A new advisory from the cybersecurity firm Huntress has raised the alarm: attackers are exploiting three newly reported flaws in Microsoft Defender to escalate privileges on compromised machines. The vulnerabilities, known by the names BlueHammer, RedSun and UnDefense, were published as zero-days by a researcher who goes by Chaotic Eclipse (also referred to as Nightmare-Eclipse), in protest at how Microsoft, in the researcher's view, handled the disclosure process.
Of the three flaws, BlueHammer and RedSun allow privilege escalation on the system itself, which in practice makes it easier for an intruder with initial access to gain deeper control over the machine. UnDefense, by contrast, is designed to cause a denial-of-service condition that can block definition updates, a vector that leaves endpoints without current defenses against malware. Microsoft has addressed BlueHammer in this week's Patch Tuesday updates, where the vulnerability is tracked as CVE-2026-33825, but at the time of writing RedSun and UnDefense remain without a formal patch.

Huntress has stated on social media and in its analyses that it has observed active exploitation of all three vulnerabilities. According to the company, BlueHammer has been used in attacks since April 10, 2026, and on April 16 public proof-of-concept code appeared demonstrating the use of RedSun and UnDefense. The operators, the researchers explain, did not merely run automated exploits: they carried out typical hands-on-keyboard tasks, that is, manual, targeted activity after initial access. Among the commands detected are privilege and credential queries such as whoami /priv, cmdkey /list and net group, clear signs that the attacker is exploring the environment and preparing the ground for subsequent movements.
What makes this episode more worrying is the combination of several factors: public disclosure by the researcher, the existence of exploits and proof-of-concept code in circulation, and confirmation of real use by malicious actors. This has forced Huntress to take containment measures in the affected organization to prevent the attackers from deepening their access or moving laterally within the network.
While Microsoft has already corrected BlueHammer in its monthly patch, it is important that security teams do not consider the risk closed until all three flaws are mitigated. Microsoft publishes its updates and guidance through the Security Response Center (Microsoft Security Update Guide), and the relevant bulletins should be verified there. The entry for CVE-2026-33825 in the NIST vulnerability database is available for public reference of the identifier associated with BlueHammer.

In situations like this, beyond applying patches when available, practical recommendations include strengthening endpoint monitoring and unusual-activity detection, applying the principle of least privilege to accounts and services, and reviewing security logs to identify commands and indicator patterns of reconnaissance or exfiltration. Microsoft's documentation on the protection and management of Microsoft Defender provides additional guidance on configuration and good practices (official Defender documentation).
Recent events highlight a problematic trend: the tension between researchers who publish zero-day exploits and the narrow window left to organizations to patch and mitigate. Media outlets and response teams often contact vendors; in this case, The Hacker News reported on the situation and said it had sought comment from Microsoft. As of the latest update to this note, an official response is still awaited to clarify the mitigation status of RedSun and UnDefense.
For managers and security officers the key now is to act quickly and prudently: install the available fixes, tighten telemetry to detect suspicious commands and, if compromise is detected, segment and isolate affected systems to limit the impact. Incidents like this are a reminder that security solutions are only as strong as the speed with which patches are applied and the quality of the human monitoring that accompanies them.
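As an added illustration, not part of the Huntress advisory or of this article, the following Python snippet shows how a defender might sweep process-creation logs for the discovery commands the report names (whoami /priv, cmdkey /list, net group) and flag hosts where several of them cluster together, which is the hands-on-keyboard pattern described above. The pipe-separated log format, the sample lines and the technique labels are constructed assumptions for this example; a real deployment would read Windows 4688 or Sysmon events instead.

```python
import re
from dataclasses import dataclass

# Discovery commands named in the report; the regexes and technique labels
# are this example's own assumptions, not an official detection rule.
DISCOVERY_PATTERNS = {
    "privilege_enumeration": re.compile(r"\bwhoami(\.exe)?\s+/priv\b", re.I),
    "credential_enumeration": re.compile(r"\bcmdkey(\.exe)?\s+/list\b", re.I),
    "group_enumeration": re.compile(r"\bnet1?(\.exe)?\s+group\b", re.I),
}

# Constructed sample lines (not real telemetry), loosely modelled on
# process-creation events exported as "timestamp|host|user|parent|command line".
SAMPLE_LOG = """\
2026-04-16T09:12:01Z|WS-0142|CORP\\jdoe|explorer.exe|"C:\\Windows\\System32\\notepad.exe" report.txt
2026-04-16T09:14:22Z|WS-0142|NT AUTHORITY\\SYSTEM|cmd.exe|whoami  /priv
2026-04-16T09:14:25Z|WS-0142|NT AUTHORITY\\SYSTEM|cmd.exe|CMDKEY /LIST
2026-04-16T09:14:31Z|WS-0142|NT AUTHORITY\\SYSTEM|cmd.exe|net group "Domain Admins" /domain
2026-04-16T09:15:00Z|WS-0142|CORP\\jdoe|explorer.exe|whoami
2026-04-16T09:16:10Z|WS-0077|CORP\\svc_backup|services.exe|C:\\backup\\agent.exe --run
"""


@dataclass
class Hit:
    timestamp: str
    host: str
    user: str
    parent: str
    technique: str
    command_line: str


def parse_line(line):
    """Split one log line into its five fields; return None for malformed lines."""
    parts = line.rstrip("\n").split("|", 4)
    return parts if len(parts) == 5 else None


def scan(log_text):
    """Return a Hit for every line whose command line matches a discovery pattern."""
    hits = []
    for line in log_text.splitlines():
        parts = parse_line(line)
        if parts is None:
            continue
        ts, host, user, parent, cmd = parts
        for technique, pattern in DISCOVERY_PATTERNS.items():
            if pattern.search(cmd):
                hits.append(Hit(ts, host, user, parent, technique, cmd))
                break
    return hits


def hosts_with_cluster(hits, min_techniques=2):
    """Hosts where at least `min_techniques` distinct discovery techniques occur.

    A lone `whoami` is everyday noise; several distinct enumeration commands on
    one host in a short window is the reconnaissance pattern worth triaging.
    """
    techniques_by_host = {}
    for hit in hits:
        techniques_by_host.setdefault(hit.host, set()).add(hit.technique)
    return sorted(h for h, t in techniques_by_host.items() if len(t) >= min_techniques)


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for hit in found:
        print(f"{hit.timestamp} {hit.host} {hit.user}: {hit.technique} <- {hit.command_line}")
    print("hosts to triage:", hosts_with_cluster(found))
```

Note that the patterns deliberately require the full argument (`/priv`, `/list`) rather than the bare binary name, so the plain `whoami` on the fifth sample line is not flagged; the clustering step then separates a single stray query from the sequence of privilege, credential and group enumeration that the report associates with post-exploitation activity.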