Huntress is warning that menace actors are exploiting three not too long ago disclosed safety flaws in Microsoft Defender to achieve elevated privileges in compromised techniques.
The exercise includes the exploitation of three vulnerabilities which can be codenamed BlueHammer (requires GitHub sign-in), RedSun, and UnDefend, all of which have been launched as zero-days by a researcher often called Chaotic Eclipse (aka Nightmare-Eclipse) in response to Microsoft’s dealing with of the vulnerability disclosure course of.
Whereas each BlueHammer and RedSun are native privilege escalation (LPE) flaws impacting Microsoft Defender, UnDefend can be utilized to set off a denial-of-service (DoS) situation and successfully block definition updates.
Microsoft moved to deal with BlueHammer as a part of its Patch Tuesday updates launched earlier this week. The vulnerability is being tracked underneath the CVE identifier CVE-2026-33825. Nonetheless, the opposite flaws should not have a repair as of writing.
In a collection of posts shared on X, Huntress stated it noticed all three flaws being exploited within the wild, with BlueHammer being weaponized since April 10, 2026, adopted by way of RedSun and UnDefend proof-of-concept (PoC) exploits on April 16.
“These invocations adopted after typical enumeration instructions: whoami /priv, cmdkey /listing, web group, and others that point out hands-on-keyboard menace actor exercise,” it added.
The cybersecurity vendor stated it has taken steps to isolate the affected group to forestall additional post-exploitation. The Hacker Information has reached out to Microsoft for remark, and we’ll replace the story if we hear again.
