RedSun and UnDefend now weaponized — two Defender zero-days still unpatched
BlueHammer is patched, but RedSun and UnDefend are now actively exploited with no fix yet. Here is how to protect Defender-based Windows endpoints.
Huntress confirmed on April 17 that the two still-unpatched zero-days, of the three released by researcher Chaotic Eclipse, are now being exploited in the wild. BlueHammer was patched in Microsoft's April 14 Patch Tuesday (CVE-2026-33825). RedSun and UnDefend still have no patch date from Microsoft, and proof-of-concept exploits have been public since April 16.
All three are Windows Defender vulnerabilities that let a low-privilege user escalate to SYSTEM on fully patched Windows 10 and Windows 11 (for BlueHammer, fully patched as of before the April 14 update). The attacker only needs code execution as a standard user, for example from a phishing click or a vulnerable browser. From SYSTEM on one endpoint, switching off Defender, harvesting credentials and moving laterally toward the domain is the usual next step.
What changed since last week
When BlueHammer was released on April 10, there was no confirmation of in-the-wild exploitation. That has changed. Huntress reports BlueHammer exploitation since April 10 and RedSun / UnDefend exploitation since April 16. Microsoft is working on patches but has not announced a release date.
If you installed the April patch, BlueHammer is closed. The other two are open doors until Microsoft ships.
What to do on endpoints right now
- Verify via Intune that the April update (the KB for CVE-2026-33825) is actually installed on 100% of Windows clients. Not "reported as compliant": verified by KB number on the device.
- Enable Tamper Protection everywhere. Review every Defender exclusion added in the last 30 days; if it has no documented owner, remove it.
- Enable the Attack Surface Reduction rules that block unknown processes from writing to Defender signature paths. In Intune: Endpoint Security → Attack Surface Reduction.
- Threat hunt in Defender XDR: look for SYSTEM-context child processes spawned by MsMpEng.exe or MpCmdRun.exe from unusual paths. Defender legitimately launches its own helpers from the Defender platform directory, so the signal is a SYSTEM child whose image lives outside that directory (a user profile, Temp, Public) or is a shell or script host such as cmd.exe or powershell.exe.
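The following PowerShell script is an added example for the checklist above; it is not code from the original post, from Huntress or from Microsoft. Part 1 runs the endpoint checks locally through the Defender PowerShell module (Get-HotFix, Get-MpComputerStatus, Get-MpPreference). Part 2 applies the hunting rule to constructed sample rows shaped like Defender XDR DeviceProcessEvents. Two things are assumptions: the KB number is a placeholder because the post does not state it, and the allowlist of expected child-process directories is a starting baseline you will need to tune per fleet.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the original post, Huntress or Microsoft.
# Part 1: local verification of patch status, Tamper Protection, exclusions
#         and ASR rules using the Defender PowerShell module.
# Part 2: the hunting rule (SYSTEM-context children of MsMpEng.exe /
#         MpCmdRun.exe from unexpected paths) over CONSTRUCTED sample rows.
# ASSUMPTIONS: $PatchKB is a placeholder (the post gives no KB number);
#              $ExpectedChildDirs is a starting allowlist to tune per fleet.

param(
    [string]  $PatchKB = 'KB0000000',   # placeholder: substitute the real KB
    [string[]]$ExpectedChildDirs = @(
        'C:\ProgramData\Microsoft\Windows Defender\Platform\',
        'C:\Program Files\Windows Defender\'
    )
)

function Test-PatchInstalled {
    param([string]$KB)
    # Ask the device itself instead of trusting an Intune "compliant" rollup.
    return [bool](Get-HotFix -Id $KB -ErrorAction SilentlyContinue)
}

function Get-DefenderPosture {
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference
    # ASR rules come back as two parallel arrays: rule GUIDs and action codes
    # (0 = off, 1 = block, 2 = audit, 6 = warn). Pair them so non-blocking
    # rules can be listed for review.
    $asr = @()
    if ($pref.AttackSurfaceReductionRules_Ids) {
        $ids     = @($pref.AttackSurfaceReductionRules_Ids)
        $actions = @($pref.AttackSurfaceReductionRules_Actions)
        for ($i = 0; $i -lt $ids.Count; $i++) {
            $asr += [pscustomobject]@{ RuleId = $ids[$i]; Action = $actions[$i] }
        }
    }
    [pscustomobject]@{
        TamperProtected  = $status.IsTamperProtected
        RealTimeEnabled  = $status.RealTimeProtectionEnabled
        # Get-MpPreference does not record when an exclusion was added; the
        # 30-day review needs Intune change history or the MDE device timeline.
        ExclusionPaths   = @($pref.ExclusionPath      | Where-Object { $_ })
        ExclusionProcs   = @($pref.ExclusionProcess   | Where-Object { $_ })
        ExclusionExts    = @($pref.ExclusionExtension | Where-Object { $_ })
        AsrRulesNotBlock = @($asr | Where-Object { $_.Action -ne 1 })
    }
}

function Find-SuspiciousDefenderChildren {
    param([object[]]$Events, [string[]]$ExpectedDirs)
    $defenderParents = @('MsMpEng.exe', 'MpCmdRun.exe')
    foreach ($e in $Events) {
        # Only SYSTEM-context children of the two Defender processes matter.
        if ($e.InitiatingProcessFileName -notin $defenderParents) { continue }
        if ($e.AccountName -ne 'SYSTEM') { continue }
        # Defender launching its own helpers from the platform directory is
        # normal; a child image outside the allowlist is the hunting hit.
        $known = $false
        foreach ($dir in $ExpectedDirs) {
            if ($e.FolderPath.StartsWith($dir, [System.StringComparison]::OrdinalIgnoreCase)) {
                $known = $true; break
            }
        }
        if (-not $known) { $e }
    }
}

# Constructed sample rows (not captured telemetry); column names follow
# the Defender XDR DeviceProcessEvents schema.
$sampleEvents = @(
    [pscustomobject]@{ DeviceName = 'WS01'; InitiatingProcessFileName = 'MsMpEng.exe'
        FileName = 'MpCmdRun.exe'; AccountName = 'SYSTEM'
        FolderPath = 'C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.0.0\MpCmdRun.exe'
        ProcessCommandLine = 'MpCmdRun.exe -SignatureUpdate' }
    [pscustomobject]@{ DeviceName = 'WS01'; InitiatingProcessFileName = 'MsMpEng.exe'
        FileName = 'updater.exe'; AccountName = 'SYSTEM'
        FolderPath = 'C:\Users\Public\updater.exe'
        ProcessCommandLine = 'updater.exe -q' }
    [pscustomobject]@{ DeviceName = 'WS02'; InitiatingProcessFileName = 'MpCmdRun.exe'
        FileName = 'cmd.exe'; AccountName = 'SYSTEM'
        FolderPath = 'C:\Windows\System32\cmd.exe'
        ProcessCommandLine = 'cmd.exe /c whoami' }
    [pscustomobject]@{ DeviceName = 'WS02'; InitiatingProcessFileName = 'explorer.exe'
        FileName = 'notepad.exe'; AccountName = 'alice'
        FolderPath = 'C:\Windows\System32\notepad.exe'
        ProcessCommandLine = 'notepad.exe' }
)

$posture = Get-DefenderPosture
[pscustomobject]@{
    PatchInstalled  = Test-PatchInstalled -KB $PatchKB
    TamperProtected = $posture.TamperProtected
    RealTimeEnabled = $posture.RealTimeEnabled
    ExclusionCount  = $posture.ExclusionPaths.Count + $posture.ExclusionProcs.Count + $posture.ExclusionExts.Count
    AsrNotBlocking  = $posture.AsrRulesNotBlock.Count
} | Format-List

$hits = @(Find-SuspiciousDefenderChildren -Events $sampleEvents -ExpectedDirs $ExpectedChildDirs)
"Hunting hits on sample data: $($hits.Count)"
$hits | Format-Table DeviceName, InitiatingProcessFileName, FolderPath, ProcessCommandLine -AutoSize
```

On the sample rows the MpCmdRun.exe launch from the platform directory is ignored and the explorer.exe row never enters the filter; the two remaining rows (a binary in C:\Users\Public and cmd.exe under a Defender parent) are returned as hits. The same predicate maps directly onto a DeviceProcessEvents query in Defender XDR advanced hunting: filter on InitiatingProcessFileName, AccountName and FolderPath. Expect to extend the allowlist after a first run, since any legitimate helper Defender starts from outside the two listed directories will surface as a hit.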
Why Microsoft Business Premium customers are directly exposed
M365 Business Premium gives you Defender for Business and Intune. That is good. But these attacks abuse Defender's own signature update mechanism, so the product that is supposed to stop the malware is the component being exploited. All it takes is a user executing a malicious binary from a phishing click; the attacker is then SYSTEM and can turn Defender off themselves.
How HaggeBurger can help
We run a 2-hour Defender Patch Verification per customer that checks KB status, ASR rules and Tamper Protection. If you want to move on to a full Defender XDR Hardening Sprint, it takes 1–2 days.
Email hej@haggeburger.se and we will book your tenant this week.