Last updated: May 14, 2026 at 10:49 AM UTC

Two Windows Defender zero-days that disable the antivirus are still unpatched two weeks after a researcher leaked them - attackers now chaining them with custom malware

Update on the Windows Defender zero-day situation: Huntress now confirms attackers are chaining the three flaws leaked April 3 by a researcher called 'Chaotic Eclipse' to deploy a custom tunneling agent named 'BeigeBurrow' on victim systems. Microsoft patched one of the three (BlueHammer, CVE-2026-33825) on April 14, but the other two are still unpatched two weeks later: RedSun lets attackers gain SYSTEM privileges even on patched machines, and UnDefend stops Defender from receiving signature updates - effectively turning off the antivirus. CISA gave federal agencies until May 6 to deploy the BlueHammer patch.

Check
Verify every Windows endpoint has the April 14 patch installed, and treat any host where Defender hasn't received signature updates in over 48 hours as suspicious.
Affected
Windows 10, Windows 11, and Windows Server 2019 and later with Defender enabled. The April 14 patch closes only BlueHammer (CVE-2026-33825); RedSun (privilege escalation, no patch) and UnDefend (Defender update blocker, no patch) still affect every Windows endpoint regardless of patch status. Hands-on-keyboard exploitation is now confirmed in the wild.
Fix
Deploy the April 14 patch to every Windows endpoint and verify with MDM rather than trusting WSUS compliance numbers. Alert when a host's Defender signatures fall more than 48 hours out of date - that's the UnDefend tell. Watch for the enumeration commands Huntress documented on workstations: 'whoami /priv', 'cmdkey /list', 'net group' are unusual outside admin tooling. Block known BeigeBurrow command-and-control IPs.
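An added example, not from the article or from Huntress, of how an administrator might automate the Check and Fix guidance above on a single host in PowerShell. The KB identifier for the April 14 patch is a placeholder the page does not give, and the event 4688 scan assumes process-creation auditing with command-line logging is enabled on the host.

```powershell
# Added example (not from the article): host-side checks for the two tells described above.
# Placeholders/assumptions: $PatchKb must be replaced with the real KB for CVE-2026-33825, and
# Find-EnumerationCommands needs Security event 4688 with command-line logging enabled.
$PatchKb    = 'KB0000000'   # placeholder, not the real KB number
$StaleHours = 48            # signature age beyond which the article treats a host as suspicious

function Get-DefenderPatchStatus {
    $mp  = Get-MpComputerStatus -ErrorAction Stop
    $age = (Get-Date) - $mp.AntivirusSignatureLastUpdated
    $kb  = Get-HotFix -Id $PatchKb -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Host               = $env:COMPUTERNAME
        RealTimeProtection = $mp.RealTimeProtectionEnabled
        SignatureVersion   = $mp.AntivirusSignatureVersion
        SignatureAgeHours  = [math]::Round($age.TotalHours, 1)
        SignaturesStale    = $age.TotalHours -gt $StaleHours    # the UnDefend tell
        BlueHammerPatched  = [bool]$kb                          # April 14 patch present?
    }
}

# The enumeration commands Huntress documented, matched against 4688 command lines.
$EnumPatterns = @('whoami\s+/priv', 'cmdkey\s+/list', '\bnet1?\s+group\b')

function Find-EnumerationCommands {
    param([int]$LookbackHours = 24)
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-$LookbackHours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = $xml.Event.EventData.Data
        $cmd  = ($data | Where-Object Name -eq 'CommandLine').'#text'
        $user = ($data | Where-Object Name -eq 'SubjectUserName').'#text'
        foreach ($p in $EnumPatterns) {
            if ($cmd -match $p) {
                [pscustomobject]@{ Time = $_.TimeCreated; User = $user; CommandLine = $cmd; Pattern = $p }
                break
            }
        }
    }
}

$status = Get-DefenderPatchStatus
$status | Format-List
if ($status.SignaturesStale -or -not $status.BlueHammerPatched -or -not $status.RealTimeProtection) {
    Write-Warning "$($status.Host): Defender signatures stale, patch missing, or real-time protection off - investigate"
}
Find-EnumerationCommands | Format-Table -AutoSize
```

Run it under an elevated session so Get-WinEvent can read the Security log; a non-empty table from Find-EnumerationCommands on a workstation is worth a look even when the Defender status itself is clean.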