Skip to main content
Emerging ThreatsMalware & Ransomware

Microsoft Defender Zero-Days Exploited in Active Attacks

Dark cityscape with glowing laptop, broken shields, and exposed circuits.

What do you do when the software designed to stop intruders becomes a route for them to climb higher inside a system? Security provider Huntress is warning that threat actors are exploiting three recently disclosed flaws in Microsoft Defender to obtain elevated privileges on already compromised machines — a development that forces defenders, users and policymakers to rethink assumptions about trusted protection stacks.

What happened: three Defender zero-days in active use

Huntress has reported active exploitation of three vulnerabilities in Microsoft Defender. The flaws are codenamed BlueHammer, RedSun and UnDefend. According to the reporting, the researcher known as Chaotic Eclipse released the three issues as zero-days. Exploitation of the bugs is being used to gain elevated privileges in systems that attackers have already compromised.

Key technical points from the disclosure

  • All three issues were published as zero-days by a researcher using the handle Chaotic Eclipse.
  • BlueHammer is noted as requiring a GitHub sign-in.
  • Huntress characterizes the activity as exploitation to obtain elevated privileges on compromised systems.
  • Two of the three disclosed zero-days remain unpatched.

Why this matters

The combination of active exploitation, privileged security software and at least two unpatched flaws creates a layered risk. Security products like Microsoft Defender run with high levels of trust and access so they can inspect and remediate threats; those same privileges can make them attractive targets. When attackers can leverage vulnerabilities in such software, initial footholds can be converted into broader control, and incident response becomes more complex.

Perspectives and practical implications

  • Technologists: The situation underscores the need to treat protection tools as part of the threat surface. Where possible, strict access controls, monitoring of privileged processes, and defense-in-depth can reduce the blast radius if a security component is abused.
  • Policymakers and leaders: Active exploitation of zero-days in widely deployed security software highlights tensions between rapid vulnerability disclosure and the time required to distribute fixes and mitigations. Decisions about disclosure, vendor notification and coordinated mitigation affect how quickly organizations can respond.
  • Users and administrators: Systems already compromised are at greater risk when attackers can elevate privileges through trusted components. Prioritizing detection of initial intrusions, rapid containment, and applying vendor updates when available will be critical steps.
  • Adversaries: The discovery and release of these zero-days creates opportunities for attackers to expand access on targeted networks, particularly while two of the flaws remain unpatched.

The alert from Huntress and the zero-day releases by Chaotic Eclipse are a reminder that security is a moving target: the very tools designed to protect environments can, when vulnerable, become force multipliers for attackers. Will organizations treat this episode as a call to harden the defenses around trusted components — or will defenders continue to play catch-up as attackers probe for the next privileged pathway?

Read the original report: https://thehackernews.com/2026/04/three-microsoft-defender-zero-days.html