Leaked Windows Defender zero-days are already being used to gain SYSTEM access

Lucas Oliveira, Research
April 17, 2026 · 5 min read


A fast-moving Windows story matters to defenders this week for a simple reason: public proof-of-concept code is no longer just research theater. Reporting from BleepingComputer says threat actors are already using three recently leaked Windows privilege-escalation techniques in real attacks, including two paths tied to Microsoft Defender behavior that can still help an attacker move from basic user access to full SYSTEM control.

The bigger lesson is operational, not academic. If an attacker already has an initial foothold, a still-usable local exploit, an unpatched zero-day, or a security-product logic weakness can turn a "contained" compromise into a full endpoint takeover very quickly.

What is happening

According to BleepingComputer, Huntress researchers observed attackers using three techniques associated with researcher "Chaotic Eclipse" in active intrusions:

  • BlueHammer, now tracked by Microsoft as CVE-2026-33825
  • RedSun, a Microsoft Defender local privilege-escalation path
  • UnDefend, a technique that can interfere with Defender definition updates

The reporting says BlueHammer had already been exploited in the wild since April 10. It also says RedSun and UnDefend were seen on a device initially breached through a compromised SSLVPN user account, with evidence of hands-on-keyboard activity after the initial access stage.

That sequence matters. These are not being described as internet-scale wormable bugs. They are the kinds of local vulnerability and product-behavior abuse paths that become dangerous once an attacker lands on the box through phishing, stolen credentials, exposed remote access, or another valid entry route.

Why defenders should pay attention

BlueHammer was patched in April as CVE-2026-33825. But the broader defender problem is not solved just because one item in the cluster got a patch.

BleepingComputer's RedSun coverage says the technique can still grant SYSTEM privileges on fully patched Windows 10, Windows 11, and Windows Server 2019 and later systems when Defender is enabled. The write-up describes abuse of Defender and Cloud Files behavior to overwrite a system binary and trigger execution as SYSTEM.

If that reporting holds across target environments, the implication is uncomfortable but clear:

  • a low-privilege attacker may still be able to reach SYSTEM
  • fully patched does not necessarily mean fully closed
  • endpoint trust assumptions can fail around product logic, not only missing updates

That is exactly why local privilege escalation should sit near the top of post-compromise risk reviews. Once an attacker reaches SYSTEM, they can tamper with controls, expand persistence, dump additional secrets, and complicate incident response.

The real enterprise risk

This story is easy to misread as a niche Windows research dispute. That would be a mistake.

The real enterprise issue is chaining. BleepingComputer says researchers saw RedSun and UnDefend on a machine that had already been accessed through a compromised VPN user. That is a realistic enterprise path:

  1. steal or buy valid credentials
  2. access a remote entry point that looks legitimate
  3. escalate locally to admin or SYSTEM
  4. weaken protections and expand control on the host

For security teams, the problem is not only patch cadence. It is whether identity, remote access, endpoint hardening, and behavioral detection are strong enough to stop the chain before or after the attacker reaches the endpoint.

What to do now

1. Treat this as a post-compromise priority, not only a patch story

If you focus only on whether CVE-2026-33825 is patched, you may miss the broader exposure. Review whether Microsoft Defender-related privilege-escalation behavior and definition-update tampering techniques can still succeed in your environment.

2. Hunt for suspicious privilege jumps on recently accessed endpoints

Prioritize systems reached through VPN, remote administration tools, helpdesk workflows, or fresh credential-based logins. Look for unexpected SYSTEM-level process launches, service-binary changes, protected-file rewrites, and unusual Defender-related events.

3. Validate that endpoint controls resist tampering

This is a good moment to test how well your endpoint detection and response stack records Defender service abuse, protected file replacement, reparse-point tricks, and follow-on privilege escalation activity.
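The two hunting steps above name three signals: a SYSTEM-level process appearing under a normal-user parent, an executable rewritten under a protected system directory, and Defender update or protection failures. The following is an added example, not code from the article or from BleepingComputer or Huntress, of triage logic that runs those three checks over endpoint telemetry and ranks hosts where the signals co-occur, since a chain on one host is what the reporting describes. It assumes records in Sysmon-style field names (Event ID 1 process creation with Image, ParentImage, User and ParentUser; Event ID 11 file creation with TargetFilename) and Microsoft-Windows-Windows Defender operational-log IDs 2001 (security intelligence update failed) and 5001 (real-time protection disabled); the sample records and the file name `placeholder_service.exe` are constructed and do not refer to any real exploit target.

```python
"""Added hunting helper (not from the article or its sources): runs three
checks over endpoint telemetry and ranks hosts by how many distinct signals
fire. Field names follow Sysmon conventions (assumption); Defender event IDs
2001 and 5001 are from the Defender operational log. All sample records are
constructed; 'placeholder_service.exe' is a placeholder name."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

SYSTEM_ACCOUNTS = {"nt authority\\system"}
PROTECTED_DIRS = ("c:\\windows\\system32\\",)
BINARY_EXT = (".exe", ".dll", ".sys")
# Processes expected to replace binaries under System32 during servicing.
ALLOWED_WRITERS = {"c:\\windows\\servicing\\trustedinstaller.exe"}
DEFENDER_ALERT_IDS = {2001: "definition update failed",
                      5001: "real-time protection disabled"}

# Constructed sample telemetry from two hosts; ws01 carries a chained sequence.
SAMPLE_EVENTS = [
    {"EventID": 1, "Host": "ws01", "Image": "C:\\Windows\\System32\\svchost.exe",
     "ParentImage": "C:\\Windows\\System32\\services.exe",
     "User": "NT AUTHORITY\\SYSTEM", "ParentUser": "NT AUTHORITY\\SYSTEM"},
    {"EventID": 11, "Host": "ws01",
     "Image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\tool.exe",
     "TargetFilename": "C:\\Windows\\System32\\placeholder_service.exe",
     "User": "CORP\\jdoe"},
    {"EventID": 1, "Host": "ws01", "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\tool.exe",
     "User": "NT AUTHORITY\\SYSTEM", "ParentUser": "CORP\\jdoe"},
    {"EventID": 2001, "Host": "ws01",
     "Provider": "Microsoft-Windows-Windows Defender"},
    {"EventID": 11, "Host": "ws02",
     "Image": "C:\\Windows\\servicing\\TrustedInstaller.exe",
     "TargetFilename": "C:\\Windows\\System32\\placeholder_service.exe",
     "User": "NT AUTHORITY\\SYSTEM"},
    {"EventID": 1, "Host": "ws02", "Image": "C:\\Windows\\System32\\notepad.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "User": "CORP\\asmith", "ParentUser": "CORP\\asmith"},
]


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    detail: str


def _is_system(user: str) -> bool:
    return user.lower() in SYSTEM_ACCOUNTS


def check_privilege_jump(ev: dict) -> Finding | None:
    """SYSTEM child whose parent ran as a normal user: the shape of a local LPE."""
    if ev.get("EventID") != 1:
        return None
    if _is_system(ev.get("User", "")) and not _is_system(ev.get("ParentUser", "")):
        return Finding(ev["Host"], "privilege_jump",
                       f"{ev['ParentImage']} ({ev['ParentUser']}) spawned "
                       f"{ev['Image']} as SYSTEM")
    return None


def check_protected_write(ev: dict) -> Finding | None:
    """Executable written under System32 by anything other than servicing."""
    if ev.get("EventID") != 11:
        return None
    target = ev.get("TargetFilename", "").lower()
    writer = ev.get("Image", "").lower()
    if (target.startswith(PROTECTED_DIRS) and target.endswith(BINARY_EXT)
            and writer not in ALLOWED_WRITERS):
        return Finding(ev["Host"], "protected_write",
                       f"{ev['Image']} ({ev.get('User')}) wrote {ev['TargetFilename']}")
    return None


def check_defender_event(ev: dict) -> Finding | None:
    """Defender operational events that mean updates failed or protection went off."""
    if ev.get("Provider") != "Microsoft-Windows-Windows Defender":
        return None
    label = DEFENDER_ALERT_IDS.get(ev.get("EventID"))
    return Finding(ev["Host"], "defender_tamper", label) if label else None


CHECKS = (check_privilege_jump, check_protected_write, check_defender_event)


def hunt(events: list[dict]) -> list[Finding]:
    """Apply every check to every record and keep the hits."""
    return [f for ev in events for chk in CHECKS if (f := chk(ev)) is not None]


def rank_hosts(findings: list[Finding]) -> list[tuple[str, int]]:
    """Hosts ordered by how many distinct signals fired; chains rank first."""
    rules: dict[str, set[str]] = defaultdict(set)
    for f in findings:
        rules[f.host].add(f.rule)
    return sorted(((h, len(r)) for h, r in rules.items()),
                  key=lambda hr: (-hr[1], hr[0]))


if __name__ == "__main__":
    found = hunt(SAMPLE_EVENTS)
    for f in found:
        print(f"[{f.host}] {f.rule}: {f.detail}")
    print("priority:", rank_hosts(found))
```

Each check is independently noisy; the ranking is what makes it usable, because a single Defender update failure or a legitimate servicing write is routine while all three on one freshly-accessed host is the pattern worth an analyst's time.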

4. Re-check identity and remote-access hygiene

Because at least one observed intrusion reportedly started with a compromised SSLVPN account, review MFA strength, session controls, impossible-travel detections, dormant account exposure, and risky administrative access paths.
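Since the observed intrusion started from a compromised VPN account, the identity review above is as important as the endpoint hunt. Below is an added example, not code from the article, of the impossible-travel check it mentions: consecutive sign-ins by the same account are compared by distance and elapsed time, and any pair implying a speed no traveller could achieve is flagged. It assumes each sign-in record already carries a geolocation resolved from the source address; the sign-ins, usernames and coordinates are constructed sample data.

```python
"""Added example (not from the article): a minimal impossible-travel check over
VPN sign-in records. Assumes each record carries a geolocation already resolved
from the source IP; the sample sign-ins below are constructed."""
from __future__ import annotations

from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 900.0  # roughly airliner speed; tune for your estate

# (user, UTC timestamp, latitude, longitude, label) -- constructed sample data
SAMPLE_LOGINS = [
    ("jdoe", "2026-04-10T08:05:00Z", 47.6062, -122.3321, "Seattle"),
    ("jdoe", "2026-04-10T09:40:00Z", 52.5200, 13.4050, "Berlin"),
    ("asmith", "2026-04-10T08:00:00Z", 40.7128, -74.0060, "New York"),
    ("asmith", "2026-04-10T20:00:00Z", 34.0522, -118.2437, "Los Angeles"),
]


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points on the Earth's surface."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def _parse(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def impossible_travel(logins, max_speed_kmh: float = MAX_PLAUSIBLE_SPEED_KMH) -> list[dict]:
    """Flag consecutive sign-ins per user whose implied speed exceeds the limit."""
    by_user: dict[str, list] = {}
    # ISO-8601 timestamps in one format sort correctly as strings.
    for rec in sorted(logins, key=lambda r: (r[0], r[1])):
        by_user.setdefault(rec[0], []).append(rec)

    findings = []
    for user, recs in by_user.items():
        for prev, cur in zip(recs, recs[1:]):
            hours = (_parse(cur[1]) - _parse(prev[1])).total_seconds() / 3600
            dist = haversine_km(prev[2], prev[3], cur[2], cur[3])
            if hours > 0:
                speed = dist / hours
            else:
                # Same-second sign-ins from two places: treat as infinite speed;
                # an exact duplicate record (no distance) is not a finding.
                speed = float("inf") if dist > 0 else 0.0
            if speed > max_speed_kmh:
                findings.append({"user": user, "from": prev[4], "to": cur[4],
                                 "distance_km": round(dist),
                                 "hours": round(hours, 2),
                                 "speed_kmh": round(speed)})
    return findings


if __name__ == "__main__":
    for hit in impossible_travel(SAMPLE_LOGINS):
        print(hit)
```

In practice this check is a trigger for the layered containment the next step describes, not a verdict: geolocation of corporate egress and mobile carriers is coarse, so a hit should open a review of that account's sessions and MFA events rather than an automatic lockout.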

5. Prepare for layered containment

If you suspect this activity, contain both the user path and the host path. Reset and rotate credentials, review VPN access, isolate the endpoint, and verify whether local changes were used to weaken Defender or stage persistence.

Strategic takeaway

The most important takeaway is not that another Windows proof-of-concept was published. It is that leaked local privilege-escalation techniques can cross into active attacker tradecraft almost immediately, especially when they help convert normal user access into SYSTEM-level control.

For defenders, that means the bar is higher than "Patch Tuesday is done." You need to verify whether privileged process behavior, Defender tampering, and post-access escalation paths are actually detectable and containable in the real environment.

What is BlueHammer?

BlueHammer is the name used publicly for a Windows local privilege-escalation issue that Microsoft now tracks as CVE-2026-33825 and patched in April 2026.

What is RedSun?

RedSun is a reported Microsoft Defender local privilege-escalation technique that BleepingComputer says can grant SYSTEM privileges on fully patched supported Windows systems when Defender is enabled.

Why does SYSTEM access matter so much?

SYSTEM is one of the highest privilege levels on Windows. Reaching it can let attackers disable protections, alter services, persist more deeply, and take broader control of the endpoint.

What should teams do first?

Patch BlueHammer where relevant, then validate detection and containment around Defender tampering, local privilege escalation, and credential-based remote entry paths such as VPN access.

References

  1. BleepingComputer: Recently leaked Windows zero-days now exploited in attacks
  2. BleepingComputer: New Microsoft Defender RedSun zero-day PoC grants SYSTEM privileges
  3. Microsoft Security Response Center update guide
Tags:
Microsoft
Privilege Escalation
Endpoint Security
Patch Management
Zero-Day
Microsoft Defender

Written by

Lucas Oliveira

Research

A DevOps engineer and cybersecurity enthusiast with a passion for uncovering the latest in zero-day exploits, automation, and emerging tech. I write to share real-world insights from the trenches of IT and security, aiming to make complex topics more accessible and actionable. Whether I’m building tools, tracking threat actors, or experimenting with AI workflows, I’m always exploring new ways to stay one step ahead in today’s fast-moving digital landscape.
