Full Report
Threat actors are exploiting three recently disclosed Windows security vulnerabilities in attacks aimed at gaining SYSTEM or elevated administrator permissions. [...]
Analysis Summary
This summary focuses on a set of three critical Windows vulnerabilities discovered and leaked by the researcher "Chaotic Eclipse" (aka "Nightmare-Eclipse").
---
# Vulnerability: Microsoft Defender Privilege Escalation and Update Denial
## CVE Details
- **CVE ID:** CVE-2026-33825 (BlueHammer); Others remain unassigned/TBD.
- **CVSS Score:** ~7.8 (Estimated High)
- **CWE:** CWE-59 (Improper Link Resolution) / CWE-269 (Improper Privilege Management)
## Affected Systems
- **Products:** Microsoft Windows, Microsoft Defender
- **Versions:** Windows 10, Windows 11, and Windows Server 2019 and later.
- **Configurations:** Systems running Microsoft Defender with active signature updates/cloud-protection enabled.
## Vulnerability Description
This group consists of three distinct flaws:
1. **BlueHammer (CVE-2026-33825):** A local privilege escalation (LPE) vulnerability within Microsoft Defender.
2. **RedSun:** An LPE vulnerability that abuses how Microsoft Defender handles malicious files with "cloud tags." When Defender identifies a flagged file, it erroneously attempts to rewrite/restore the file to its original location. By using symbolic links (symlinks), an attacker can redirect this write operation to overwrite critical system files, ultimately gaining **SYSTEM** privileges.
3. **UnDefend:** A vulnerability that allows a standard non-privileged user to block Microsoft Defender from receiving definition updates, effectively "freezing" the AV's detection capabilities.
## Exploitation
- **Status:** **Exploited in the Wild.** Huntress Labs has confirmed active "hands-on-keyboard" threat actor activity using these exploits.
- **Complexity:** Low (Public Proof-of-Concept code is widely available on GitHub).
- **Attack Vector:** Local (Requires initial access to the system, e.g., via compromised SSLVPN credentials).
## Impact
- **Confidentiality:** High (Full system access via SYSTEM privileges)
- **Integrity:** High (Ability to overwrite system files and disable security updates)
- **Availability:** Medium (Security services can be degraded)
## Remediation
### Patches
- **CVE-2026-33825 (BlueHammer):** Resolved in Microsoft’s **April 2026 Security Updates**.
- **RedSun / UnDefend:** No official patches are currently available (as of April 17, 2026). These remain **Zero-Day** vulnerabilities.
### Workarounds
- **Strict Access Control:** Ensure standard users do not have the ability to create symbolic links in sensitive directories where possible.
- **Alternative AV:** Using a third-party Endpoint Detection and Response (EDR) or Antivirus solution may mitigate the RedSun/UnDefend flaws, as they specifically target Microsoft Defender’s logic.
## Detection
- **Indicators of Compromise (IoCs):**
- Presence of PoC files from the "Nightmare-Eclipse" or "Chaotic Eclipse" GitHub repositories.
- Unusual file-write activities initiated by `MsMpEng.exe` (Microsoft Defender service) to sensitive system directories.
- **Detection Methods:**
- Monitor for event logs indicating failed Microsoft Defender definition updates (potential UnDefend exploitation).
- Audit for the creation of symbolic links by non-administrative users in non-standard directories.
## References
- **Vendor Advisory:** [https]://msrc.microsoft.com/update-guide/ (Search for CVE-2026-33825)
- **Researcher Repositories:** [https]://github.com/Nightmare-Eclipse/RedSun | [https]://github.com/Nightmare-Eclipse/UnDefend
- **Huntress Labs Report:** [https]://x.com/HuntressLabs/status/2044882050314817880
- **News Coverage:** [https]://www.bleepingcomputer.com/news/security/recently-leaked-windows-zero-days-now-exploited-in-attacks/