Attackers Exploit Windows Zero-Days to Bypass Microsoft Defender

Newly exposed zero-day flaws are being chained in active attacks, allowing threat actors to bypass defenses.


Key Takeaways:

  • Leaked zero-day flaws are already being actively exploited in targeted attacks.
  • Attackers are chaining vulnerabilities to bypass defenses and gain deeper access.
  • Only a partial fix is available, leaving systems exposed and requiring extra vigilance.

Security researchers are warning that recently leaked Windows zero‑day vulnerabilities are already being exploited in real‑world attacks. With some flaws still unpatched, millions of systems could remain exposed.

According to Huntress Labs security researchers, three previously undisclosed zero‑day Windows vulnerabilities were recently made public after a security researcher released proof‑of‑concept exploit code out of frustration with Microsoft’s disclosure process. Soon after, attackers began exploiting them in real‑world attacks.

BlueHammer, RedSun, and UnDefend: A dangerous exploit chain

BlueHammer, RedSun, and UnDefend are three closely related Windows zero‑day vulnerabilities that target Microsoft Defender and can significantly weaken system security when abused together. BlueHammer and RedSun are local privilege‑escalation flaws that allow an attacker with limited access to elevate their privileges to system level, which gives them near‑complete control over a machine.

Additionally, UnDefend enables attackers to disrupt or block Microsoft Defender’s security updates. When chained, these flaws let attackers first neutralize built‑in protections and then gain administrative access that makes detection and removal more difficult.

Security researchers at Huntress confirmed active exploitation and observed attackers using these flaws in live intrusions. Evidence suggested “hands‑on‑keyboard” activity, which means the attacks were manually carried out rather than fully automated. Attackers are chaining the flaws together to maintain persistence and avoid detection on compromised machines.

Microsoft has patched only one vulnerability (BlueHammer) as part of its April 2026 Patch Tuesday updates. The other two flaws (RedSun and UnDefend) remain unpatched, which leaves affected Windows systems exposed.

Mitigation strategies to reduce exposure and strengthen defenses

Organizations should treat these vulnerabilities as an immediate security priority by applying available patches as soon as possible and tightening defensive controls. Microsoft has already released a fix for BlueHammer, so ensuring systems are fully up to date is important. For the unpatched flaws, organizations should strengthen endpoint monitoring, restrict local administrator privileges, and monitor suspicious behaviors such as attempts to disable Microsoft Defender or unusual privilege‑escalation activity, which have been seen in active attacks.

Additionally, security teams are advised to assume attackers may chain multiple vulnerabilities together. This means enabling advanced threat detection, reviewing Defender configuration settings to ensure tamper protection is active, and preparing incident response plans in case of compromise. Proactive monitoring, least‑privilege access policies, and rapid response readiness are recommended to reduce the potential impact of these ongoing exploits.
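As an added example of the checks described above (not code from Huntress, Microsoft, or the article), the following PowerShell audit flags the conditions a defender would want to catch on an exposed host: tamper protection off, a protection component disabled, stale security intelligence (the effect UnDefend aims for), and recent Defender events recording disabled protections, blocked tampering, or failed updates. It assumes an elevated session on a Windows host with the Defender PowerShell module; the 7‑day signature‑age threshold and 24‑hour lookback are arbitrary choices.

```powershell
# Added example, not vendor code. Assumes: run as administrator, Defender module
# present. The 7-day and 24-hour thresholds below are arbitrary assumptions.

$findings = @()
$status = Get-MpComputerStatus

# Tamper protection must be on; otherwise an attacker who has escalated to
# SYSTEM (as BlueHammer/RedSun allow) can switch protections off unopposed.
if (-not $status.IsTamperProtected) {
    $findings += "Tamper protection is OFF"
}
foreach ($name in 'AMServiceEnabled','AntivirusEnabled','RealTimeProtectionEnabled','BehaviorMonitorEnabled') {
    if (-not $status.$name) { $findings += "$name is FALSE" }
}

# Blocked updates show up as stale security intelligence: a signature set
# older than the chosen threshold deserves a closer look.
$maxSignatureAgeDays = 7
if ($status.AntivirusSignatureAge -gt $maxSignatureAgeDays) {
    $findings += "Security intelligence is $($status.AntivirusSignatureAge) days old (last update $($status.AntivirusSignatureLastUpdated))"
}

# Defender operational log: 5001/5010/5012 = a protection component was
# disabled, 5013 = tamper protection blocked a change, 2001 = update failed.
$lookback = (Get-Date).AddHours(-24)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 5001, 5010, 5012, 5013, 2001
    StartTime = $lookback
} -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # Keep only the first line of the message so the report stays readable.
    $findings += "Event $($e.Id) at $($e.TimeCreated): $(($e.Message -split "`n")[0])"
}

if ($findings.Count -eq 0) {
    Write-Output "OK: protections on, signatures current, no tamper/update events in the last 24h"
} else {
    Write-Output "ATTENTION ($($findings.Count) findings):"
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

Schedule it alongside existing endpoint telemetry and forward any non‑empty finding list to the SOC; a host that reports stale signatures plus a 5001 or 5013 event warrants triage as a possible chained intrusion rather than a benign misconfiguration.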