RSS
Last updated: May 13, 2026 at 5:42 AM UTC
All 208 Vulnerability 72 Breach 41 Threat 88 Defense 7
Tag: undefend (2 articles)Clear
vulnerability
CVE-2026-33825
2026-04-25

Two Windows Defender zero-days that disable the antivirus are still unpatched two weeks after researcher leaked them - attackers now chaining them with custom malware

Update on the Windows Defender zero-day situation: Huntress now confirms attackers are chaining the three flaws leaked April 3 by a researcher called 'Chaotic Eclipse' to deploy a custom tunneling agent named 'BeigeBurrow' on victim systems. Microsoft patched one of the three (BlueHammer, CVE-2026-33825) on April 14, but the other two are still unpatched two weeks later: RedSun lets attackers gain SYSTEM privileges even on patched machines, and UnDefend stops Defender from receiving signature updates - effectively turning off the antivirus. CISA gave federal agencies until May 6 to deploy the BlueHammer patch.

windows-defenderbluehammerredsunundefendbeigeburrowunpatchedhuntresschaotic-eclipsestatus-update
Check
Verify every Windows endpoint has the April 14 patch installed, and treat any host where Defender hasn't received signature updates in over 48 hours as suspicious.
Affected
Windows 10, Windows 11, and Windows Server 2019 and later with Defender enabled. The April 14 patch closes only BlueHammer (CVE-2026-33825); RedSun (privilege escalation, no patch) and UnDefend (Defender update blocker, no patch) still affect every Windows endpoint regardless of patch status. Hands-on-keyboard exploitation is now confirmed in the wild.
Fix
Deploy the April 14 patch to every Windows endpoint and verify with MDM rather than trusting WSUS compliance numbers. Alert when a host's Defender signatures fall more than 48 hours out of date - that's the UnDefend tell. Watch for the enumeration commands Huntress documented on workstations: 'whoami /priv', 'cmdkey /list', 'net group' are unusual outside admin tooling. Block known BeigeBurrow command-and-control IPs.
vulnerability
CVE-2026-33825
2026-04-23

CISA adds actively-exploited Microsoft Defender 'BlueHammer' flaw to KEV as two sibling zero-days (RedSun, UnDefend) remain unpatched (CVE-2026-33825)

CISA added CVE-2026-33825 to its Known Exploited Vulnerabilities catalog on April 23 with a May 7 federal patch deadline. The flaw, nicknamed BlueHammer, is a race condition in Windows Defender's file-remediation logic that lets an unprivileged local attacker overwrite arbitrary files on disk and escalate to SYSTEM on fully-patched Windows 10 and Windows 11 hosts. It was patched in Microsoft's April 8 Patch Tuesday but a working proof-of-concept had already been published to GitHub by a researcher called 'Chaotic Eclipse' on April 7, before the fix shipped. Huntress Labs saw in-the-wild exploitation from April 10, with attackers also picking up two sibling Defender zero-days the same researcher leaked: RedSun (another local privilege escalation) and UnDefend (a denial-of-service that blocks Defender from pulling security definition updates, effectively disarming the EDR). Those two still have no Microsoft patch. The combination - a working privilege-escalation path plus an unpatched technique to silently cripple Defender itself - makes this a priority hunt, not just a priority patch.

microsoftwindows-defenderbluehammerredsunundefendprivilege-escalationcisa-kevactively-exploitedchaotic-eclipse
Check
Verify that every Windows 10 and Windows 11 endpoint in your fleet has the April 2026 Patch Tuesday update installed and then hunt for the BlueHammer/RedSun/UnDefend technique patterns in your EDR telemetry.
Affected
Windows 10 and Windows 11 endpoints that have not installed the April 8, 2026 Patch Tuesday cumulative update. Note that patching closes BlueHammer (CVE-2026-33825) only - RedSun and UnDefend remain unpatched at time of writing, so patched hosts are still exposed to local privilege escalation via RedSun and to Defender disablement via UnDefend.
Fix
Deploy the April 2026 Patch Tuesday update (which addresses CVE-2026-33825) to every Windows endpoint and verify coverage against MDM or configuration-management inventory rather than trusting WSUS compliance alone. For the two unpatched sibling flaws, tighten EDR rules to alert on: anomalous file writes to Defender-controlled paths, unexpected changes to Defender signature update behavior, and any process attempting to stop or starve MsMpEng.exe. Treat any host where Defender has not received a signature update in over 48 hours as suspicious until proven otherwise. Review Huntress's public IoCs for the three techniques.