redsun - TrustStrike Labs

vulnerability

CVE-2026-33825

2026-04-25

Two Windows Defender zero-days that disable the antivirus are still unpatched two weeks after researcher leaked them - attackers now chaining them with custom malware

Update on the Windows Defender zero-day situation: Huntress now confirms attackers are chaining the three flaws leaked April 3 by a researcher called 'Chaotic Eclipse' to deploy a custom tunneling agent named 'BeigeBurrow' on victim systems. Microsoft patched one of the three (BlueHammer, CVE-2026-33825) on April 14, but the other two are still unpatched two weeks later: RedSun lets attackers gain SYSTEM privileges even on patched machines, and UnDefend stops Defender from receiving signature updates - effectively turning off the antivirus. CISA gave federal agencies until May 6 to deploy the BlueHammer patch.

windows-defender bluehammer redsun undefend beigeburrow unpatched huntress chaotic-eclipse status-update

Check: Verify every Windows endpoint has the April 14 patch installed, and treat any host where Defender hasn't received signature updates in over 48 hours as suspicious.
Affected: Windows 10, Windows 11, and Windows Server 2019 and later with Defender enabled. The April 14 patch closes only BlueHammer (CVE-2026-33825); RedSun (privilege escalation, no patch) and UnDefend (Defender update blocker, no patch) still affect every Windows endpoint regardless of patch status. Hands-on-keyboard exploitation is now confirmed in the wild.
Fix: Deploy the April 14 patch to every Windows endpoint and verify with MDM rather than trusting WSUS compliance numbers. Alert when a host's Defender signatures fall more than 48 hours out of date - that's the UnDefend tell. Watch for the enumeration commands Huntress documented on workstations: 'whoami /priv', 'cmdkey /list', 'net group' are unusual outside admin tooling. Block known BeigeBurrow command-and-control IPs.

vulnerability

CVE-2026-33825

2026-04-23

CISA adds actively-exploited Microsoft Defender 'BlueHammer' flaw to KEV as two sibling zero-days (RedSun, UnDefend) remain unpatched (CVE-2026-33825)

CISA added CVE-2026-33825 to its Known Exploited Vulnerabilities catalog on April 23 with a May 7 federal patch deadline. The flaw, nicknamed BlueHammer, is a race condition in Windows Defender's file-remediation logic that lets an unprivileged local attacker overwrite arbitrary files on disk and escalate to SYSTEM on fully-patched Windows 10 and Windows 11 hosts. It was patched in Microsoft's April 8 Patch Tuesday but a working proof-of-concept had already been published to GitHub by a researcher called 'Chaotic Eclipse' on April 7, before the fix shipped. Huntress Labs saw in-the-wild exploitation from April 10, with attackers also picking up two sibling Defender zero-days the same researcher leaked: RedSun (another local privilege escalation) and UnDefend (a denial-of-service that blocks Defender from pulling security definition updates, effectively disarming the EDR). Those two still have no Microsoft patch. The combination - a working privilege-escalation path plus an unpatched technique to silently cripple Defender itself - makes this a priority hunt, not just a priority patch.

microsoft windows-defender bluehammer redsun undefend privilege-escalation cisa-kev actively-exploited chaotic-eclipse

Check: Verify that every Windows 10 and Windows 11 endpoint in your fleet has the April 2026 Patch Tuesday update installed and then hunt for the BlueHammer/RedSun/UnDefend technique patterns in your EDR telemetry.
Affected: Windows 10 and Windows 11 endpoints that have not installed the April 8, 2026 Patch Tuesday cumulative update. Note that patching closes BlueHammer (CVE-2026-33825) only - RedSun and UnDefend remain unpatched at time of writing, so patched hosts are still exposed to local privilege escalation via RedSun and to Defender disablement via UnDefend.
Fix: Deploy the April 2026 Patch Tuesday update (which addresses CVE-2026-33825) to every Windows endpoint and verify coverage against MDM or configuration-management inventory rather than trusting WSUS compliance alone. For the two unpatched sibling flaws, tighten EDR rules to alert on: anomalous file writes to Defender-controlled paths, unexpected changes to Defender signature update behavior, and any process attempting to stop or starve MsMpEng.exe. Treat any host where Defender has not received a signature update in over 48 hours as suspicious until proven otherwise. Review Huntress's public IoCs for the three techniques.

vulnerability

2026-04-16

Second Microsoft Defender zero-day PoC released - 'RedSun' grants SYSTEM privileges on fully-patched Windows including this week's April patches

Just days after Microsoft patched BlueHammer (CVE-2026-33825) in Tuesday's Patch Tuesday, the same researcher 'Chaotic Eclipse' (aka Nightmare-Eclipse) has released a second Microsoft Defender local privilege escalation zero-day called RedSun. The exploit works on fully-patched Windows 10, Windows 11, and Windows Server systems with Windows Defender enabled, even after installing this week's April updates. The flaw abuses Defender's cloud file rollback behavior: when Defender detects a file with a 'cloud tag' it tries to restore it to its original location without validating the target path. The exploit uses NTFS junctions and opportunistic locks to redirect the write to C:\Windows\System32, overwriting system files like TieringEngineService.exe to gain SYSTEM privileges. Huntress Labs is reporting all three recently-leaked Windows Defender zero-days (BlueHammer, RedSun, and UnDefend) are now being exploited in the wild. The researcher has threatened to drop more severe RCE exploits in protest of how Microsoft handled their disclosure process. No patch available for RedSun yet. Working PoC code is public on GitHub.

microsoft-defender zero-day windows privilege-escalation chaotic-eclipse redsun actively-exploited unpatched

Check: Assume unprivileged-to-SYSTEM escalation is available to any attacker on your Windows endpoints until Microsoft patches RedSun. Defense-in-depth measures matter more than usual.
Affected: Windows 10, Windows 11, and Windows Server 2019 and later systems with Windows Defender enabled. The exploit works on fully-patched systems including the April 2026 Patch Tuesday updates. Any attacker with local unprivileged access (via phishing, drive-by download, or stolen credentials) can escalate to SYSTEM.
Fix: No patch available yet. Immediate mitigations: (1) Block execution of untrusted binaries from user-writable directories via AppLocker or Windows Defender Application Control - this prevents the initial foothold required for RedSun. (2) Monitor EDR for unexpected file writes to System32 and NTFS junction creation. (3) Apply the April Patch Tuesday updates anyway to close BlueHammer (CVE-2026-33825) and other critical flaws - RedSun is a separate issue. (4) Watch for Microsoft's out-of-band update or May Patch Tuesday fix.