Security researchers at Huntress have identified active exploitation of three critical vulnerabilities affecting Microsoft Defender, with threat actors leveraging the flaws to escalate privileges on compromised systems. The three zero-day vulnerabilities—codenamed BlueHammer, RedSun, and UnDefend—were initially disclosed by independent security researcher Chaotic Eclipse and are now being weaponized in the wild.
The discovery marks a significant security concern for organizations relying on Microsoft Defender as their primary endpoint protection solution. Attackers exploiting these vulnerabilities can gain elevated system privileges, potentially allowing them to bypass security controls, install malware, or move laterally within network environments. The active exploitation indicates that threat actors have developed functional proof-of-concept code and are actively targeting vulnerable systems.
Of particular concern is that at least two of the three vulnerabilities remain unpatched, leaving systems exposed to ongoing attack campaigns. This extended window of vulnerability creates a critical risk period for enterprise environments and individual users who depend on Defender for protection. The situation underscores the challenges organizations face when zero-day vulnerabilities are disclosed before vendor patches become available.
Huntress's findings suggest that exploitation activity has moved beyond theoretical testing into real-world attacks. The company has advised organizations to implement immediate mitigation strategies while awaiting official security updates from Microsoft. The disclosure highlights the importance of defense in depth: security teams should not rely solely on endpoint protection and should implement additional layered security controls.
Microsoft has not yet released official statements regarding patch timelines for the remaining vulnerabilities. Organizations using Microsoft Defender are encouraged to monitor their systems for suspicious activity, implement network segmentation, and consider deploying additional monitoring tools to detect potential exploitation attempts. Security professionals recommend maintaining up-to-date security practices while awaiting vendor remediation, including regular security audits and threat hunting activities focused on detecting signs of privilege escalation attacks.