Microsoft Defender Is Now Being Used Against You. Three Zero-Days, Two Still Unpatched

Microsoft Defender Is Now Being Used Against You

The software sitting on your endpoint right now, the one you have trusted for years to catch threats before they cause damage, is currently the attack surface.

Three zero-day exploits targeting Microsoft Defender were publicly dropped in April 2026.

All three were weaponized in real attacks within days of being released.

One has since been patched. Two have not.

And here is the part worth sitting with…

If your organization has applied every patch Microsoft has released this month, you are still exposed to two of these three exploits right now, today.

The actual situation is:

  • 13 days between the first exploit release and all three being used in live attacks.
  • 2 exploits still unpatched as of April 26, 2026, affecting fully updated systems.
  • May 7: CISA deadline for federal agencies to patch BlueHammer.

How a disgruntled researcher handed attackers a free toolkit

The backstory here matters…

These exploits did not emerge from a sophisticated nation-state operation or a dark web broker. They came from a single security researcher, going by the handle Chaotic Eclipse, who tried to report a vulnerability to Microsoft’s Security Response Center and felt completely ignored.

On April 3, the researcher published a working proof-of-concept exploit, BlueHammer, directly to GitHub. Not a technical write-up. Not a vague disclosure. A functioning exploit, complete with documentation and instructions.

The post was explicit: Microsoft had been sitting on this, and the researcher had run out of patience.

Microsoft patched BlueHammer on April 14 as part of the April Patch Tuesday release. Then something that rarely happens happened. Two days later, on April 16, the same researcher dropped two more exploits into the same GitHub repository.

RedSun and UnDefend. Both targeting Defender. Neither with a patch available.

The repository remains publicly accessible. Anyone can download it.

The responsible disclosure debate is a genuine and complicated one. But what matters operationally is this: at the moment these exploits went public, the race began. Attackers had a working toolkit. Defenders had nothing to counter two of the three techniques. That asymmetry has not closed.

What each exploit actually does

These are not variations on the same theme. Each one targets a different mechanism inside Defender, which is exactly what makes them collectively so difficult to address.

BlueHammer (patched April 14)

Abuses Defender’s signature update process. Uses an opportunistic lock to pause Defender mid-operation, then redirects a file write, under full SYSTEM privileges, to overwrite a legitimate system binary. Extracts password hashes from the SAM database and escalates to SYSTEM. Works on Windows 10 and 11.

RedSun (no patch available)

Targets Defender’s cloud file rollback mechanism. Tricks Defender into attempting to restore a non-existent malicious file, redirecting the write to System32. Achieves SYSTEM privileges. Works with approximately 100% reliability on fully patched Windows 10, 11, and Server 2019 and later, even after applying the April updates.

UnDefend (no patch available)

A denial-of-service attack against Defender’s update pipeline. In passive mode, it blocks all signature updates silently, making Defender blind to any new threats. In aggressive mode, it disables Defender entirely when Microsoft pushes a major platform update. No privilege escalation required; a standard user account is enough.

Used individually, each of these is a serious problem. Used together, they form a chain.

An attacker uses BlueHammer or RedSun to reach SYSTEM-level access. They then deploy UnDefend to quietly strangle Defender’s ability to detect follow-on activity. The endpoint’s protection layer degrades silently over time, the attacker entrenches, and nothing visible alerts anyone that something is wrong.

WME Security Services researchers described it bluntly…

“It is a layered degradation strategy, not a one-shot exploit. The goal is not a single dramatic breach. It is slow, sustained access while the lights go out on your defenses one by one.”

Applying every patch is not enough

This deserves direct attention because it changes how organizations need to think about their current exposure.

BlueHammer has a patch. If your systems have received the April 14 security updates, you are protected against that specific technique.

But RedSun works with near-perfect reliability on every fully patched Windows 10, Windows 11, and Windows Server 2019 and later system available today.

There is no mitigation Microsoft has shipped for it. No workaround. No registry key to flip.

Operating Inside the Trust Boundary

UnDefend sits in the same position. A standard user can run it. It does not require elevated privileges to start degrading Defender’s ability to function. You could have the most current patches, a fully updated system, and a user running UnDefend from their Downloads folder would quietly start starving Defender of the signature updates it needs to detect anything new.

This is the uncomfortable reality of the current exposure window…

Your patch compliance status has no bearing on two of these three threats. The question is not whether you are patched. The question is what else is operating independently of your endpoint protection layer.

When exploits succeed by operating inside the trust boundary that endpoint agents depend on, detection has to come from somewhere else.

Network telemetry, identity monitoring, and behavioral analysis that sits outside the endpoint stack are not nice-to-haves right now. They are the practical fallback while this remains unresolved.

The pattern this fits into

April 2026 has been an extraordinary month for Microsoft vulnerabilities.

The April Patch Tuesday release addressed 168 vulnerabilities, the second-largest release in Microsoft’s history.

It included the actively exploited SharePoint zero-day, a critical unauthenticated remote code execution bug in the Windows IKE service, an Active Directory RCE flaw rated as likely to be exploited, and now three Defender zero-days with two still open.

Surge in Discovery, Shrinking Windows

That volume is not a coincidence of timing. Security researchers have noted that the incoming rate of vulnerability reports has roughly tripled in recent months, driven partly by AI-assisted discovery tools that can surface flaws at a scale and speed that was not previously possible.

The patch cycle is trying to absorb a dramatically higher throughput of identified vulnerabilities, and the exploitation window, the gap between public disclosure and a working patch, is where organizations are most exposed.

Defender Under Pressure

Defender specifically has had a difficult April. Within thirteen days, three separate zero-days targeting different parts of its internal architecture were publicly disclosed and actively exploited.

What to do right now

1: Apply the April 2026 Patch Tuesday updates across all Windows systems immediately if you have not already. This removes BlueHammer from the equation, even though RedSun and UnDefend remain unpatched.

2: Watch for the command sequence: whoami /priv, cmdkey /list, and net group running in quick succession from a standard user. This strongly indicates active attacker activity.

3: Treat any SSLVPN or remote access credential compromise as high severity. A single account can be escalated to SYSTEM access within minutes.

4: Baseline the SHA-256 hash of C:\Windows\System32\TieringEngineService.exe across endpoints. Any change is a direct indicator of RedSun exploitation.

5: Enforce Attack Surface Reduction rules. Block execution from user-writable directories like Downloads and Temp, where exploits are typically staged.

6: Monitor Defender update failures or stalled signatures. Silent disruption of updates is the first visible sign of UnDefend activity.

7: Track Microsoft advisories for patches to RedSun and UnDefend. When released, treat them as emergency updates.
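A detection for step 2, added here as an example and not part of the original post: it scans constructed process-creation events (the pipe-separated line format, the 60-second window and the sample lines are all assumptions) and alerts when one user on one host runs all three commands inside the window.

```python
import re
from datetime import datetime, timedelta
# The three reconnaissance commands the article tells you to watch for, matched
# case-insensitively on the command line ("net1" covers net.exe's helper binary).
SEQUENCE = [
    re.compile(r"\bwhoami(\.exe)?\s+/priv\b", re.I),
    re.compile(r"\bcmdkey(\.exe)?\s+/list\b", re.I),
    re.compile(r"\bnet1?(\.exe)?\s+group\b", re.I),
]
# "Quick succession" is not quantified on the page; 60 s is an assumed threshold.
WINDOW = timedelta(seconds=60)

def parse_event(line):
    # Constructed line format: "<ISO timestamp>|<host>|<user>|<command line>"
    ts, host, user, cmd = line.split("|", 3)
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user, "cmd": cmd}

def stages(cmd):
    # Indices of the SEQUENCE entries this command line matches (usually 0 or 1).
    return {i for i, p in enumerate(SEQUENCE) if p.search(cmd)}

def find_recon_chains(lines, window=WINDOW):
    """Return (host, user, start_ts) for each host/user that ran all three
    commands, in any order, within `window`. One alert per host/user pair."""
    events = sorted((parse_event(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    hits, alerted = [], set()
    for i, first in enumerate(events):
        key = (first["host"], first["user"])
        if key in alerted or not stages(first["cmd"]):
            continue
        matched = set()
        for e in events[i:]:
            if e["ts"] - first["ts"] > window:
                break
            if (e["host"], e["user"]) == key:
                matched |= stages(e["cmd"])
            if len(matched) == len(SEQUENCE):
                hits.append((first["host"], first["user"], first["ts"].isoformat()))
                alerted.add(key)
                break
    return hits
# Constructed sample telemetry: a full chain on WS-117; WS-118's two commands are 31 min apart.
SAMPLE_EVENTS = [
    "2026-04-20T09:14:02|WS-117|CORP\\jdoe|C:\\Windows\\System32\\whoami.exe /priv",
    "2026-04-20T09:14:05|WS-117|CORP\\jdoe|cmdkey /list",
    "2026-04-20T09:14:09|WS-117|CORP\\jdoe|net group /domain",
    "2026-04-20T09:30:00|WS-118|CORP\\asmith|whoami /priv",
    "2026-04-20T10:01:00|WS-118|CORP\\asmith|net group /domain",
]
```

Feed it 4688 or Sysmon Event ID 1 records mapped to the same four fields; the page's point is that this signal lives in process telemetry, not in Defender's own alerts.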

The question worth asking your team today

If Defender is compromised on an endpoint, what detects the next step? If the answer relies on the same endpoint stack, the gap is real.

Organizations handling this best have monitoring outside the endpoint: network, identity, and behavioral visibility that stays intact even if Defender doesn't.

Also test response readiness now: if Defender is tampered with on multiple endpoints, how quickly would you know, and what happens in the first 30 minutes?

How WME helps you stay protected when your endpoint layer cannot

WME Security Services provides the independent visibility layer that situations like this one depend on: continuous monitoring, behavioral detection, and round-the-clock response that operates outside the endpoint stack.

Secure your privileged identities before an attacker does it for you.
