Windows Defender Under Fire: Three Zero-Days in Thirteen Days
- Apr 27
One researcher. Three Windows Defender zero-days. Thirteen days. That cadence has left most corporate Windows estates carrying at least one unpatched privilege escalation bug this week, with CISA ordering federal agencies to fix the first of them by 6 May.
What Happened
On 7 April, a proof-of-concept exploit named BlueHammer (CVE-2026-33825) was published, showing how an unprivileged local user could gain SYSTEM access on fully patched Windows 10 and Windows 11 machines. The flaw sits in Windows Defender's threat remediation engine, which performs privileged file operations during malware cleanup without adequately validating file paths at the moment of writing. Exploit code pauses Defender mid-operation with a batch opportunistic lock, then swaps in an NTFS junction that redirects the cleanup into C:\Windows\System32. Microsoft shipped a patch on 14 April as part of Patch Tuesday, but the same researcher then released two further Defender zero-days, RedSun and UnDefend, both unpatched at time of writing. BlueHammer has been weaponised in the wild since 10 April, and CISA added it to its Known Exploited Vulnerabilities catalogue on 22 April.
Why It Matters
Every Australian organisation running Windows 10 or 11 with the default Defender configuration is in scope. For federal and state government, financial services and health, sectors where Defender is the baseline endpoint protection, the disclosure means an exposure window of at least two weeks for the two remaining bugs, even on hosts that already carry the BlueHammer patch. A local privilege escalation to SYSTEM is exactly the step adversaries need to turn a phishing click, a stolen credential, or commodity malware into full host compromise.
The tool trusted to clean up after threats has been turned into the delivery mechanism for them.
What Security Teams Should Do Now
- Confirm the April 2026 Patch Tuesday update is deployed to every Windows endpoint, not just the servers and workstations in the golden image; prioritise laptops that have missed recent check-ins.
- For RedSun and UnDefend, both still unpatched at time of writing, watch Microsoft's Security Update Guide daily and deploy fixes as soon as they ship.
- Review Defender logs for unusual remediation events involving junction points, oplocks, or writes under C:\Windows. These are the footprints of a BlueHammer-style chain.
- Tighten initial access. Enforce MFA on all remote access paths, strip local admin from standard users, and apply attack surface reduction rules that limit LOLBin abuse.
- Confirm EDR telemetry is feeding a SIEM the team actually watches. A privilege escalation that goes unnoticed for days is the same as not having EDR at all.
- Run a focused assurance exercise. Simulate the BlueHammer chain in a lab or test environment before assuming the patch has worked in production.
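The log review above can be turned into a correlation rule. The script below is an added example, not code from the original post or from Aurian: it runs over constructed, normalised telemetry lines (the REMEDIATION, REPARSE_CREATE and FILE_WRITE record kinds are assumptions about what an EDR or Sysmon pipeline could emit, not Defender's own event schema) and flags a remediation whose staging directory receives a junction pointing under C:\Windows and is then followed by a write there from the Defender engine process, MsMpEng.exe.

```python
import re
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs). Record 1-3 model the chain the
# post describes; records 4-5 are an ordinary quarantine that must not alert.
SAMPLE_EVENTS = r"""
2026-04-09T10:00:02Z REMEDIATION user=CORP\jsmith path=C:\Users\jsmith\stage\sample.bin
2026-04-09T10:00:03Z REPARSE_CREATE user=CORP\jsmith path=C:\Users\jsmith\stage target=C:\Windows\System32
2026-04-09T10:00:04Z FILE_WRITE user=SYSTEM image=MsMpEng.exe path=C:\Windows\System32\sample.bin
2026-04-09T11:30:00Z REMEDIATION user=CORP\ajones path=C:\Users\ajones\Downloads\eicar.com
2026-04-09T11:30:01Z FILE_WRITE user=SYSTEM image=MsMpEng.exe path=C:\ProgramData\Microsoft\Windows Defender\Quarantine\ResourceData\AB\ab12
"""

KV = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")   # key=value pairs, values may contain spaces
WINDOWS_DIR = "c:\\windows\\"

def parse(line):
    ts, kind, rest = line.split(" ", 2)
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "kind": kind}
    rec.update(dict(KV.findall(rest)))
    return rec

def under(path, prefix):
    return path.lower().startswith(prefix)

def detect_redirected_remediation(lines, window=timedelta(seconds=30)):
    """Return one alert per remediation that is followed, inside `window`, by a
    reparse point on its directory targeting C:\\Windows and then an engine write there."""
    events = [parse(l) for l in lines.splitlines() if l.strip()]
    alerts = []
    for i, rem in enumerate(events):
        if rem["kind"] != "REMEDIATION":
            continue
        rem_dir = rem["path"].rsplit("\\", 1)[0].lower()
        junction = engine_write = None
        for ev in events[i + 1:]:
            if ev["ts"] - rem["ts"] > window:
                break
            if (ev["kind"] == "REPARSE_CREATE" and rem_dir.startswith(ev["path"].lower())
                    and under(ev["target"], WINDOWS_DIR)):
                junction = ev
            elif (junction and ev["kind"] == "FILE_WRITE"
                    and ev.get("image", "").lower() == "msmpeng.exe"
                    and under(ev["path"], WINDOWS_DIR)):
                engine_write = ev
        if junction and engine_write:
            alerts.append({"user": junction["user"], "quarantined": rem["path"],
                           "junction_target": junction["target"], "written": engine_write["path"]})
    return alerts
```

The benign quarantine write lands under ProgramData rather than C:\Windows, so only the redirected remediation is reported.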
Aurian's Take
Three zero-days in the same product inside thirteen days, dropped by one researcher, says something about how much untested logic sits inside the tools Australian organisations depend on. Endpoint protection is code: written under commercial pressure, shipped at scale, trusted by default. When that code mishandles a TOCTOU race in its remediation path, the consequence is not a missed detection but an attacker-controlled SYSTEM shell on a fully patched machine. The broader pattern will be familiar to anyone who has spent time inside Australian networks. Defenders stack products, assume the defaults are safe, and discover during an incident that the tool nearest the crown jewels also had the deepest privileges.
This is where regular penetration testing and red-team style security assessment earns its keep. Aurian's work is to rebuild these exploit chains in the environments clients actually run (Defender configurations, group policy, EDR telemetry, admin tiering) and show which controls break the chain and which merely rearrange the deck chairs. A patch deployed without validation is a tick in a box. A patch tested against the public exploit is evidence. That is the gap between cybersecurity compliance and cybersecurity assurance, and it is the gap where breaches happen.
BlueHammer will not be the last time a security product becomes a privileged attack path, and the two outstanding Defender bugs are unlikely to be the last zero-days disclosed before their patches ship. To find out how Aurian can help your organisation assess its exposure, get in touch.