Signal

Three Microsoft Defender zero-days exploited in active attacks, two remain unpatched

Source types: reddit, rss
Tags: cve, exploit, malware, incident_response, security_tooling
Overview

Security researchers have disclosed three zero-day vulnerabilities in Microsoft Defender that are actively exploited by threat actors to escalate privileges on Windows 10 and 11 systems.

Entities
  • Microsoft
  • Huntress
  • RedSun
  • BlueHammer
  • UnDefend
  • Chaotic Eclipse
Metrics
  • Score total: 1.89
  • Momentum (24h): 5
  • Posts: 5
  • Origins: 5
  • Source types: 2
  • Duplicate ratio: 0%
Why now
  • Proof-of-concept exploits were recently published, increasing risk of exploitation.
  • Threat actors are actively exploiting these flaws in the wild.
  • Microsoft patched some but not all vulnerabilities in April 2026, leaving gaps.
Why it matters
  • These zero-days allow attackers to gain SYSTEM privileges, risking full system compromise.
  • Two of the vulnerabilities remain unpatched, exposing users to ongoing attacks.
  • Microsoft Defender is widely used, so these flaws impact a large user base.
LLM analysis
  • Topic mix: low
  • Promo risk: low
  • Source quality: high
Recurring claims
  • Three zero-day vulnerabilities in Microsoft Defender are actively exploited in the wild to gain elevated privileges.
  • RedSun exploits Microsoft Defender's handling of cloud-tagged files to overwrite system files and escalate privileges.
  • UnDefend allows a standard user to block Defender signature updates or disable Defender entirely.
How sources frame it
  • Help Net Security: neutral
  • CSO Online: neutral
  • The Hacker News: neutral
All evidence
  • The Hacker News - Microsoft Defender zero-days exploited (thehackernews.com, 2026-04-17 13:21 UTC)
  • CSO Online - RedSun exploit abuses Defender's cloud file handling (csoonline.com, 2026-04-17 11:55 UTC)
  • Help Net Security - Researcher drops two more Defender zero-days (helpnetsecurity.com, 2026-04-17 10:04 UTC)
  • Recently leaked Windows zero-days now exploited in attacks (bleepingcomputer_all · bleepingcomputer.com, 2026-04-17 06:14 UTC)
Top publishers (this list)
  • thehackernews.com (1)
  • csoonline.com (1)
  • helpnetsecurity.com (1)
  • bleepingcomputer_all (1)
  • RedSun (1)
Top origin domains (this list)
  • thehackernews.com (1)
  • csoonline.com (1)
  • helpnetsecurity.com (1)
  • bleepingcomputer.com (1)
  • github.com (1)