
There are three serious security holes in Microsoft Defender that bad guys are using to break into computers. One of them has been fixed, but the other two are still open, which means people need to be extra careful until they get patched.
The Flaw
The recent vulnerabilities affecting Microsoft Defender are codenamed BlueHammer, RedSun, and UnDefend. The first, BlueHammer, is a privilege escalation flaw that has already been patched by Microsoft under CVE-2026-33825. However, the other two vulnerabilities, RedSun and UnDefend, remain unpatched and are actively being exploited by threat actors.
What's at Risk
BlueHammer allows attackers to gain elevated privileges on compromised systems, while RedSun similarly enables local privilege escalation. UnDefend poses a unique risk as it can block Microsoft Defender from receiving crucial signature updates, effectively disabling the antivirus software and creating a denial-of-service (DoS) condition.
Patch Status
Microsoft has addressed the BlueHammer vulnerability in its latest Patch Tuesday updates, but as of now, RedSun and UnDefend have not received fixes. Given their potential for exploitation, fixes for these two vulnerabilities are urgently needed.
Immediate Actions
Organizations are urged to monitor their systems closely for any signs of exploitation, particularly since Huntress has reported active use of these exploits. Users should ensure their Microsoft Defender is up to date with the latest patches and consider implementing additional security measures to mitigate risks until fixes are released. Furthermore, it is advisable to conduct thorough audits of user privileges and system configurations to minimize the potential impact of these vulnerabilities.
Threat Actor Activity
Huntress researchers have observed that attackers are employing enumeration commands such as whoami /priv, cmdkey /list, and net group to gather information about user privileges before launching the exploits. This indicates a hands-on-keyboard approach by threat actors, emphasizing the need for vigilance in monitoring user activity and system integrity.
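The hands-on-keyboard reconnaissance described above (whoami /priv, cmdkey /list, net group) is something defenders can hunt for in process-creation telemetry. The script below is an added example, not code from the article or from Huntress: it scans a constructed batch of process-creation events (field names modelled loosely on Sysmon Event ID 1 / Security 4688, hosts, users and timestamps invented) and raises an alert when one user on one host runs two or more distinct enumeration commands within a ten-minute window. The window, the threshold and the command-line normalisation are assumptions chosen for illustration.

```python
"""Flag (host, user) pairs that run several privilege/credential enumeration
commands in a short window: the reconnaissance pattern reported ahead of the
Defender exploits."""
from collections import defaultdict
from datetime import datetime, timedelta

# Enumeration commands named in the article; label -> (program, required argument).
ENUM_PATTERNS = {
    "whoami_priv": ("whoami", "/priv"),
    "cmdkey_list": ("cmdkey", "/list"),
    "net_group": ("net", "group"),
}

# Constructed sample events (not real telemetry). Hosts, users and times are invented.
SAMPLE_EVENTS = [
    {"ts": "2026-04-14T09:12:01", "host": "WS01", "user": "CORP\\jdoe", "cmd": "whoami /priv"},
    {"ts": "2026-04-14T09:12:07", "host": "WS01", "user": "CORP\\jdoe", "cmd": "cmdkey /list"},
    {"ts": "2026-04-14T09:12:40", "host": "WS01", "user": "CORP\\jdoe", "cmd": 'net group "Domain Admins" /domain'},
    {"ts": "2026-04-14T09:13:02", "host": "WS01", "user": "CORP\\jdoe", "cmd": "C:\\Windows\\System32\\notepad.exe"},
    # Same two commands hours apart on another host: below the window, so no alert.
    {"ts": "2026-04-14T10:00:00", "host": "WS02", "user": "CORP\\asmith", "cmd": "whoami /priv"},
    {"ts": "2026-04-14T14:30:00", "host": "WS02", "user": "CORP\\asmith", "cmd": "net group"},
]


def classify(cmd):
    """Return the enumeration label matching a command line, or None.

    Normalisation (assumed): lower-case, strip the directory and a trailing
    .exe from the program name, then look for the required argument token.
    """
    tokens = cmd.lower().split()
    if len(tokens) < 2:
        return None
    exe = tokens[0].rsplit("\\", 1)[-1]
    if exe.endswith(".exe"):
        exe = exe[:-4]
    for label, (prog, arg) in ENUM_PATTERNS.items():
        if exe == prog and arg in tokens[1:]:
            return label
    return None


def find_recon_clusters(events, window=timedelta(minutes=10), min_distinct=2):
    """Group classified events per (host, user) and emit one alert per actor
    whose first qualifying window contains >= min_distinct distinct labels."""
    by_actor = defaultdict(list)
    for ev in events:
        label = classify(ev["cmd"])
        if label:
            by_actor[(ev["host"], ev["user"])].append(
                (datetime.fromisoformat(ev["ts"]), label, ev["cmd"])
            )

    alerts = []
    for (host, user), hits in by_actor.items():
        hits.sort()  # chronological; tuples sort on the datetime first
        for i, (t0, _, _) in enumerate(hits):
            in_window = [h for h in hits[i:] if h[0] - t0 <= window]
            labels = {h[1] for h in in_window}
            if len(labels) >= min_distinct:
                alerts.append({
                    "host": host,
                    "user": user,
                    "start": t0.isoformat(),
                    "commands": sorted(labels),
                    "raw": [h[2] for h in in_window],
                })
                break  # one alert per actor is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in find_recon_clusters(SAMPLE_EVENTS):
        print(f"[ALERT] {alert['host']} {alert['user']} at {alert['start']}: "
              f"{', '.join(alert['commands'])}")
```

Run against the sample, the script alerts on WS01/jdoe (three distinct enumeration commands in 39 seconds) and stays quiet on WS02/asmith, whose two commands fall outside the window. In production the same logic would sit over a SIEM or EDR process-creation feed, and the alert should be paired with a check of Defender's own health on the host, since UnDefend is reported to block signature updates.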
The ongoing exploitation of these zero-days highlights the critical need for timely vulnerability disclosures and patches. Organizations should not only rely on Microsoft Defender but also implement layered security strategies to protect against potential breaches.