Microsoft Defender Zero-Days Exploited After Public Disclosure, Attacks Confirmed
28 articles · Updated · TechCrunch · Apr 17
Hackers are actively exploiting three zero-day vulnerabilities in Microsoft Defender, with at least one organization confirmed breached.
The flaws, named BlueHammer, RedSun, and UnDefend, were publicly disclosed by a researcher after disputes with Microsoft; only BlueHammer is patched.
These vulnerabilities allow attackers to gain administrator access or disable Defender, highlighting risks from breakdowns in vulnerability disclosure processes.
April 2026 Microsoft Defender Zero-Days: Exploit Chain Grants Full SYSTEM Access and Disables Antivirus Updates
Overview
In early April 2026, critical zero-day vulnerabilities in Microsoft Defender (BlueHammer, RedSun, and UnDefend) came under active exploitation, with the full exploit chain confirmed around April 10. A patch for BlueHammer was released in April, but RedSun and UnDefend remain unpatched, leaving systems exposed. The researcher Chaotic Eclipse, after MSRC dismissed their initial report, publicly released a proof-of-concept exploit on April 2, which accelerated attacks; they later released the UnDefend tool and threatened further exploits. Organizations are urgently applying patches, enhancing behavioral monitoring, enforcing strict access controls, and diversifying endpoint security to defend against these sophisticated, rapidly weaponized threats affecting millions worldwide.