CVE-2026-33825: Windows Defender Triple Zero-Day — BlueHammer, RedSun & UnDefend [HIGH · CVSS 7.8]

BySujit Mahakhud

CVE-2026-33825
CVSS 7.8 · HIGH
⚠ 2 Variants UNPATCHED
Actively Exploited

Triple Windows Defender Zero-Day: BlueHammer, RedSun & UnDefend

Microsoft Defender's threat remediation engine has become an attack surface. One researcher. Three exploits. Thirteen days. Two still unpatched — and all three confirmed in the wild.

Disclosed: April 7, 2026
Exploited in Wild: Confirmed April 17, 2026
Patch Status: BlueHammer Patched · RedSun & UnDefend OPEN
Author: Sujit Mahakhud

🔴 Quick Summary

A researcher going by "Chaotic Eclipse" dropped three fully weaponised Windows Defender local privilege escalation exploits in 13 days — CVE-2026-33825 (BlueHammer), RedSun, and UnDefend — all as a deliberate protest against Microsoft's MSRC handling of their reports. Every Windows 10, Windows 11, and Windows Server 2016–2025 endpoint with Defender enabled (virtually all of them) is in scope.

Microsoft patched BlueHammer in the April 14 Patch Tuesday. RedSun and UnDefend remain unpatched, and security firm Huntress confirmed all three exploits were used in live attacks by April 17. Threat actors are already chaining UnDefend (silently killing Defender updates) with RedSun (SYSTEM escalation) before moving laterally.

The Three Vulnerabilities at a Glance

BlueHammer
CVE-2026-33825
CVSS 7.8 HIGH
✓ Patched (Apr 14)

Type: Local Privilege Escalation — TOCTOU Race Condition in Defender's threat remediation engine. The exploit places a file that triggers a Defender detection, then uses a batch oplock to pause Defender mid-remediation. During that pause, an NTFS junction point redirects Defender's privileged write from a temp directory to C:\Windows\System32. Defender writes the attacker-controlled DLL as SYSTEM, granting full code execution.

RedSun
No CVE Assigned
⚠ UNPATCHED
Exploited in Wild

Type: Local Privilege Escalation via Defender's cloud file rollback mechanism. A crafted file triggers a Defender detection; the attacker replaces it with a Windows Cloud Files API placeholder via CldApi.dll. When Defender initiates cloud rollback, it writes to the file's "original location" — which an oplock + NTFS junction has redirected to C:\Windows\System32\TieringEngineService.exe. Fully effective even on fully patched April 2026 systems.

UnDefend
No CVE Assigned
⚠ UNPATCHED
Exploited in Wild

Type: Defense Evasion / Persistence. Unlike BlueHammer and RedSun, UnDefend does not escalate privileges. Instead, a standard unprivileged user can run it to silently block Windows Defender from receiving signature and definition updates. Over time this renders the endpoint increasingly blind to new malware. Attackers use UnDefend as the first stage — degrade Defender, then deploy RedSun for SYSTEM access.

Technical Deep-Dive

Root Cause: Trusted Defender Context Hijacked

All three exploits share a common design flaw: Windows Defender performs privileged filesystem operations without sufficiently validating that the target path remains stable between the check phase and the use phase — a textbook TOCTOU (Time-of-Check to Time-of-Use) class of vulnerability. Because MsMpEng.exe (the Defender Antimalware Service Executable) runs as SYSTEM, any file write it performs carries SYSTEM-level authority.

Attack Chain in Documented Incidents

Huntress documented the following kill chain observed in live attacks (confirmed April 17, 2026):

  1. Initial Access: Threat actor enters via compromised SSL VPN credentials.
  2. Stage 1 — Blind the Defender: Deploy UnDefend as a low-privileged user. Defender signatures stop updating. Detection coverage silently degrades.
  3. Stage 2 — Escalate to SYSTEM: Deploy RedSun. Abuse Defender's cloud rollback to write a SYSTEM-level shell. Full administrative control achieved.
  4. Stage 3 — Move Laterally: With SYSTEM access, dump credentials (SAM, LSASS) and begin lateral movement across the domain.

Affected Products & Versions

Client OS
Windows 10 (all supported versions)
Windows 11 (all supported versions)
Server OS
Windows Server 2016
Windows Server 2019
Windows Server 2022
Windows Server 2025
Condition
Windows Defender enabled (default on all installations)

Impact Assessment

🔑
Full SYSTEM Privileges
RedSun/BlueHammer grant NT AUTHORITY\SYSTEM from any unprivileged account. Attacker can read the SAM database, decrypt NTLM hashes, and spawn SYSTEM shells.
🛡️
AV Blindness (UnDefend)
Defender stops receiving signature updates, becoming progressively ineffective. Subsequent malware drops go undetected while the system appears healthy.
🌐
Enterprise-Wide Risk
With SYSTEM-level shell on any domain-joined device, attackers can dump credentials and move laterally. Domain compromise is a realistic downstream outcome.
⚠ Note: RedSun works on fully patched systems even after the April 14 Patch Tuesday. Applying Windows patches alone is not sufficient to remediate the current risk. See mitigations below.

Microsoft Sentinel KQL Detection Query

This query combines four detection signals: MsMpEng.exe writing PE files to System32 (BlueHammer/RedSun privilege escalation indicator), suspicious CldApi.dll usage from unusual paths (RedSun cloud API abuse), Defender definition update failures (UnDefend indicator), and sudden SYSTEM-process spawns from unprivileged parent processes.

// SecByte Detection: CVE-2026-33825 BlueHammer / RedSun / UnDefend
// Windows Defender Zero-Day Exploitation Indicators
// Microsoft Sentinel | Log Analytics | KQL
// Author: Sujit Mahakhud | secbyte.in | April 21, 2026

let lookback = 24h;

// SIGNAL 1: MsMpEng.exe writing PE/DLL files to System32
// Indicates BlueHammer or RedSun NTFS junction redirect succeeded
let Signal_MsMpEng_SystemWrite =
  DeviceFileEvents
  | where Timestamp > ago(lookback)
  | where InitiatingProcessFileName ==~ "MsMpEng.exe"
  | where ActionType in ("FileCreated", "FileModified")
  | where FolderPath startswith @"C:\Windows\System32"
  | where FileName endswith ".exe" or FileName endswith ".dll" or FileName endswith ".sys"
  // Exclude known-good Defender self-updates
  | where FolderPath !contains "Windows Defender"
  | where FolderPath !contains "MpSigStub"
  | project Timestamp, DeviceName, FileName, FolderPath, InitiatingProcessAccountName,
    Signal="MsMpEng_System32_Write";

// SIGNAL 2: Suspicious CldApi.dll load from non-system paths
// RedSun cloud rollback abuse
let Signal_CldApi_Abuse =
  DeviceImageLoadEvents
  | where Timestamp > ago(lookback)
  | where FileName ==~ "CldApi.dll"
  | where InitiatingProcessFolderPath has_any(@"\Temp\", @"\AppData\", @"\Downloads\", @"\Public\")
  | project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessFolderPath,
    InitiatingProcessAccountName, Signal="CldApi_Suspicious_Load";

// SIGNAL 3: Defender definition update failures (UnDefend indicator)
// Repeated update failures suggest active suppression
let Signal_DefenderUpdateFail =
  SecurityEvent
  | where TimeGenerated > ago(lookback)
  | where EventID in (2001, 2003, 2004)
  | summarize FailureCount=count() by Computer, bin(TimeGenerated, 1h)
  | where FailureCount >= 3
  | project Timestamp=TimeGenerated, DeviceName=Computer, FailureCount,
    Signal="Defender_UpdateSuppressed";

// SIGNAL 4: Low-priv process spawning SYSTEM child
// Post-exploitation: unprivileged parent -> SYSTEM shell
let Signal_PrivEsc =
  DeviceProcessEvents
  | where Timestamp > ago(lookback)
  | where AccountName ==~ "SYSTEM"
      and InitiatingProcessAccountName !in ("SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE")
  | where FileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe")
  | project Timestamp, DeviceName, FileName, ProcessCommandLine,
    InitiatingProcessAccountName, Signal="Unprivileged_To_SYSTEM_Shell";

// COMBINE ALL SIGNALS
Signal_MsMpEng_SystemWrite
| union Signal_CldApi_Abuse, Signal_DefenderUpdateFail, Signal_PrivEsc
| summarize Signals=make_set(Signal), EventCount=count() by DeviceName, bin(Timestamp, 1h)
| extend Severity = iff(array_length(Signals) >= 2, "HIGH - Multiple Signals", "MEDIUM - Single Signal")
| order by array_length(Signals) desc, Timestamp desc

Requires Microsoft Defender for Endpoint (MDE) telemetry via DeviceFileEvents, DeviceImageLoadEvents, DeviceProcessEvents, and Windows Security Event logs.

Mitigation & Recommendations

  1. Apply April 2026 Patch Tuesday immediately — ensures CVE-2026-33825 (BlueHammer) is remediated. Update to Defender Antimalware Platform 4.18.26030.3011 or later. This does not fix RedSun or UnDefend.
  2. Enable Tamper Protection in Microsoft Defender — prevents UnDefend from blocking definition updates. Enforce via Intune or Group Policy.
  3. Deploy the Sentinel KQL query above — run it daily. Flag any device triggering Signal 3 (update failures) as a priority — it's the earliest UnDefend indicator.
  4. Monitor for anomalous NTFS junction point creation — use DeviceFileEvents filtered to ActionType == "ReparsePointChanged" under %TEMP%. Junction + MsMpEng activity = high-confidence exploit indicator.
  5. Restrict local code execution via AppLocker / WDAC — RedSun and UnDefend require running an executable locally. Signed-only execution policies raise the exploitation bar significantly.
  6. Watch for RedSun / UnDefend patches — Microsoft has not yet assigned CVEs or committed to a timeline. Subscribe to MSRC advisories for updates.
📌 Priority for Sentinel users: The KQL detection above is your most actionable control right now for RedSun and UnDefend. Patch alone is insufficient. Run it immediately, triage any device showing Defender_UpdateSuppressed, and escalate if correlated with Signal 4.

Published by Sujit Mahakhud · Microsoft Sentinel Specialist · secbyte.in · April 21, 2026

Similar Posts

Leave a Reply