Zero-Day Windows Flaws Exploited in Targeted Attacks Following Leak
Security researchers at Huntress Labs have confirmed that three recently leaked Windows zero-day vulnerabilities (BlueHammer, RedSun, and UnDefend) are being actively exploited in real-world attacks. The flaws were publicly disclosed after a researcher released proof-of-concept exploit code, prompting threat actors to weaponize them before patches were fully available.
The vulnerabilities target Microsoft Defender and can be chained to bypass security controls. BlueHammer and RedSun are local privilege-escalation flaws allowing attackers with limited access to gain system-level control, while UnDefend enables the disabling of Defender’s security updates. When combined, these exploits allow attackers to neutralize defenses, escalate privileges, and maintain persistence on compromised systems.
Huntress observed manual, "hands-on-keyboard" attacks leveraging this exploit chain, indicating targeted intrusions rather than automated campaigns. While Microsoft released a patch for BlueHammer in its April 2026 Patch Tuesday update, RedSun and UnDefend remain unpatched, leaving millions of Windows systems exposed.
Organizations are advised to apply available patches immediately, restrict local admin privileges, and monitor for suspicious activity such as attempts to disable Defender or unusual privilege escalation. The ongoing exploitation underscores the risks of unpatched zero-days in critical security components.
Source: https://petri.com/windows-zero-day-attacks-bypass-microsoft-defender/
Microsoft Security cybersecurity rating report: https://www.rankiteo.com/company/microsoft-security
{
  "id": "MIC1776963128",
  "linkid": "microsoft-security",
  "type": "Vulnerability",
  "date": "4/2026",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
{
  "affected_entities": [
    {
      "customers_affected": "Millions of Windows users",
      "industry": "Software",
      "name": "Microsoft",
      "type": "Technology Company"
    }
  ],
  "attack_vector": "Local Privilege Escalation, Security Control Bypass",
  "description": "Security researchers at Huntress Labs have confirmed that three recently leaked Windows zero-day vulnerabilities (BlueHammer, RedSun, and UnDefend) are being actively exploited in real-world attacks. The flaws were publicly disclosed after a researcher released proof-of-concept exploit code, prompting threat actors to weaponize them before patches were fully available. The vulnerabilities target Microsoft Defender and can be chained to bypass security controls. BlueHammer and RedSun are local privilege-escalation flaws allowing attackers with limited access to gain system-level control, while UnDefend enables the disabling of Defender's security updates. When combined, these exploits allow attackers to neutralize defenses, escalate privileges, and maintain persistence on compromised systems. Huntress observed manual, 'hands-on-keyboard' attacks leveraging this exploit chain, indicating targeted intrusions rather than automated campaigns. While Microsoft released a patch for BlueHammer in its April 2026 Patch Tuesday update, RedSun and UnDefend remain unpatched, leaving millions of Windows systems exposed.",
  "impact": {
    "operational_impact": "Neutralized defenses, privilege escalation, persistence on compromised systems",
    "systems_affected": "Windows systems with Microsoft Defender"
  },
  "post_incident_analysis": {
    "corrective_actions": "Patch management, privilege restriction, enhanced monitoring",
    "root_causes": "Leaked zero-day vulnerabilities (BlueHammer, RedSun, UnDefend) exploited before patches were available"
  },
  "recommendations": "Apply available patches immediately, restrict local admin privileges, and monitor for suspicious activity such as attempts to disable Defender or unusual privilege escalation.",
  "references": [
    {
      "source": "Huntress Labs"
    }
  ],
  "response": {
    "enhanced_monitoring": "Monitor for suspicious activity such as attempts to disable Defender or unusual privilege escalation",
    "remediation_measures": "Apply available patches, restrict local admin privileges, monitor for suspicious activity",
    "third_party_assistance": "Huntress Labs"
  },
  "title": "Zero-Day Windows Flaws Exploited in Targeted Attacks Following Leak",
  "type": "Zero-Day Exploitation",
  "vulnerability_exploited": ["BlueHammer", "RedSun", "UnDefend"]
}