Microsoft Defender zero-day exploits RedSun, BlueHammer, and UnDefend actively abused in the wild
Summary
Microsoft Defender is being actively abused in the wild using three proof-of-concept exploits—RedSun, BlueHammer (CVE-2026-33825), and UnDefend—released by researcher "Nightmare-Eclipse" after alleged poor responses from Microsoft Security Response Center (MSRC). RedSun and BlueHammer enable SYSTEM-level privilege escalation on fully patched Windows 10, 11, and Server 2019+ systems with Defender enabled, while UnDefend degrades Defender’s threat detection capabilities without triggering alerts. Attackers are staging binaries in low-noise directories and manually enumerating privileges before exploitation, reflecting targeted hands-on intrusions. Microsoft patched BlueHammer in April updates but has not addressed RedSun or UnDefend, which operate via separate flaws in Defender’s privileged file handling workflows.
Timeline
- 16.04.2026 23:19 · 2 articles
RedSun Microsoft Defender zero-day PoC enables SYSTEM privilege escalation on fully patched Windows
Proof-of-concept exploit for a Microsoft Defender local privilege escalation zero-day named RedSun has been published and is now being actively exploited in targeted intrusions alongside two additional exploits, BlueHammer and UnDefend. The attack leverages Defender’s cloud file tagging logic to trigger file rewrites, then exploits a volume shadow copy race condition and directory junction to redirect the rewrite to C:\Windows\system32\TieringEngineService.exe. Execution via the Cloud Files Infrastructure grants SYSTEM privileges on Windows 10, 11, and Server 2019+ systems with Defender enabled, even after the latest April Patch Tuesday updates. RedSun is now observed in hands-on intrusions where attackers manually enumerate privileges and stage binaries in low-noise directories such as Downloads and Pictures to evade detection. UnDefend, a separate exploit released by the same researcher, disrupts Defender’s update mechanism to degrade threat detection without triggering alerts, further expanding the attack surface exposed by these flaws.
- New Microsoft Defender “RedSun” zero-day PoC grants SYSTEM privileges — www.bleepingcomputer.com — 16.04.2026 23:19
- Exploits Turn Windows Defender into Attacker Tool — www.darkreading.com — 21.04.2026 22:12
Information Snippets
- The RedSun exploit targets a local privilege escalation flaw in Microsoft Defender on Windows 10, Windows 11, and Windows Server 2019 or later, even when fully patched via April Patch Tuesday updates.
  First reported: 16.04.2026 23:19 · 2 sources, 2 articles
  - New Microsoft Defender “RedSun” zero-day PoC grants SYSTEM privileges — www.bleepingcomputer.com — 16.04.2026 23:19
  - Exploits Turn Windows Defender into Attacker Tool — www.darkreading.com — 21.04.2026 22:12
- The exploit abuses Defender’s cloud file tagging and file rewrite behavior via the Cloud Files API, using EICAR test file placement, opportunistic lock (oplock) timing, and directory junctions to redirect file overwrites to C:\Windows\system32\TieringEngineService.exe.
  First reported: 16.04.2026 23:19 · 2 sources, 2 articles
  - New Microsoft Defender “RedSun” zero-day PoC grants SYSTEM privileges — www.bleepingcomputer.com — 16.04.2026 23:19
  - Exploits Turn Windows Defender into Attacker Tool — www.darkreading.com — 21.04.2026 22:12
- Once the attacker-controlled executable is written to a protected system path via this mechanism, the Cloud Files Infrastructure executes it as SYSTEM, achieving full privilege escalation.
  First reported: 16.04.2026 23:19 · 2 sources, 2 articles
  - New Microsoft Defender “RedSun” zero-day PoC grants SYSTEM privileges — www.bleepingcomputer.com — 16.04.2026 23:19
  - Exploits Turn Windows Defender into Attacker Tool — www.darkreading.com — 21.04.2026 22:12
- The exploit PoC was publicly released by researcher "Chaotic Eclipse", who also disclosed the related BlueHammer (CVE-2026-33825) LPE zero-day last week.
  First reported: 16.04.2026 23:19 · 2 sources, 2 articles
  - New Microsoft Defender “RedSun” zero-day PoC grants SYSTEM privileges — www.bleepingcomputer.com — 16.04.2026 23:19
  - Exploits Turn Windows Defender into Attacker Tool — www.darkreading.com — 21.04.2026 22:12
- Will Dormann, principal vulnerability analyst at Tharros, independently confirmed the RedSun exploit achieves SYSTEM privileges on fully patched systems and provided technical details of the attack chain.
  First reported: 16.04.2026 23:19 · 2 sources, 2 articles
  - New Microsoft Defender “RedSun” zero-day PoC grants SYSTEM privileges — www.bleepingcomputer.com — 16.04.2026 23:19
  - Exploits Turn Windows Defender into Attacker Tool — www.darkreading.com — 21.04.2026 22:12
- VirusTotal initially flagged the PoC due to embedded EICAR strings, but detections were reduced after the researcher encrypted the EICAR payload within the executable.
  First reported: 16.04.2026 23:19 · 1 source, 1 article
  - New Microsoft Defender “RedSun” zero-day PoC grants SYSTEM privileges — www.bleepingcomputer.com — 16.04.2026 23:19
- The researcher cited poor experiences with Microsoft Security Response Center (MSRC) handling of vulnerability disclosures as motivation for publishing the PoCs, alleging retaliatory behavior and lack of support.
  First reported: 16.04.2026 23:19 · 2 sources, 2 articles
  - New Microsoft Defender “RedSun” zero-day PoC grants SYSTEM privileges — www.bleepingcomputer.com — 16.04.2026 23:19
  - Exploits Turn Windows Defender into Attacker Tool — www.darkreading.com — 21.04.2026 22:12
- Researcher "Nightmare-Eclipse" released three publicly available proof-of-concept exploits targeting Microsoft Defender: BlueHammer (CVE-2026-33825), RedSun, and a new exploit named UnDefend.
  First reported: 21.04.2026 22:12 · 1 source, 1 article
  - Exploits Turn Windows Defender into Attacker Tool — www.darkreading.com — 21.04.2026 22:12
- UnDefend disrupts Defender's update mechanism to degrade its threat detection capabilities without triggering hard failures.
  First reported: 21.04.2026 22:12 · 1 source, 1 article
  - Exploits Turn Windows Defender into Attacker Tool — www.darkreading.com — 21.04.2026 22:12
- BlueHammer was released as a zero-day exploit for CVE-2026-33825, a time-of-check to time-of-use (TOCTOU) vulnerability in Defender's signature update workflow.
  First reported: 21.04.2026 22:12 · 1 source, 1 article
  - Exploits Turn Windows Defender into Attacker Tool — www.darkreading.com — 21.04.2026 22:12
- UnDefend requires SYSTEM access and can be executed as a child of cmd.exe under Explorer with an -aggressive flag to starve Defender of threat intelligence.
  First reported: 21.04.2026 22:12 · 1 source, 1 article
  - Exploits Turn Windows Defender into Attacker Tool — www.darkreading.com — 21.04.2026 22:12
- Observed in-the-wild activity shows attackers manually executing privilege enumeration commands before using the exploits in targeted intrusions.
  First reported: 21.04.2026 22:12 · 1 source, 1 article
  - Exploits Turn Windows Defender into Attacker Tool — www.darkreading.com — 21.04.2026 22:12
- Attackers stage binaries in low-noise directories (e.g., Pictures, Downloads) using original or lightly obfuscated filenames to evade detection.
  First reported: 21.04.2026 22:12 · 1 source, 1 article
  - Exploits Turn Windows Defender into Attacker Tool — www.darkreading.com — 21.04.2026 22:12
- RedSun triggers Defender's remediation cycle using embedded EICAR strings, redirecting file rewrites to attacker-controlled binaries that the Cloud Files Infrastructure then executes as SYSTEM.
  First reported: 21.04.2026 22:12 · 1 source, 1 article
  - Exploits Turn Windows Defender into Attacker Tool — www.darkreading.com — 21.04.2026 22:12
- Microsoft confirmed RedSun and UnDefend are separate issues from BlueHammer and issued a patch for CVE-2026-33825 in the April updates, but that patch does not mitigate RedSun or UnDefend.
  First reported: 21.04.2026 22:12 · 1 source, 1 article
  - Exploits Turn Windows Defender into Attacker Tool — www.darkreading.com — 21.04.2026 22:12
- Huntress Labs reported observing hands-on intrusions leveraging all three exploits, with attackers achieving SYSTEM access via RedSun or BlueHammer before deploying UnDefend.
  First reported: 21.04.2026 22:12 · 1 source, 1 article
  - Exploits Turn Windows Defender into Attacker Tool — www.darkreading.com — 21.04.2026 22:12
- Picter Security and Vectra researchers noted that moderately skilled adversaries are leveraging public exploit code with low complexity but effective tradecraft to escalate privileges or weaken defenses.
  First reported: 21.04.2026 22:12 · 1 source, 1 article
  - Exploits Turn Windows Defender into Attacker Tool — www.darkreading.com — 21.04.2026 22:12
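As an added detection-side illustration (not code from the article, Huntress, or any other source cited on this page), the following Python replays constructed process-creation events and flags the tradecraft described in the snippets: a burst of privilege-enumeration commands (whoami /priv, cmdkey /list, net group) followed by a binary launched from Downloads or Pictures, and a staged binary run under cmd.exe with an -aggressive flag. The Event schema, the time window and the minimum-enumeration threshold are assumptions, not any product's log format or rule.

```python
"""Added example, not code from the article or any vendor it cites. Replays
constructed process-creation events and flags the tradecraft this page reports:
privilege enumeration (whoami /priv, cmdkey /list, net group) followed by a
binary launched from Downloads or Pictures, and a staged binary run under
cmd.exe with an -aggressive flag. Event schema and thresholds are assumed."""
import re
from dataclasses import dataclass

# Enumeration commands named on the page, matched against the command line.
ENUM_PATTERNS = [
    re.compile(r"\bwhoami(\.exe)?\s+/priv\b", re.I),
    re.compile(r"\bcmdkey(\.exe)?\s+/list\b", re.I),
    re.compile(r"\bnet1?(\.exe)?\s+group\b", re.I),
]
# Low-noise staging folders reported in the intrusions.
STAGING_DIR = re.compile(r"\\users\\[^\\]+\\(downloads|pictures)\\", re.I)

@dataclass
class Event:
    ts: int        # seconds; constructed, only ordering matters
    user: str      # account the process ran as
    parent: str    # parent image path
    image: str     # process image path
    cmdline: str   # full command line

def is_enum(ev: Event) -> bool:
    return any(p.search(ev.cmdline) for p in ENUM_PATTERNS)

def detect(events, window=600, min_enum=2):
    """Return (rule, user, image) tuples. Enumeration is correlated per user
    within `window` seconds; one stray 'whoami /priv' alone does not fire."""
    findings, by_user = [], {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_user.setdefault(ev.user, []).append(ev)
    for user, evs in by_user.items():
        enum_ts = []
        for ev in evs:
            if is_enum(ev):
                enum_ts.append(ev.ts)
                continue
            if not STAGING_DIR.search(ev.image):
                continue  # only binaries launched from Downloads/Pictures matter
            if sum(1 for t in enum_ts if ev.ts - t <= window) >= min_enum:
                findings.append(("enum-then-staged-exec", user, ev.image))
            if ev.parent.lower().endswith("cmd.exe") and "-aggressive" in ev.cmdline.lower():
                findings.append(("staged-binary-aggressive-flag", user, ev.image))
    return findings

# Constructed sample: alice enumerates, then launches a staged binary; a SYSTEM
# shell runs a second staged binary with -aggressive; bob's activity is benign.
SAMPLE_EVENTS = [
    Event(100, r"CORP\alice", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\whoami.exe", "whoami /priv"),
    Event(130, r"CORP\alice", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\cmdkey.exe", "cmdkey /list"),
    Event(160, r"CORP\alice", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\net.exe", 'net group "domain admins" /domain'),
    Event(300, r"CORP\alice", r"C:\Windows\explorer.exe", r"C:\Users\alice\Downloads\update.exe", "update.exe"),
    Event(400, r"NT AUTHORITY\SYSTEM", r"C:\Windows\System32\cmd.exe", r"C:\Users\alice\Pictures\svc.exe", "svc.exe -aggressive"),
    Event(4900, r"CORP\bob", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\whoami.exe", "whoami /priv"),
    Event(5000, r"CORP\bob", r"C:\Windows\explorer.exe", r"C:\Users\bob\Downloads\installer.exe", "installer.exe"),
]
```

Running `detect(SAMPLE_EVENTS)` yields one enumeration-then-staged-execution finding for alice and one -aggressive finding for the SYSTEM shell, while bob's single whoami /priv followed by an installer stays below the threshold.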
Similar Happenings
BlueHammer Windows local privilege escalation zero-day exploit leaked
Exploit code for an unpatched Windows privilege escalation vulnerability, tracked as BlueHammer, has been publicly released by a disgruntled security researcher. The flaw enables local attackers to escalate privileges to SYSTEM or elevated administrator levels, allowing full system compromise. Microsoft has not issued a patch, classifying the issue as a zero-day. The exploit combines a TOCTOU (time-of-check to time-of-use) and path confusion, granting access to the Security Account Manager (SAM) database to extract local account password hashes. The leak follows frustration with Microsoft’s Security Response Center (MSRC) over disclosure handling, with the researcher citing insufficient response as the trigger for public disclosure. The PoC code contains reliability issues, particularly on Windows Server platforms.
Microsoft March and April 2026 Patch Tuesdays Address Multiple Zero-Days and Critical Flaws
Microsoft’s multi-month Patch Tuesday campaign continues with the April 2026 release addressing 167 security vulnerabilities in Windows and related software, including two actively exploited zero-days (CVE-2026-32201 in SharePoint Server and CVE-2026-33825 in Microsoft Defender). Nearly 60% of the patched flaws are elevation-of-privilege bugs, marking the highest proportion in eight months, while eight Critical vulnerabilities were addressed, including unauthenticated remote code execution flaws in Windows IKE Service Extensions (CVE-2026-33824, CVSS 9.8) and secure tunneling components (CVE-2026-33827, CVSS 8.1).

Following the April updates, threat actors are now exploiting two additional unpatched Microsoft Defender zero-days—RedSun and UnDefend—alongside the patched CVE-2026-33825 (BlueHammer). Exploitation activity has been observed since April 10, 2026, with RedSun and UnDefend PoCs deployed on April 16, 2026, featuring hands-on-keyboard techniques such as whoami /priv, cmdkey /list, and net group commands. Huntress confirmed real-world exploitation and took steps to isolate compromised systems to prevent post-exploitation damage. Threat actors have also been observed chaining these flaws with other vulnerabilities to achieve full endpoint control.

Microsoft issued out-of-band emergency patches for CVE-2026-40372, a critical ASP.NET Core privilege escalation vulnerability in the ASP.NET Core Data Protection cryptographic APIs. The flaw enables unauthenticated attackers to gain SYSTEM privileges by forging authentication cookies, stemming from a regression in Microsoft.AspNetCore.DataProtection 10.0.0-10.0.6 packages. Microsoft recommends updating to version 10.0.7 and rotating the DataProtection key ring to fully remediate.

The April updates were distributed through Windows 11 cumulative updates KB5083769 (for versions 25H2/24H2) and KB5082052 (for 23H2), changing build numbers to 26200.8246 (25H2), 26100.8246 (24H2), and 22631.6936 (23H2). Windows 10 Enterprise LTSC and ESU participants received the April fixes via KB5082200, updating to build 19045.7184 (Windows 10) or 19044.7184 (Windows 10 Enterprise LTSC 2021).
Active Exploitation of Multiple Critical Vulnerabilities in Gladinet and TrioFox
Active exploitation of critical vulnerabilities in Gladinet's CentreStack and Triofox products continues. The zero-day vulnerability, CVE-2025-11371, is an unauthenticated local file inclusion bug that allows unintended disclosure of system files. This flaw affects all versions prior to and including 16.7.10368.56560. The vulnerability has been exploited to retrieve the machine key from the application Web.config file, enabling remote code execution via a ViewState deserialization vulnerability. Three customers have been impacted so far. A patch for the zero-day vulnerability CVE-2025-11371 is now available in CentreStack version 16.10.10408.56683. Users are advised to upgrade to this version or, if upgrading is not possible, disable the "temp" handler within the Web.config file for UploadDownloadProxy to mitigate the risk. The vendor, Gladinet, has been notified and is working on a fix. The vulnerability was detected by researchers at Huntress on September 27, 2025. The flaw was exploited to obtain a machine key and execute code remotely. The attack used an older deserialization vulnerability (CVE-2025-30406) to achieve remote code execution (RCE) through ViewState. The mitigations will impact some functionality of the platform but prevent exploitation of CVE-2025-11371.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-11371 to its Known Exploited Vulnerabilities (KEV) catalog on November 5, 2025, citing evidence of active exploitation. Federal Civilian Executive Branch (FCEB) agencies are required to apply the necessary fixes by November 25, 2025, to secure their networks.

Additionally, a new critical vulnerability, CVE-2025-12480 (CVSS score: 9.8), has been discovered in Gladinet's Triofox file-sharing and remote access platform. This flaw allows attackers to bypass authentication and access configuration pages, resulting in the upload and execution of arbitrary payloads. The threat cluster tracked as UNC6485 has been exploiting this flaw since August 24, 2025. The attackers have used the built-in antivirus feature to execute malicious files and set up encrypted tunnels to command-and-control servers, leveraging remote access tools like Zoho Assist and AnyDesk for further exploitation. The vulnerability CVE-2025-12480 was discovered and reported by Mandiant on November 10. The flaw allows an attacker to gain access to initial setup pages even after setup is complete, enabling the upload and execution of arbitrary payloads. The exploitation campaign started on August 14, 2025. The attackers exploited an HTTP Host header vulnerability by spoofing localhost in requests, bypassing access controls to reach the normally restricted AdminDatabase.aspx setup page. The flaw stemmed from missing origin validation and over-reliance on the host header, allowing unauthenticated remote access to critical configuration pages. The attackers logged in using the newly created Admin account and uploaded malicious files to execute them using the built-in anti-virus feature.

A new actively exploited vulnerability in Gladinet's CentreStack and Triofox products has been disclosed, stemming from the use of hard-coded cryptographic keys. This flaw affects nine organizations so far. The use of hard-coded cryptographic keys could allow threat actors to decrypt or forge access tickets, enabling them to access sensitive files like web.config that can be exploited to achieve ViewState deserialization and remote code execution. The attacks involve specially crafted URL requests to the "/storage/filesvr.dn" endpoint, with the Username and Password fields left blank, causing the application to fall back to the IIS Application Pool Identity. The timestamp field in the access ticket is set to 9999, creating a ticket that never expires, allowing threat actors to reuse the URL indefinitely to download the server configuration.

Organizations using CentreStack and Triofox are advised to update to the latest version, 16.12.10420.56791, released on December 8, 2025, and scan logs for the presence of the string "vghpI7EToZUDIZDdprSubL3mTZ2," which is the encrypted representation of the web.config file path. In the event of indicators of compromise (IoCs), it is imperative to rotate the machine key by generating new keys in the IIS Manager and restarting IIS after repeating the same step for all worker nodes.
Critical Out-of-Bounds Write Vulnerabilities in WatchGuard Firebox Firewalls Exploited in the Wild
Over 115,000 WatchGuard Firebox network security appliances remain exposed to critical remote code execution flaws, including CVE-2025-9242 and the newly disclosed CVE-2025-14733. These vulnerabilities allow remote attackers to execute code without authentication. WatchGuard has released patches and provided temporary workarounds for administrators who cannot immediately update their devices. The vulnerabilities are actively being exploited in the wild, and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-9242 to its Known Exploited Vulnerabilities (KEV) catalog on November 13, 2025, based on evidence of active exploitation. Federal Civilian Executive Branch (FCEB) agencies are advised to apply WatchGuard's patches by December 3, 2025. The Shadowserver Foundation detected over 71,000 vulnerable devices as of October 17, 2025. As of November 12, 2025, over 54,300 Firebox instances remain vulnerable, with the U.S. having the highest number of vulnerable devices at 18,500. On December 22, 2025, Shadowserver found over 124,658 unpatched Firebox instances exposed online, with 117,490 still exposed the following day. CISA added CVE-2025-14733 to its KEV Catalog and ordered FCEB agencies to patch Firebox firewalls within a week, by December 26th.
Erlang/OTP SSH RCE Exploits Targeting OT Firewalls
A surge in exploitation of CVE-2025-32433, a critical security flaw in Erlang/OTP SSH, has been observed since May 2025. Approximately 70% of these exploits target operational technology (OT) firewalls. This vulnerability, patched in April 2025, allows attackers to execute arbitrary code on vulnerable systems without authentication. The attacks have primarily affected healthcare, agriculture, media, entertainment, and high technology sectors in the U.S., Canada, Brazil, India, Australia, Japan, the Netherlands, Ireland, and France. The exploitation involves using reverse shells to gain unauthorized remote access to target networks. The specific threat actors behind these efforts remain unidentified. The flaw is due to improper state enforcement in the Erlang/OTP SSH daemon, allowing unauthenticated clients to execute commands by sending SSH connection protocol messages to open SSH ports. The flaw has been exploited to create TCP connections and bind them to a shell, allowing interactive command execution over the network. The flaw could have severe consequences for an organization, its network, and its operations, including the compromise of sensitive information and disruption of operations.