Windows Defender CVE-2023-XXXX Critical 0-Day Actively Exploited
Key Takeaways Three Windows Defender privilege escalation vulnerabilities, including a zero-day (CVE-2026-33825), are being actively exploited in the wild. The exploits allow low-privileged local...
Key Takeaways
- Three Windows Defender privilege escalation vulnerabilities, including a zero-day (CVE-2026-33825), are being actively exploited in the wild.
- The exploits allow low-privileged local users to gain SYSTEM-level access on Windows 10, 11, and Server 2019.
- One vulnerability, CVE-2026-33825 (BlueHammer), was patched in April 2026; however, RedSun and UnDefend remain unpatched.
- Threat actors are using publicly available proof-of-concept code from GitHub, coupled with manual reconnaissance, against enterprise targets.
Active Exploitation of Windows Defender Vulnerabilities
Cybersecurity researchers have identified active exploitation of three recently disclosed privilege escalation vulnerabilities affecting Windows Defender. Threat actors are deploying proof-of-concept (PoC) exploit code, directly sourced from public GitHub repositories, against various enterprise targets.
Table Of Content
The situation escalated following the April 2, 2026, release of the “BlueHammer” exploit on GitHub by a security researcher known as Nightmare-Eclipse (also operating as Chaotic Eclipse). This release reportedly stemmed from a disagreement with Microsoft’s Security Response Center (MSRC) regarding the vulnerability disclosure process.
Designated as CVE-2026-33825, this zero-day vulnerability leverages a time-of-check to time-of-use (TOCTOU) race condition and a path confusion flaw within Windows Defender’s signature update mechanism. This allows a local user with low privileges to achieve SYSTEM-level access on fully updated Windows 10 and Windows 11 systems.
The exploit itself cleverly manipulates the interplay between Microsoft Defender’s file remediation logic, NTFS junction points, the Windows Cloud Files API, and opportunistic locks (oplocks), notably without requiring kernel exploits or memory corruption.
Shortly after the BlueHammer release, Nightmare-Eclipse unveiled two additional tools: RedSun, which also grants SYSTEM privileges on Windows 10, Windows 11, and Windows Server 2019, even post-April Patch Tuesday updates; and UnDefend, a utility designed to disrupt Defender’s update process, thereby progressively diminishing its protective capabilities.
Huntress Confirms Real-World Attacks
Analysts at Huntress have confirmed that threat actors are actively weaponizing all three techniques against live systems. Evidence shows binaries being staged in user-writable directories, specifically within “Pictures” folders and two-letter subfolders inside “Downloads” directories. These files often retain their original PoC filenames, such as FunnyApp.exe and RedSun.exe, though some instances show renaming to z.exe.
An incident on April 10, 2026, saw the execution of BlueHammer from:
C:Users[REDACTED]PicturesFunnyApp.exe
Windows Defender successfully blocked and quarantined the file, identifying it as Exploit:Win32/DfndrPEBluHmrBZ with a “Severe” severity classification. The threat was detected in real-time at 19:43:37 UTC and neutralized within two minutes.
A subsequent incident on April 16, 2026, involved:
C:Users[REDACTED]DownloadsRedSun.exe
This execution triggered a Virus:DOS/EICAR_Test_File alert. This EICAR test file is a deliberate component of RedSun’s attack, designed to lure Defender’s real-time engine into a detection-and-remediation loop that can then be exploited.
Furthermore, a secondary process, Undef.exe, was observed running with the command-line argument -agressive. This process was spawned as a child of cmd.exe under Explorer.EXE and flagged with “High” severity by ThreatOps Hunting rules.
Crucially, both exploitation attempts were preceded by manual enumeration commands, indicating hands-on-keyboard adversary activity. These commands included:
whoami /priv— for enumerating current user privilegescmdkey /list— to identify stored credentialsnet group— for mapping Active Directory group memberships
This pattern of pre-exploitation reconnaissance strongly suggests a skilled adversary conducting targeted intrusions rather than opportunistic, automated attacks.
Patch Status and Mitigations
Microsoft addressed CVE-2026-33825 (BlueHammer) in its April 2026 Patch Tuesday update cycle. However, RedSun and UnDefend remain unpatched at the time of this reporting, leaving numerous Windows systems vulnerable.
What You Should Do
- Apply all April 2026 Windows security updates immediately to patch CVE-2026-33825.
- Implement robust monitoring for unsigned executables appearing in user-writable directories, particularly
PicturesandDownloadssubfolders. - Configure alerts for any EICAR test file drops originating from non-administrative processes.
- Actively hunt for execution chains involving commands such as
whoami /priv,cmdkey /list, andnet groupwithin your endpoint telemetry. - Reinforce least-privilege principles across your environment to minimize the local access vectors required for successful exploitation.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.