Your Antivirus Is the Exploit
Three Microsoft Defender zero-days are being actively weaponized right now. Two still have no patch. Here's what the attack chain looks like and what you can actually do.
On April 10, analysts at Huntress flagged something that doesn't belong in any normal Windows log: whoami /priv, cmdkey /list, net group — classic post-exploitation enumeration commands — running under a process that had just reached SYSTEM privilege by turning Microsoft Defender's own file-handling logic against the machine. That was BlueHammer. It had been in the wild for six days at that point. Microsoft patched it four days later.
The problem is that on April 16, the same researcher dropped two more.
Both of those are still unpatched as of today.
Three Bugs, One Researcher, All Active
A researcher known as Chaotic Eclipse publicly released a working exploit on April 3, 2026, after what they described as an inadequate response from Microsoft's vulnerability disclosure process. That exploit targets CVE-2026-33825, the flaw publicly named BlueHammer — confirmed by analysts at Picus Security, Field Effect, and Cyderes as a TOCTOU (time-of-check, time-of-use) race condition in Windows Defender's file remediation and signature-update mechanism.
The attack chain is worth understanding in full, because it's not brute force — it's a careful abuse of how Defender interacts with the Windows shadow copy infrastructure.
Here's how BlueHammer works:
- The attacker uses Cloud Files callbacks combined with opportunistic locks to freeze Defender at a precise moment during a VSS snapshot workflow — specifically while a Volume Shadow Copy remains mounted and accessible.
- In that frozen window, the VSS snapshot's device path exposes the SAM, SYSTEM, and SECURITY registry hives. Normally these files are locked by the OS against unprivileged access. Via the snapshot device path, they're readable.
- From the SAM hive, the exploit recovers the local machine's boot key, decrypts LSA secrets, and extracts NTLM password hashes for local accounts.
- With a hash recovered, it calls SamiChangePasswordUser to reset a local Administrator account's password, authenticates with that account, and registers a malicious Windows service.
- The service executes a cmd.exe instance running as NT AUTHORITY\SYSTEM.
- Before finishing, the exploit restores the original password hash to reduce forensic visibility.
The attack requires an existing local foothold — you need to be logged in or have a session on the machine before any of this runs. That sounds like a meaningful constraint until you remember that a phishing email landing an infostealer is the standard first step for most criminal intrusions. Local access is the starting point for half the post-exploitation chains in use today, not a barrier to entry.
Huntress observed active exploitation starting April 10 — six days after the PoC hit GitHub, four days before Microsoft released a fix. The specific post-exploitation commands they logged are worth dwelling on: whoami /priv checks what token privileges the current session holds (did escalation work?), cmdkey /list inventories stored Windows credentials (what else can I authenticate to?), net group maps domain group memberships (who am I dealing with?). This is hands-on-keyboard behavior from a real operator on a freshly compromised machine, not automated scanning.
Microsoft patched BlueHammer on April 14 via a direct Defender antimalware platform update — version 4.18.26030.3011 — delivered through Windows Update outside the standard Patch Tuesday cycle. Fast by Microsoft's standards. Still four days too slow.
Then on April 16, Chaotic Eclipse published the other two.
RedSun is another local privilege escalation vulnerability in the same platform. Vulnerability analyst Will Dormann tested and confirmed the PoC is effective. No CVE has been assigned. No patch exists. The technical details of RedSun's mechanism haven't been fully disclosed publicly, but Dormann's confirmation means it works on real systems.
UnDefend is structurally different, and I'd argue it's the more dangerous of the two in terms of attack potential. It doesn't directly grant SYSTEM privileges. Instead, it allows a standard user to block Defender from receiving signature updates — or to disable Defender entirely if Microsoft pushes a major platform update. That sounds less dramatic than an immediate LPE, but think about how you'd chain it: UnDefend first to blind the antivirus, then RedSun to escalate to SYSTEM. You now have full control of a machine whose security software can no longer see new threat signatures and can't defend itself against whatever you deploy next.
Help Net Security reported on April 17 that all three vulnerabilities are now being actively exploited in the wild. One is patched. Two are not.
Why Security Software Running as SYSTEM Is Always a Liability
Antivirus products occupy an uncomfortable position in system architecture. To catch rootkits, intercept file system calls, and inspect process memory, they need the deepest possible access to the OS. That means high privilege. Multiple Defender components run as SYSTEM or as Protected Process Light (PPL), and that's not a configuration error — it's the only way the software can do what it's supposed to do.
The trade-off is that every vulnerability in that high-privilege code is a vulnerability running with the maximum trust the OS can grant. A bug in your browser's PDF renderer gives an attacker browser-level access. A bug in Defender's remediation logic gives an attacker SYSTEM.
This isn't a new insight. Researchers have found LPE vulnerabilities in virtually every major antivirus product — in scanning engines, kernel drivers, update mechanisms, quarantine handlers. AVG, Symantec, Trend Micro, Kaspersky, and Microsoft have all shipped high-privilege bugs over the years. The specific problem with the current Defender situation is the nature of the attack surface: it's the update and shadow copy logic, which runs on a predictable schedule, which an attacker on the machine can anticipate and interact with.
The TOCTOU class of bug is particularly common in security software because remediation workflows inherently involve checking a file's state, doing something about it, and relying on that state not having changed in between. Race conditions live in those gaps. Defender apparently has multiple such gaps, not just one.
The unpatched state of RedSun and UnDefend is the part that should concern you most today. Microsoft has referenced coordinated vulnerability disclosure policy in its public statements but has not committed to a timeline. Chaotic Eclipse appears to have released these publicly because the initial disclosure response was inadequate. Whether that's a proportionate response depends on your view of disclosure ethics. What's not debatable is that both PoCs are now public, functional, and being used by real attackers.
There's also a secondary consideration: the SNEK project independently reimplemented BlueHammer as SNEK_BlueWarHammer.exe — with full Visual Studio 2022 build instructions and precompiled binaries. The number of people capable of weaponizing this exploit is no longer limited to people who can read a raw PoC.
What To Do
For individual Windows users:
1. Check your Defender platform version. Open Windows Security → Virus & threat protection → Protection updates → Antimalware Client Version. It should be 4.18.26030.3011 or later. If it's not, click "Check for updates" immediately. This covers BlueHammer (CVE-2026-33825).
2. Verify Tamper Protection is on. In Windows Security → Virus & threat protection settings, Tamper Protection should be toggled on. This is the strongest available control against UnDefend: it prevents unauthorized processes from changing Defender settings, including update configuration. It should be on by default in Windows 11, but confirm it.
3. Run Windows Update fully. This week's Patch Tuesday also fixed CVE-2026-32201, an actively exploited SharePoint Server spoofing flaw, and CVE-2026-34621, an 8.6-CVSS prototype pollution zero-day in Adobe Acrobat being exploited since December 2025. Don't just update Defender — patch the full system.
4. Watch for an out-of-band patch. Microsoft is under real pressure to release emergency fixes for RedSun and UnDefend before the next Patch Tuesday. Monitor your Defender platform version. In PowerShell, run Get-MpComputerStatus and check the AMProductVersion field. If it bumps in the next week, something was silently patched.
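Steps 1, 2 and 4 can be checked in one pass from an elevated PowerShell prompt. The script below is an added example, not from the article or from Microsoft; it assumes the built-in Defender module, uses the 4.18.26030.3011 floor cited above, and treats the 48-hour signature-age threshold as an assumed value you may tune.

```powershell
# Added example (not from the article): baseline Defender health checks for the
# three issues discussed. Assumes an elevated session on Windows 10/11 with the
# Defender PowerShell module; the platform floor is the BlueHammer fix version.
$PatchedPlatform      = [version]'4.18.26030.3011'   # fix for CVE-2026-33825
$MaxSignatureAgeHours = 48                            # assumption: alert if updates look stalled

$status   = Get-MpComputerStatus
$findings = @()

# Step 1 / step 4: platform version older than the fix means BlueHammer still works here.
$platform = [version]$status.AMProductVersion
if ($platform -lt $PatchedPlatform) {
    $findings += "Platform $platform is older than $PatchedPlatform; run 'Check for updates'."
}

# Step 2: Tamper Protection is the strongest available control against an
# unprivileged process rewriting Defender's update configuration (UnDefend).
if (-not $status.IsTamperProtected) {
    $findings += "Tamper Protection is OFF; enable it under Virus & threat protection settings."
}

# UnDefend's effect is that signature updates stop arriving, so a signature set
# that stops advancing is a symptom worth alerting on even before a patch ships.
$sigAge = (Get-Date) - $status.AntivirusSignatureLastUpdated
if ($sigAge.TotalHours -gt $MaxSignatureAgeHours) {
    $findings += ("Signatures last updated {0:N1} h ago (version {1}); verify the update path." -f
                  $sigAge.TotalHours, $status.AntivirusSignatureVersion)
}

# Real-time protection must be running for any new signature to matter.
if (-not $status.RealTimeProtectionEnabled) {
    $findings += "Real-time protection is disabled."
}

if ($findings.Count -eq 0) {
    Write-Output ("OK: platform {0}, tamper protection on, signatures {1:N1} h old." -f
                  $platform, $sigAge.TotalHours)
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

Run it from a scheduled task and forward the warnings to your ticketing or SIEM so a version that fails to bump, or a signature age that keeps growing, is noticed without anyone opening Windows Security by hand.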
For admins and IT teams:
5. Confirm Protected Process Light is active. PPL significantly raises the bar for TOCTOU and memory-access attacks against Defender components by restricting which processes can open handles to Defender with write access. Check HKLM\SYSTEM\CurrentControlSet\Services\WinDefend for the PPLMode value. This is configurable via Intune or Group Policy and should be enabled on all managed endpoints.
6. Build detection rules around the observed attack chain. BlueHammer generates specific artifacts. Monitor for: Event ID 7045 (new service installed) in the System log, Event ID 4624 (logon) from LSASS involving local administrator accounts you don't expect to see active, and process access events where non-backup software touches \\.\GLOBALROOT\Device\HarddiskVolumeShadowCopy* device paths. That last one is unusual enough that it should fire an alert in most EDR configurations.
7. Audit local administrator accounts. The BlueHammer chain relies on resetting a local admin account's password and authenticating with it. If your Windows estate doesn't use LAPS (Local Administrator Password Solution) to randomize local admin passwords per-machine, now is a good time to deploy it. Consistent local admin passwords across a fleet are an enormous force multiplier for lateral movement after this kind of exploit.
8. Reduce interactive logon surface. These vulnerabilities all require a local foothold. Every policy that limits local logon reduces the blast radius: no interactive logon on servers, RDP restricted to jump hosts, no persistent interactive sessions on workstations for service accounts. Standard stuff, but it matters here.
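For steps 5 and 6, the following added example (not from the article) reads the PPLMode value the article names and then hunts the two Windows-native artifacts of the BlueHammer chain in the event logs: new service installs (7045) and logons by local, non-domain accounts (4624). It assumes an elevated session; the 7-day window is an assumed default, and the shadow-copy device-path access check is left to your EDR because the standard logs do not record it.

```powershell
# Added example (not from the article): step 5 registry check plus a first-pass
# hunt for the step 6 artifacts. Assumes an elevated session; $Since is assumed.
$Since = (Get-Date).AddDays(-7)

# Step 5: confirm Protected Process Light mode on the WinDefend service key.
$ppl = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\WinDefend' `
                        -Name PPLMode -ErrorAction SilentlyContinue
if ($null -eq $ppl -or $ppl.PPLMode -eq 0) {
    Write-Warning "PPLMode is missing or 0 on WinDefend; enforce PPL via Intune or Group Policy."
} else {
    Write-Output "PPLMode = $($ppl.PPLMode)"
}

# Helper: flatten an event's <EventData> into a name -> value hashtable.
function ConvertTo-EventData ([System.Diagnostics.Eventing.Reader.EventRecord]$Event) {
    $xml = [xml]$Event.ToXml()
    $d = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    return $d
}

# Step 6a: Event ID 7045 in the System log. BlueHammer registers a service that
# launches cmd.exe as SYSTEM, so every ImagePath here deserves a look.
Write-Output "`n== New services (7045) since $Since =="
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $Since } -ErrorAction SilentlyContinue |
  ForEach-Object {
      $d = ConvertTo-EventData $_
      [pscustomobject]@{ Time = $_.TimeCreated; Service = $d['ServiceName']
                         ImagePath = $d['ImagePath']; Account = $d['AccountName'] }
  } | Format-Table -AutoSize

# Step 6b: Event ID 4624 where TargetDomainName is this machine rather than the
# domain, i.e. a LOCAL account logged on. The chain authenticates as a local
# Administrator whose password it just reset, so unexpected local logons matter.
Write-Output "`n== Local-account logons (4624) since $Since =="
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $Since } -ErrorAction SilentlyContinue |
  ForEach-Object {
      $d = ConvertTo-EventData $_
      if ($d['TargetDomainName'] -eq $env:COMPUTERNAME -and $d['LogonType'] -in @('2','3','9','10')) {
          [pscustomobject]@{ Time = $_.TimeCreated; User = $d['TargetUserName']
                             LogonType = $d['LogonType']; Process = $d['LogonProcessName'] }
      }
  } | Format-Table -AutoSize
```

On a domain-joined fleet the 4624 list should be short or empty outside of LAPS-driven admin sessions; anything else is a lead, especially when it lines up in time with a 7045 entry.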
The Closer
There's something illustrative about the disclosure timeline. BlueHammer was publicly released because the researcher felt the private disclosure process wasn't moving fast enough. Two more zero-days followed the moment the first one was patched. The message, delivered in executable form, is that there's more to find.
That's not a threat — it's probably true. Defender's interaction with VSS, Cloud Files callbacks, and its remediation-and-update logic represents a complex set of privileged operations that run on a predictable schedule on every Windows machine. TOCTOU bugs live in exactly these kinds of time-sensitive, high-privilege workflows. Finding one often means there are others nearby.
Microsoft runs some of the best security research talent in the world internally. They'll find and fix the remaining issues. But the window between "PoC on GitHub" and "patch in Windows Update" is measured in days, and attackers are operating in that window right now.
The deeper issue is structural. Your antivirus is software. It has bugs. Some of those bugs run as SYSTEM. Treating your security tooling as inherently trustworthy — never patching it, never monitoring it, never auditing its attack surface — is the same mistake we've been making with firewalls and VPNs for fifteen years. The software that's supposed to catch intrusions has to be on the list of things you're monitoring for intrusions.
Sources: Help Net Security, The Hacker News, BleepingComputer, SecurityWeek, RH-ISAC, Cyderes, Picus Security, CISA KEV