Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
Critical Django SQL Injection Vulnerability Actively Exploited
July 10, 2026
Critical Typosquatting Attack on Braintree NuGet Steals Environment Secrets
July 10, 2026
Wireshark 4.6.7 Fixes Critical Vulnerabilities Allowing Remote Code Execution
July 10, 2026
Home/CyberSecurity News/Windows Defender CVE-2023-XXXX Critical 0-Day Actively Exploited
CyberSecurity News

Windows Defender CVE-2023-XXXX Critical 0-Day Actively Exploited

Key Takeaways Three Windows Defender privilege escalation vulnerabilities, including a zero-day (CVE-2026-33825), are being actively exploited in the wild. The exploits allow low-privileged local...

Marcus Rodriguez
Marcus Rodriguez
April 17, 2026 3 Min Read
43 0

Key Takeaways

  • Three Windows Defender privilege escalation vulnerabilities, including a zero-day (CVE-2026-33825), are being actively exploited in the wild.
  • The exploits allow low-privileged local users to gain SYSTEM-level access on Windows 10, 11, and Server 2019.
  • One vulnerability, CVE-2026-33825 (BlueHammer), was patched in April 2026; however, RedSun and UnDefend remain unpatched.
  • Threat actors are using publicly available proof-of-concept code from GitHub, coupled with manual reconnaissance, against enterprise targets.

Active Exploitation of Windows Defender Vulnerabilities

Cybersecurity researchers have identified active exploitation of three recently disclosed privilege escalation vulnerabilities affecting Windows Defender. Threat actors are deploying proof-of-concept (PoC) exploit code, directly sourced from public GitHub repositories, against various enterprise targets.

Table Of Content

  • Key Takeaways
  • Active Exploitation of Windows Defender Vulnerabilities
  • Huntress Confirms Real-World Attacks
  • Patch Status and Mitigations
  • What You Should Do

The situation escalated following the April 2, 2026, release of the “BlueHammer” exploit on GitHub by a security researcher known as Nightmare-Eclipse (also operating as Chaotic Eclipse). This release reportedly stemmed from a disagreement with Microsoft’s Security Response Center (MSRC) regarding the vulnerability disclosure process.

Designated as CVE-2026-33825, this zero-day vulnerability leverages a time-of-check to time-of-use (TOCTOU) race condition and a path confusion flaw within Windows Defender’s signature update mechanism. This allows a local user with low privileges to achieve SYSTEM-level access on fully updated Windows 10 and Windows 11 systems.

The exploit itself cleverly manipulates the interplay between Microsoft Defender’s file remediation logic, NTFS junction points, the Windows Cloud Files API, and opportunistic locks (oplocks), notably without requiring kernel exploits or memory corruption.

Shortly after the BlueHammer release, Nightmare-Eclipse unveiled two additional tools: RedSun, which also grants SYSTEM privileges on Windows 10, Windows 11, and Windows Server 2019, even post-April Patch Tuesday updates; and UnDefend, a utility designed to disrupt Defender’s update process, thereby progressively diminishing its protective capabilities.

Huntress Confirms Real-World Attacks

Analysts at Huntress have confirmed that threat actors are actively weaponizing all three techniques against live systems. Evidence shows binaries being staged in user-writable directories, specifically within “Pictures” folders and two-letter subfolders inside “Downloads” directories. These files often retain their original PoC filenames, such as FunnyApp.exe and RedSun.exe, though some instances show renaming to z.exe.

An incident on April 10, 2026, saw the execution of BlueHammer from:

  • C:Users[REDACTED]PicturesFunnyApp.exe

Windows Defender successfully blocked and quarantined the file, identifying it as Exploit:Win32/DfndrPEBluHmrBZ with a “Severe” severity classification. The threat was detected in real-time at 19:43:37 UTC and neutralized within two minutes.

A subsequent incident on April 16, 2026, involved:

  • C:Users[REDACTED]DownloadsRedSun.exe

This execution triggered a Virus:DOS/EICAR_Test_File alert. This EICAR test file is a deliberate component of RedSun’s attack, designed to lure Defender’s real-time engine into a detection-and-remediation loop that can then be exploited.

Furthermore, a secondary process, Undef.exe, was observed running with the command-line argument -agressive. This process was spawned as a child of cmd.exe under Explorer.EXE and flagged with “High” severity by ThreatOps Hunting rules.

Crucially, both exploitation attempts were preceded by manual enumeration commands, indicating hands-on-keyboard adversary activity. These commands included:

  • whoami /priv — for enumerating current user privileges
  • cmdkey /list — to identify stored credentials
  • net group — for mapping Active Directory group memberships

This pattern of pre-exploitation reconnaissance strongly suggests a skilled adversary conducting targeted intrusions rather than opportunistic, automated attacks.

Patch Status and Mitigations

Microsoft addressed CVE-2026-33825 (BlueHammer) in its April 2026 Patch Tuesday update cycle. However, RedSun and UnDefend remain unpatched at the time of this reporting, leaving numerous Windows systems vulnerable.

What You Should Do

  • Apply all April 2026 Windows security updates immediately to patch CVE-2026-33825.
  • Implement robust monitoring for unsigned executables appearing in user-writable directories, particularly Pictures and Downloads subfolders.
  • Configure alerts for any EICAR test file drops originating from non-administrative processes.
  • Actively hunt for execution chains involving commands such as whoami /priv, cmdkey /list, and net group within your endpoint telemetry.
  • Reinforce least-privilege principles across your environment to minimize the local access vectors required for successful exploitation.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackCVEExploitPatchSecurityThreatVulnerabilityzero-day

Share Article

Marcus Rodriguez

Marcus Rodriguez

Marcus is a security researcher and investigative journalist with expertise in vulnerability research, bug bounties, and cloud security. Since 2017, Marcus has been breaking stories on critical vulnerabilities affecting major platforms. His investigative work has led to the disclosure of numerous security flaws and improved defenses across the industry. Marcus is an active participant in bug bounty programs and has been recognized for responsible disclosure practices. He holds multiple security certifications and regularly speaks at industry events.

Previous Post

Critical Windows Snipping Tool Flaw CVE-2023-28303 Lets Attackers Spoof Networks

Next Post

New Ransomware ‘Payouts King’ Linked to Former BlackBasta Affiliates

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
ACSC Warns of Large-Scale CMS Exploitation Campaign Deploys Webshells on Vulnerable Websites
July 9, 2026
GodDamn Ransomware Rebrands From Beast and Uses PoisonX Driver to Disable Defenses
July 9, 2026
RedHook Android RAT Abuses ADB Wireless Debugging to Gain Shell-Level Access
July 9, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
Emy Elsamnoudy
Emy Elsamnoudy
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us