zero-days as post-exploitation tools following initial access via phishing or vulnerability exploitation. The privilege escalation achieved enables attackers to:
- Disable endpoint detection and response (EDR) tools
- Establish persistent SYSTEM-level backdoors
- Laterally move across enterprise networks with elevated credentials
The attacks have been observed targeting enterprise environments across North America and Europe, with particular focus on organizations running unmanaged Windows 11 endpoints.
Microsoft Response
Microsoft has acknowledged the reports but, as of this writing, has issued a patch for only one of the three vulnerabilities (RedSun, by elimination). The company has indicated that patches for BlueHammer and the third, still unidentified flaw are in development, with no specific timeline provided.
A Microsoft spokesperson stated: "We are aware of the reports and are working to address the remaining issues as quickly as possible. We encourage customers to apply available updates immediately."
Recommendations
Given that two vulnerabilities remain unpatched, organizations should take the following interim mitigations:
- Apply available patches immediately: install all pending Windows and Microsoft Defender updates through Windows Update, then confirm the installed antimalware platform and engine versions (Get-MpComputerStatus reports both) so that endpoints that silently failed to update are not mistaken for patched ones.
- Enable attack surface reduction (ASR) rules: ASR rules are enforced by Defender itself and do not close these flaws, but they narrow the phishing and script-driven initial-access paths that precede the escalation. Roll new rules out in audit mode first so that legitimate workflows are not broken.
- Monitor for privilege escalation: review process-creation telemetry (Windows Security event 4688, Sysmon Event ID 1) for SYSTEM-level processes whose parent runs under an ordinary user account, and alert on attempts to stop or tamper with the Defender service and its files.
- Restrict local administrator accounts: apply the principle of least privilege and remove unnecessary local admin rights. This does not stop these bugs, which start from standard user access, but it limits what else an attacker can reach before and after the escalation.
- Deploy additional EDR coverage: where Defender is the sole protection layer, consider an independent endpoint sensor, since the component being exploited is the one that would otherwise be expected to report the attack.
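The monitoring recommendation above, as an added example that is not Huntress's or Microsoft's detection logic: a Python script that scans Sysmon Event ID 1 (process creation) records exported as JSON lines and flags SYSTEM-level processes whose parent process ran under a non-privileged account. Because older Sysmon builds do not emit a ParentUser field, the script first records which account each ProcessGuid runs under and resolves the parent's account from that map. The log lines are constructed for this example; the field names follow Sysmon's, and the privileged account names assume an English-language Windows install.

```python
"""Flag process-creation events in which a SYSTEM-level process was spawned
by a process running in an ordinary user session.

Input: Sysmon events exported as JSON lines, one event per line.
"""
import json
from typing import Iterable, Optional

# Accounts that legitimately own privileged processes (stored upper-case for
# case-insensitive comparison). Assumes English-language account names.
PRIVILEGED_ACCOUNTS = {
    "NT AUTHORITY\\SYSTEM",
    "NT AUTHORITY\\LOCAL SERVICE",
    "NT AUTHORITY\\NETWORK SERVICE",
}

# Constructed sample log for the example. Only the fifth event is suspicious:
# cmd.exe runs as SYSTEM although its parent (powershell.exe) runs as CORP\alice.
# regedit.exe launched by svchost.exe is a normal UAC elevation and is not flagged.
SAMPLE_LOG = r"""
{"EventID": 1, "ProcessGuid": "{A1}", "Image": "C:\\Windows\\System32\\svchost.exe", "User": "NT AUTHORITY\\SYSTEM", "ParentProcessGuid": "{S0}", "ParentImage": "C:\\Windows\\System32\\services.exe"}
{"EventID": 1, "ProcessGuid": "{B1}", "Image": "C:\\Windows\\explorer.exe", "User": "CORP\\alice", "ParentProcessGuid": "{U0}", "ParentImage": "C:\\Windows\\System32\\userinit.exe"}
{"EventID": 1, "ProcessGuid": "{B2}", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "User": "CORP\\alice", "ParentProcessGuid": "{B1}", "ParentImage": "C:\\Windows\\explorer.exe"}
{"EventID": 1, "ProcessGuid": "{A2}", "Image": "C:\\Windows\\regedit.exe", "User": "CORP\\alice", "ParentProcessGuid": "{A1}", "ParentImage": "C:\\Windows\\System32\\svchost.exe"}
{"EventID": 1, "ProcessGuid": "{B3}", "Image": "C:\\Windows\\System32\\cmd.exe", "User": "NT AUTHORITY\\SYSTEM", "ParentProcessGuid": "{B2}", "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"}
{"EventID": 3, "ProcessGuid": "{B3}", "Image": "C:\\Windows\\System32\\cmd.exe", "User": "NT AUTHORITY\\SYSTEM"}
this line is not JSON and is skipped
"""


def is_privileged(account: Optional[str]) -> bool:
    """True if the account is one of the built-in privileged service accounts."""
    return bool(account) and account.upper() in PRIVILEGED_ACCOUNTS


def parse_events(lines: Iterable[str]) -> list[dict]:
    """Parse JSON-lines input, silently skipping blank or malformed lines."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(event, dict):
            events.append(event)
    return events


def find_escalations(lines: Iterable[str]) -> list[dict]:
    """Return process-creation events where a privileged child has a
    non-privileged parent, i.e. SYSTEM-level process creation from a user session."""
    events = parse_events(lines)

    # Pass 1: which account does each process (by ProcessGuid) run under?
    owner = {
        e["ProcessGuid"]: e["User"]
        for e in events
        if e.get("EventID") == 1 and "ProcessGuid" in e and "User" in e
    }

    # Pass 2: privileged child, non-privileged parent.
    hits = []
    for e in events:
        if e.get("EventID") != 1 or not is_privileged(e.get("User")):
            continue
        # Prefer Sysmon's own ParentUser field when present; otherwise resolve
        # the parent's account from its earlier process-creation event.
        parent_user = e.get("ParentUser") or owner.get(e.get("ParentProcessGuid"))
        if parent_user is None:
            continue  # parent started before the log window; cannot judge it
        if is_privileged(parent_user):
            continue
        hits.append({
            "Image": e.get("Image", ""),
            "User": e["User"],
            "ParentImage": e.get("ParentImage", ""),
            "ParentUser": parent_user,
        })
    return hits


if __name__ == "__main__":
    for hit in find_escalations(SAMPLE_LOG.splitlines()):
        print(f"ALERT: {hit['Image']} as {hit['User']} "
              f"spawned by {hit['ParentImage']} running as {hit['ParentUser']}")
```

In a SIEM this is a single join of the child's account against the parent's, which is why keeping ProcessGuid in the exported events matters: without it, and without ParentUser, the parent's account cannot be recovered and the rule degrades to alerting on every SYSTEM process. Expect to add site-specific exclusions for tools that legitimately launch SYSTEM children from user sessions.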
References
- The Hacker News: Three Microsoft Defender Zero-Days Actively Exploited
- Huntress Threat Intelligence
- Microsoft Security Response Center