Over 1 billion Windows users at risk after disgruntled security researcher leaks Defender zero-days
Three zero-day exploits are now available online and they’re already being used in attacks
Even though those constant notifications can be annoying, having Windows 11’s built-in antivirus, Microsoft Defender, is ultimately a lifesaver. But what if the very software designed to protect your PC could be tricked into attacking it?
This is exactly what’s happening with three dangerous new zero-day flaws.
As reported by BleepingComputer, a disgruntled security researcher recently went public with the vulnerabilities. Posting under the alias Chaotic Eclipse, the researcher leaked the exploits as a direct protest against how the Microsoft Security Response Center (MSRC) handles bug disclosures. Essentially, he decided that if Microsoft wouldn't listen to his private warnings, he’d let the rest of the world see the code for itself.
Unlike a standard bug, these "zero-days" are a massive headache because there isn’t a patch available yet — leaving even the best Windows laptops and desktops vulnerable to active attacks.
Here’s everything you need to know about the BlueHammer, RedSun, and UnDefend vulnerabilities and, more importantly, how to stay safe until a fix arrives.
Already exploited in the wild
Of the three now-disclosed zero-days, BlueHammer and RedSun are local privilege escalation flaws that affect Microsoft Defender. This means that in order to exploit them, a hacker would need direct, physical access to your Windows laptop or PC. Meanwhile, the third zero-day, dubbed UnDefend, can be exploited as a standard user to block Microsoft Defender’s own updates.
In a post on X, the cybersecurity firm Huntress revealed that it had already seen reports of all three zero-days being actively exploited in the wild. When dangerous zero-days fell right into their lap, cybercriminals wasted no time weaponizing them against vulnerable Windows systems.
Fortunately, Microsoft patched the BlueHammer vulnerability (now tracked as CVE-2026-33825) in its April 2026 security updates. In fact, yesterday, I noticed that two of the best mini PCs at my home had restarted out of the blue after automatically installing this update on their own.
It’s not all good news, though: at the time of writing, the RedSun and UnDefend vulnerabilities remain unpatched. Of the two, RedSun is particularly dangerous since it can be exploited to gain SYSTEM privileges on both Windows 10 and Windows 11.
The researcher provided further insight on just what his RedSun exploit is capable of in a post on Microsoft’s own GitHub, saying:
"When Windows Defender realizes that a malicious file has a cloud tag, for whatever stupid and hilarious reason, the antivirus that's supposed to protect decides that it is a good idea to just rewrite the file it found again to its original location. The PoC abuses this behaviour to overwrite system files and gain administrative privileges."
Essentially, if a malicious file has this 'cloud tag,' Microsoft Defender gets confused. Instead of deleting the threat, it actually copies the virus back onto your hard drive into a restricted system folder. Since the antivirus software is the one doing the moving, the computer doesn't double-check it — giving the virus 'Admin' powers to take over your entire PC. With admin-level privileges, it can now delete files, install spyware or even lock you out of your own computer.
How to keep your Windows PC safe
In order to stay protected from these three new Microsoft Defender zero-days, the first and most important thing you should do is to install Microsoft’s April 2026 security updates ASAP. This won’t patch all three flaws but it will protect you from any attacks exploiting the BlueHammer vulnerability.
As for the other two vulnerabilities, you’re just going to have to wait until Microsoft addresses them. Given the threat they pose, you’re going to want to regularly check for updates by going to Settings > Windows Update > Check for updates. When a fix arrives, you should install it as soon as you can to prevent falling victim to any attacks leveraging these new zero-days.
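Because UnDefend is described above as blocking Defender’s own updates, the check a practitioner actually wants while waiting for a patch is whether Defender’s signatures and engine are still current and whether a forced update takes effect. The following PowerShell health check is an added example, not code from the article or from Microsoft; it relies on the built-in Defender cmdlets, and the two-day staleness threshold is an assumption.

```powershell
# Added example: Defender update-health check (not part of the article).
# Run in an elevated PowerShell on Windows 10/11 with the Defender module present.

$MaxSignatureAgeDays = 2   # assumption: signatures older than this deserve a look

$status = Get-MpComputerStatus

# Summarise the versions and ages Defender reports about itself.
[pscustomobject]@{
    ProductVersion       = $status.AMProductVersion
    EngineVersion        = $status.AMEngineVersion
    SignatureVersion     = $status.AntivirusSignatureVersion
    SignatureLastUpdated = $status.AntivirusSignatureLastUpdated
    SignatureAgeDays     = $status.AntivirusSignatureAge
    RealTimeProtection   = $status.RealTimeProtectionEnabled
} | Format-List

if ($status.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
    Write-Warning "Signatures are $($status.AntivirusSignatureAge) days old; forcing an update."
    try {
        Update-MpSignature -ErrorAction Stop
        $after = Get-MpComputerStatus
        if ($after.AntivirusSignatureVersion -eq $status.AntivirusSignatureVersion) {
            # A forced update that changes nothing is the symptom to investigate:
            # it is what a blocked update channel looks like from the outside.
            Write-Warning "Signature version unchanged after Update-MpSignature; check whether Defender updates are being blocked."
        } else {
            Write-Host "Signatures updated to $($after.AntivirusSignatureVersion)."
        }
    } catch {
        Write-Warning "Update-MpSignature failed: $($_.Exception.Message)"
    }
} else {
    Write-Host "Defender signatures are current ($($status.AntivirusSignatureAge) day(s) old)."
}

# Defender's operational log records its own update outcomes:
# 2000 = signatures updated, 2001 = signature update failed, 2002 = engine updated.
Get-WinEvent -LogName 'Microsoft-Windows-Windows Defender/Operational' -MaxEvents 50 |
    Where-Object { $_.Id -in 2000, 2001, 2002 } |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message.Split("`n")[0] } } |
    Format-Table -AutoSize
```

A run of 2001 events with no 2000 following them, or a signature age that keeps growing after Update-MpSignature, is the point at which to treat the machine as potentially affected and escalate.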
Although Microsoft Defender has improved significantly over the years, in this case, you may also want to turn to the best antivirus software for additional protection. Unlike Windows’ built-in security software, paid antivirus solutions are updated more frequently and they can help fill in any gaps in your protection. Many of them also include useful extras like access to a VPN, password manager and even cloud backup.
As for that disgruntled security researcher, his days of collecting bug bounties from Microsoft are certainly over. For the rest of us though, it’s just a waiting game until the software giant fully patches the remaining two zero-day flaws.
Anthony Spadafora is the managing editor for security and home office furniture at Tom’s Guide where he covers everything from data breaches to password managers and the best way to cover your whole home or business with Wi-Fi. He also reviews standing desks, office chairs and other home office accessories with a penchant for building desk setups. Before joining the team, Anthony wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he’s not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home.