Three Microsoft Defender zero-days actively exploited, two remain unpatched
Published 2026-04-17 01:15 UTC
Updated 2026-04-17 22:53 UTC
Tags: cve, exploits, malware, incident_response, security_tooling
Overview
Security researchers have identified active exploitation of three recently disclosed Microsoft Defender zero-day vulnerabilities—BlueHammer, RedSun, and UnDefend.
Entities
- Microsoft
- BlueHammer
- RedSun
- UnDefend
- Chaotic Eclipse
Metrics
- Score total: 1.59
- Momentum 24h: 5
- Posts: 5
- Origins: 5
- Source types: 1
- Duplicate ratio: 0%
Why now
- Proof-of-concept exploits were recently published publicly by a security researcher.
- Two of the three zero-days remain unpatched despite active exploitation.
- Microsoft released a patch for one issue in April, but attackers continue leveraging other flaws.
Why it matters
- Unpatched zero-days in widely used antivirus software increase the risk of privilege escalation attacks.
- Exploitation of Defender vulnerabilities can disable or bypass critical endpoint protections.
- Active exploitation highlights urgency for organizations to monitor and mitigate these threats.
LLM analysis
- Topic mix: low
- Promo risk: low
- Source quality: high
Recurring claims
- Three Microsoft Defender zero-day vulnerabilities are actively exploited in the wild.
- The RedSun vulnerability allows privilege escalation by exploiting Defender's cloud file handling, causing it to overwrite protected system files.
How sources frame it
- The Hacker News: neutral
- Help Net Security: neutral
- CSO Online: neutral
All evidence
- Another PoC exploit released by 'BlueHammer' leaker after Microsoft dispute
  SC Media · scworld.com · 2026-04-17 22:53 UTC
- Three Microsoft Defender Zero-Days Actively Exploited; Two Still Unpatched
  The Hacker News · thehackernews.com · 2026-04-17 13:21 UTC
- Caught, Quarantined, Re-installed: RedSun turns Microsoft Defender on itself
  CSO Online · csoonline.com · 2026-04-17 11:55 UTC
- Researcher drops two more Microsoft Defender zero-days, all three now exploited in the wild
  Help Net Security · helpnetsecurity.com · 2026-04-17 10:04 UTC
- Recently leaked Windows zero-days now exploited in attacks
  bleepingcomputer_all · bleepingcomputer.com · 2026-04-17 06:14 UTC