Protect.Computer

Recently Leaked Windows Zero-Days 'BlueHammer', 'RedSun', 'UnDefend' Actively Exploited


Threat actors are actively exploiting three recently leaked Windows security vulnerabilities, codenamed “BlueHammer”, “RedSun”, and “UnDefend”. These flaws significantly compromise system security by targeting Microsoft Defender mechanisms.

“BlueHammer” (CVE-2026-33825) and “RedSun” are local privilege escalation (LPE) flaws within Microsoft Defender, allowing attackers who have already gained initial access to elevate their privileges to SYSTEM. “UnDefend” is a separate vulnerability that can block Microsoft Defender definition updates, effectively blinding the antivirus from recognizing new threats.

While Microsoft addressed BlueHammer in the April 2026 Patch Tuesday updates, RedSun and UnDefend remain unpatched zero-days at the time of reporting.

How to check if you’re affected

All Windows systems running Microsoft Defender are potentially affected.

  • Affected versions: Windows 10, Windows 11, and Windows Server environments running active Microsoft Defender installations.
  • Check your update status: Verify if your system has installed the April 2026 Patch Tuesday cumulative updates to protect against “BlueHammer”. Go to Settings > Windows Update and check the update history.
  • Until “RedSun” and “UnDefend” are patched, organizations should monitor for unexpected privilege escalation events and manually verify that Defender definition updates are successfully downloading and applying.
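As an added example (not from the article), the PowerShell script below automates the host-level checks above: whether the April 2026 cumulative update is installed, whether Defender definitions are still current, and whether Defender has logged failed definition updates. The KB number is a placeholder, since the article does not give it, and the signature-age threshold is an assumption to tune to your own policy.

```powershell
# Added example (not from the article): automate the checks above on one host.
# Run from an elevated PowerShell prompt on Windows 10/11 or Windows Server.
# ASSUMPTION: replace the placeholder with the April 2026 cumulative update KB
# for your Windows build; the article does not list it.
$AprilPatchKb    = 'KB<placeholder-April-2026-cumulative>'
$MaxSignatureAge = 3     # days; assumption, tune to your own policy
$LookbackDays    = 7

$findings = @()

# 1. BlueHammer: is the April 2026 cumulative update installed?
$installed = Get-HotFix | Where-Object { $_.HotFixID -eq $AprilPatchKb }
if (-not $installed) {
    $findings += "Patch $AprilPatchKb not found: BlueHammer (CVE-2026-33825) fix missing."
}

# 2. UnDefend: are Defender definitions still current and is protection on?
$status = Get-MpComputerStatus
if ($status.AntivirusSignatureAge -gt $MaxSignatureAge) {
    $findings += ("Defender signatures are {0} days old (version {1}, last updated {2})." -f
        $status.AntivirusSignatureAge, $status.AntivirusSignatureVersion,
        $status.AntivirusSignatureLastUpdated)
}
if (-not $status.RealTimeProtectionEnabled) {
    $findings += "Defender real-time protection is disabled."
}

# 3. UnDefend: has Defender logged failed definition updates recently?
#    Event ID 2001 in the Defender operational log = security intelligence update failed.
$since  = (Get-Date).AddDays(-$LookbackDays)
$failed = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 2001
    StartTime = $since
} -ErrorAction SilentlyContinue   # no matching events is not an error here
if ($failed) {
    $findings += "$(@($failed).Count) failed Defender definition update(s) since $since."
}

# Optional: trigger a definition refresh first so the check reflects "now".
# Update-MpSignature

if ($findings.Count -eq 0) {
    Write-Output "OK: patch present, signatures current, no update failures in $LookbackDays days."
} else {
    $findings | ForEach-Object { Write-Warning $_ }
    exit 1
}
```

Privilege-escalation monitoring for RedSun is a fleet-wide SIEM task rather than a per-host check, so it is left out of this script.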
