Tucson News Plus


Researcher drops two more Microsoft Defender zero-days, all three now exploited in the wild

Apr 21, 2026  Twila Rosenbaum

A security researcher has published proof-of-concept (PoC) exploits for two more zero-day vulnerabilities in Microsoft Defender, adding to a flaw disclosed earlier this month. The researcher, who posts under the handles Chaotic Eclipse and Nightmare Eclipse, first released a PoC for a Defender privilege escalation vulnerability, dubbed BlueHammer, in early April 2026. The two new disclosures are 'RedSun', another privilege escalation exploit, and 'UnDefend', which lets a standard (non-administrative) user stop Microsoft Defender from receiving signature updates or disable it entirely while a major update is in progress.

According to Huntress researchers, all three exploitation techniques have been used in the wild by at least one threat actor, turning what began as a disclosure dispute into an active threat to Defender deployments.

The Newly Disclosed Exploits

Chaotic Eclipse released the BlueHammer PoC on April 3 after a failed attempt to disclose the vulnerability through the Microsoft Security Response Center. On April 14, Microsoft shipped security updates for that first vulnerability, tracked as CVE-2026-33825. Notably, the researchers credited with reporting the initial flaw, Zen Dodd and Yuanpei Xu, are not the same person as Nightmare Eclipse.

On April 16, the anonymous researcher published the RedSun and UnDefend PoCs to the same GitHub repository, which remains online despite Microsoft's warnings about the risks the vulnerabilities pose. Vulnerability analyst Will Dormann has confirmed that the RedSun PoC works as advertised.

Exploitation Observed in the Wild

Huntress researchers report that they first saw the BlueHammer exploit on April 10, when Windows Defender blocked it. On April 16 they observed the RedSun and UnDefend PoCs in use. The attacker dropped the exploit files into the user's Pictures and Downloads folders, renaming them to avoid drawing attention. Before running the exploits, the attacker executed commands to enumerate the current user's privileges, access stored credentials, and map the Active Directory environment.
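Given what UnDefend is described as doing (a standard user blocking signature updates or disabling Defender), and the Huntress observation that Defender blocked BlueHammer on April 10, the practical question for a defender is whether Defender on each endpoint is still running, tamper-protected and current. The following health check is an added example written for this page, not code from the article, from Huntress, or from the researcher's repository. The 24-hour signature-age threshold is an assumption to tune to local policy, and the event IDs queried are drawn from Defender's own Operational log (update failure, real-time protection disabled, tamper protection blocked a change), not from anything the article states:

```powershell
# Added example: Defender health check for hosts that may have been hit by an
# UnDefend-style attack (signature updates blocked, protection disabled).
# Assumptions (not from the article): 24 h signature-age threshold; event IDs
# 2001/5001/5013 from the Microsoft-Windows-Windows Defender/Operational log.

function Test-DefenderHealth {
    [CmdletBinding()]
    param(
        # Signatures older than this are flagged as stale (assumed threshold).
        [int]$MaxSignatureAgeHours = 24,
        # How far back to look for suspicious Defender events.
        [int]$LookbackHours = 72
    )

    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference

    $findings = New-Object System.Collections.Generic.List[string]

    if (-not $status.AMServiceEnabled)          { $findings.Add('Antimalware service is not running') }
    if (-not $status.RealTimeProtectionEnabled) { $findings.Add('Real-time protection is disabled') }
    if ($pref.DisableRealtimeMonitoring)        { $findings.Add('DisableRealtimeMonitoring preference is set') }
    if (-not $status.IsTamperProtected)         { $findings.Add('Tamper Protection is off') }

    # A user who can stop signature updates leaves a visibly ageing signature set.
    $sigAge = (Get-Date) - $status.AntivirusSignatureLastUpdated
    if ($sigAge.TotalHours -gt $MaxSignatureAgeHours) {
        $findings.Add(("Signatures are {0:N1} h old (version {1})" -f $sigAge.TotalHours, $status.AntivirusSignatureVersion))
    }

    # Defender Operational log: 2001 = security intelligence update failed,
    # 5001 = real-time protection disabled, 5013 = Tamper Protection blocked a change.
    $since  = (Get-Date).AddHours(-$LookbackHours)
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 2001, 5001, 5013
        StartTime = $since
    } -ErrorAction SilentlyContinue   # "no events found" is not an error here

    foreach ($e in $events) {
        $findings.Add(("Event {0} at {1}: {2}" -f $e.Id, $e.TimeCreated, ($e.Message -split "`n")[0]))
    }

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        PlatformVersion     = $status.AMProductVersion
        EngineVersion       = $status.AMEngineVersion
        SignatureVersion    = $status.AntivirusSignatureVersion
        SignatureLastUpdate = $status.AntivirusSignatureLastUpdated
        Healthy             = ($findings.Count -eq 0)
        Findings            = $findings
    }
}

# Usage: run in an elevated PowerShell session on the host; for a fleet, invoke it
# remotely and pipe the objects to Export-Csv so stale or disabled hosts stand out.
Test-DefenderHealth | Format-List
```

The check deliberately reads both the live status (Get-MpComputerStatus) and the event log: a host where Defender has quietly been re-enabled after a window of exposure looks healthy in the former but still shows the 5001 or 2001 events in the latter. Platform and engine versions are reported rather than compared against a fixed value, since the article does not state which build carries the fix.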

In response, Huntress isolated the affected organization's systems to limit further post-exploitation activity. The situation now rests with Microsoft, which faces pressure to respond quickly; with the next scheduled Patch Tuesday several weeks away, an out-of-band emergency update appears to be the most likely remedy.

Cybersecurity experts are urging users to apply the latest security updates; the April 14 updates address CVE-2026-33825 but not RedSun or UnDefend. Given what UnDefend does, organizations should also confirm that Defender on their endpoints is still running and receiving signature updates rather than assuming it is.



Source: Help Net Security News

