
When the Defender Becomes the Door: Three Windows Defender Zero-Days, One Researcher's Protest, and Two Still Unpatched

2026.04.27

BlueHammer, RedSun, UnDefend — A 13-Day Disclosure Spree That Forced the Industry to Confront an Awkward Question About Microsoft's Vulnerability Process

In a 13-day window in April 2026, an anonymous security researcher dropped three working zero-day exploits against Windows Defender — Microsoft's flagship endpoint protection product — and Microsoft has so far patched only one of them. As of late April, BlueHammer (CVE-2026-33825) is fixed; RedSun and UnDefend remain open. All three are being exploited in the wild.


The timeline reads like a coordinated protest. BlueHammer was disclosed on April 7 with no prior fix in place — making it a true zero-day. Microsoft scrambled the vulnerability into the April 8 Patch Tuesday cycle, where it was assigned a CVSS of 7.8 and tracked as a local privilege escalation through Defender's file remediation logic. By April 10, real-world exploitation was confirmed by Huntress Labs. Then, on April 16, the same researcher released RedSun and UnDefend — both as full PoCs, both without coordinated disclosure, both currently weaponized in active campaigns.


The researcher's stated reason was that Microsoft's Security Response Center (MSRC) had repeatedly mishandled prior submissions — closing reports as "duplicates" without investigation, downgrading severity, and in one case allegedly leaving a previously reported issue unfixed long enough that another researcher independently weaponized it. Whatever the merits of the grievance, the result is the same: Windows 10, Windows 11, and Windows Server 2016 through 2025 are exposed if Defender is enabled, which on most enterprise fleets means every endpoint.


The technical details get worse the more you read them. RedSun chains an integer overflow in Defender's scan engine with a kernel-mode write to bypass exploit mitigations entirely. UnDefend is more devious — instead of attacking the system, it disables Defender's update channel, gradually starving it of new signatures while leaving the user-facing UI looking healthy. A successful UnDefend deployment can sit on a machine for weeks before anyone notices the protection has effectively been turned off.


This places defenders in a no-win position. Microsoft has not committed to a fix date. Group policy mitigations exist, but they require pushing aggressive policy changes across managed fleets, which most enterprises cannot do in 48 hours without triggering helpdesk avalanches. CISA added BlueHammer to the Known Exploited Vulnerabilities catalog and gave federal agencies until April 28 to patch — that's tomorrow. The same deadline does not apply to the private sector, but the threat model is identical.


What makes this story matter beyond the immediate IR scramble is the meta-question it raises about responsible disclosure. The researcher took a deeply unethical path. Public PoCs without coordinated disclosure, especially against actively-deployed security software, hand attackers free weapons. But if Microsoft's own processes were as broken as the disclosure note alleges, then the system designed to prevent exactly this scenario was already failing. The community is staring at an uncomfortable question: when MSRC fails repeatedly, what is a researcher supposed to do that doesn't end with this outcome?


My Perspective: This Is What Happens When Trust in the Process Breaks


I want to be direct: dropping working zero-day exploits into the wild without coordinated disclosure is wrong. People will be hurt — small businesses without dedicated security teams, hospitals running aging Windows infrastructure, schools, local governments. The collateral damage is real and the researcher does not get a free pass on that.


But the corporate side of this story is not innocent either. The scaling problem at MSRC has been an open secret for years. Researchers who report bugs through proper channels routinely describe a process that feels designed to dispose of reports rather than investigate them. Severity downgrades, "duplicate" closures without explanation, indefinite "under review" statuses — these are not new complaints. The April 2026 disclosure spree is what happens when a system that is supposed to absorb pressure releases it all at once.


For security teams reading this Monday morning, the actionable advice is unsexy but urgent. Audit which endpoints in your environment are running Defender as the sole or primary AV. Apply the published mitigations for RedSun and UnDefend (group policy hardening, restricted-admin mode, attack surface reduction rules). Watch your Defender update telemetry — that's where UnDefend hides. And do not assume "I patched the April Patch Tuesday cycle" means you're safe. Two of three are still open.
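One way to act on the "watch your Defender update telemetry" advice, added here as an example and not taken from the original post or from Microsoft: a PowerShell check built on the stock Defender cmdlets that flags an endpoint whose signature feed has gone stale or whose updates are failing while the status still reads as enabled. The three-day age threshold and 72-hour lookback are assumed values to tune per fleet.

```powershell
# Added example: detect a starving Defender update channel on the local host.
# Uses the built-in Defender module (Get-MpComputerStatus) and the Defender
# operational event log. The thresholds below are hypothetical defaults.
param([int]$MaxSignatureAgeDays = 3, [int]$LookbackHours = 72)

$status   = Get-MpComputerStatus
$findings = @()

# Signature age as reported by the platform itself.
if ($status.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
    $findings += "AV signatures are $($status.AntivirusSignatureAge) days old " +
                 "(version $($status.AntivirusSignatureVersion), last updated " +
                 "$($status.AntivirusSignatureLastUpdated))"
}

# A 'healthy' looking engine with protection off is the other half of the
# 'UI looks fine' picture, so report those states alongside stale signatures.
if (-not $status.AMServiceEnabled)          { $findings += "Antimalware service is not enabled" }
if (-not $status.RealTimeProtectionEnabled) { $findings += "Real-time protection is disabled" }

# Cross-check the operational log: event 2001 is a failed signature update,
# event 2000 a successful one. Repeated 2001s with no 2000 in the window is
# the pattern worth alerting on, independent of what the status object says.
$since  = (Get-Date).AddHours(-$LookbackHours)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 2000, 2001
    StartTime = $since
} -ErrorAction SilentlyContinue

$failed = @($events | Where-Object Id -eq 2001).Count
$ok     = @($events | Where-Object Id -eq 2000).Count
if ($failed -gt 0 -and $ok -eq 0) {
    $findings += "$failed failed signature update(s) and no successful update in the last $LookbackHours h"
}

# Emit one object per host so the results can be collected fleet-wide
# (e.g. via Invoke-Command) and filtered on Suspicious -eq $true.
[pscustomobject]@{
    ComputerName     = $env:COMPUTERNAME
    SignatureAgeDays = $status.AntivirusSignatureAge
    Suspicious       = ($findings.Count -gt 0)
    Findings         = $findings
}
```

Run it under an account that can read the Defender operational log; a host where the status object looks clean but the log shows only failed updates is exactly the case the paragraph above warns about.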


For everyone else, the lesson is harder. Endpoint security software is itself attack surface. We have known this since CrowdStrike's 2024 outage and the various Defender bugs of the years before, but the industry keeps treating "more security tools" as a substitute for "fewer bugs in the security tools we have." A defender with three actively exploited zero-days is not a defender. It is, at best, a door with a sign that says "defender" hanging on it.

