Cybersecurity professionals are closely tracking three zero-day vulnerabilities in Microsoft Defender — dubbed BlueHammer, RedSun, and UnDefend — that are being actively exploited by malicious actors to gain elevated access on compromised systems. The vulnerabilities were brought to light by a security researcher operating under the pseudonym Chaotic Eclipse, who went public with the findings after taking issue with Microsoft’s handling of the reporting process.
The Three Zero-Day Vulnerabilities Explained
Chaotic Eclipse’s disclosure centers on three distinct flaws within Microsoft Defender, each carrying serious implications for organizations that depend on the software as a primary line of defense. Though different in their mechanics, all three vulnerabilities share a common outcome: they enable attackers to escalate privileges on targeted machines, potentially granting full control over affected systems.
- BlueHammer: Enables attackers to execute unauthorized code, opening a direct path to system control and deeper network compromise.
- RedSun: Facilitates privilege escalation, granting attackers higher-level access than they would otherwise have on a targeted system.
- UnDefend: Exploits weaknesses within Defender’s own processes, undermining the very tool organizations rely on for protection and potentially leaving systems entirely exposed.
The combination of these three vulnerabilities creates a layered threat — attackers can chain or independently leverage these flaws to move laterally through environments, elevate their permissions, and entrench themselves within compromised infrastructure. For security teams, the active exploitation of all three makes the situation particularly urgent.
Chaotic Eclipse Criticizes Microsoft’s Disclosure Process
At the center of this disclosure is a broader debate over how major technology vendors respond when researchers flag critical security issues. Chaotic Eclipse did not simply release technical findings — the researcher was openly critical of Microsoft’s approach to handling the reported vulnerabilities, citing what they described as inadequate responsiveness and delays in the patching process.
This kind of friction between independent researchers and large vendors is not new. However, when it results in the public release of zero-day details before patches are available, the consequences fall squarely on end users and organizations still running vulnerable systems. The disclosure of BlueHammer, RedSun, and UnDefend follows this pattern and puts additional pressure on Microsoft to move quickly.
Concerns raised by the researcher reflect wider frustrations within the security community:
- Prolonged delays in vulnerability patching leave organizations exposed to risks that could otherwise be addressed quickly.
- Insufficient communication between vendors and researchers can derail responsible disclosure timelines.
- When remediation stalls, public disclosure — however disruptive — is sometimes seen as the only remaining lever available to researchers.
Risk Mitigation Steps Organizations Should Take Now
With active exploitation confirmed and no patch yet available at the time of disclosure, security teams cannot afford a passive response. Organizations relying on Microsoft Defender should treat this as a high-priority threat and take immediate steps to reduce their exposure.
Security professionals are advised to monitor systems for unusual privilege escalation activity, review endpoint detection logs for anomalous Defender process behavior, and implement additional access controls where possible while awaiting an official patch from Microsoft. Threat intelligence feeds should be checked regularly for indicators of compromise tied to BlueHammer, RedSun, and UnDefend.
The active exploitation of three simultaneous zero-days within a widely deployed security product serves as a stark reminder that no tool is immune from attack. Until Microsoft issues formal remediation guidance, vigilance and layered defenses remain the most reliable course of action for protecting affected environments.
