
Three Microsoft Defender Zero-Days Exploited Since April 10, Two Still Unpatched

By Infonaligy

One of three actively exploited Defender zero-days silently blocks antivirus updates. Here's a 5-minute self-check and what to ask your IT provider.


Your antivirus may have quietly stopped updating itself, and nothing on your screen would tell you. Since April 10, 2026, attackers have been exploiting three zero-day vulnerabilities in Microsoft Defender. Microsoft patched one of them in the April Patch Tuesday release. The other two remain unpatched, and one of them, known as UnDefend, silently blocks Defender from downloading new threat definitions. That means Defender keeps running and looks normal, but it stops learning about new threats.

If your business relies on Microsoft Defender for endpoint protection, you need to verify that definition updates are still working. This post covers what happened, how to check your systems in five minutes, and what to ask your IT provider today.

Three Vulnerabilities, One Patch

Microsoft disclosed three Defender zero-days that have been actively exploited since at least April 10. Here is the current status of each:

Name       | CVE            | Type                                          | Status
BlueHammer | CVE-2026-33825 | Local privilege escalation                    | Patched (April 15 Patch Tuesday)
RedSun     | TBD            | Local privilege escalation                    | Unpatched
UnDefend   | TBD            | Denial of service (blocks definition updates) | Unpatched

BlueHammer (CVE-2026-33825) allows an attacker who already has access to a system to escalate their privileges. Microsoft patched this in the April cumulative update. If your endpoints are current on Windows updates, you are covered for this one.

RedSun is a separate privilege escalation vulnerability that also requires local access. Attackers who get an initial foothold on a workstation through phishing or stolen credentials can use RedSun to gain administrative access. No patch is available yet.

UnDefend is the one that should concern business owners most. It triggers a denial-of-service condition in Defender’s update mechanism, preventing the download of new virus definitions. Defender continues to run and scan files, but it only recognizes threats it knew about before the attack. Any malware whose signature was released after that point is invisible to Defender’s definition-based scanning, and nothing in the user interface calls attention to the problem.

Why UnDefend Is the Biggest Risk for Small Businesses

Most SMBs use Microsoft Defender as their primary (and often only) endpoint protection. It ships with Windows, it integrates with Microsoft 365, and it works well when properly maintained. But that reliance becomes a single point of failure when the update mechanism is compromised.

According to reporting from Malwarebytes, security researchers have observed attackers running hands-on-keyboard reconnaissance commands like whoami /priv and net group "domain admins" on compromised systems. This indicates targeted, human-operated attacks rather than automated malware. Attackers are mapping out victim environments and escalating access deliberately.

The combination is dangerous: UnDefend freezes your antivirus definitions, and RedSun or other techniques give the attacker elevated access. Your endpoint protection is effectively blind while an attacker moves through your network with administrative privileges.

This affects both the free built-in version of Microsoft Defender and the paid Defender for Endpoint. The underlying update mechanism is the same.

The 5-Minute Self-Check

You do not need to wait for your IT provider to verify whether your systems are affected. Any employee with a Windows computer can check this in about five minutes.

On each Windows computer:

  1. Click the Start menu and type “Windows Security,” then open the app
  2. Select Virus & threat protection
  3. Under “Virus & threat protection updates,” look for the “Last updated” date and time
  4. If the date is more than 48 hours old, your definitions are stale

What a healthy system looks like: The “Last updated” timestamp should be within the last 24 hours. Defender downloads new definitions multiple times per day. If you see a date from last week, or worse, from April 10 or earlier, something is wrong.

What to do if definitions are stale:

  • Click “Check for updates” in the Virus & threat protection updates section
  • If the update fails or the date doesn’t change, do not ignore it. Report it to your IT team immediately
  • Do not assume the computer is safe just because Defender shows a green checkmark. The checkmark means Defender is running, not that it has current definitions

If you manage more than a handful of computers, checking each one manually is not realistic. Your IT provider should be able to query definition update status across all endpoints remotely using Microsoft Intune, Microsoft Defender for Endpoint, or your endpoint detection and response platform.
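The same check, scripted so it can be run on one machine or pushed to a list of hosts, as an added example rather than code from the original post or from Microsoft. It uses the built-in Defender cmdlets Get-MpComputerStatus and Update-MpSignature; the script name, the 48-hour threshold from the self-check above and the host names are this example's own choices, and the remote path assumes PowerShell Remoting (WinRM) is enabled on the targets.

```powershell
# Added example, not from the original post or from Microsoft. Reports Defender
# definition currency for the local machine or a list of remote hosts and, with
# -TryUpdate, attempts a signature refresh where definitions are stale.
# Assumptions: the Defender PowerShell module is present on each target (it ships
# with Windows), and remote hosts accept PowerShell Remoting. Host names used
# when calling the script are placeholders.
# Usage (hypothetical file name):
#   .\Check-DefenderDefinitions.ps1
#   .\Check-DefenderDefinitions.ps1 -ComputerName WS01,WS02,WS03 -TryUpdate

param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),
    [int]$MaxAgeHours = 48,     # the "more than 48 hours old" threshold from the self-check
    [switch]$TryUpdate
)

# Runs on each target. Returns one record per machine.
$probe = {
    param([int]$MaxAgeHours, [bool]$TryUpdate)

    $status = Get-MpComputerStatus
    $age    = (Get-Date) - $status.AntivirusSignatureLastUpdated
    $stale  = $age.TotalHours -gt $MaxAgeHours
    $updateResult = 'not attempted'

    if ($stale -and $TryUpdate) {
        try {
            Update-MpSignature -ErrorAction Stop
            # Re-read after the update so the record reflects the new state.
            $status = Get-MpComputerStatus
            $age    = (Get-Date) - $status.AntivirusSignatureLastUpdated
            $stale  = $age.TotalHours -gt $MaxAgeHours
            $updateResult = if ($stale) { 'ran, definitions still stale' } else { 'succeeded' }
        } catch {
            # This is the symptom the post describes: the engine is up but cannot fetch definitions.
            $updateResult = "failed: $($_.Exception.Message)"
        }
    }

    [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        SignatureVersion   = $status.AntivirusSignatureVersion
        LastUpdated        = $status.AntivirusSignatureLastUpdated
        AgeHours           = [math]::Round($age.TotalHours, 1)
        RealTimeProtection = $status.RealTimeProtectionEnabled   # "green checkmark" is not the same as current definitions
        Stale              = $stale
        UpdateAttempt      = $updateResult
    }
}

$results = foreach ($c in $ComputerName) {
    if ($c -ieq $env:COMPUTERNAME -or $c -ieq 'localhost') {
        & $probe $MaxAgeHours $TryUpdate.IsPresent
    } else {
        Invoke-Command -ComputerName $c -ScriptBlock $probe `
            -ArgumentList $MaxAgeHours, $TryUpdate.IsPresent -ErrorAction Continue
    }
}

$results |
    Sort-Object Stale -Descending |
    Format-Table Computer, SignatureVersion, LastUpdated, AgeHours, RealTimeProtection, Stale, UpdateAttempt -AutoSize

# Non-zero exit so a scheduled run or RMM job can alert on it.
$staleHosts = @($results | Where-Object Stale)
if ($staleHosts.Count -gt 0) {
    Write-Warning ("{0} host(s) have definitions older than {1} hours: {2}" -f `
        $staleHosts.Count, $MaxAgeHours, ($staleHosts.Computer -join ', '))
    exit 1
}
```

A host that reports RealTimeProtection = True with Stale = True is exactly the state the post warns about: the engine is running, the interface looks healthy, and the definitions are frozen. Hosts that cannot be reached over Remoting are reported as errors rather than silently skipped, so treat an unreachable machine as unchecked, not as healthy.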

What to Ask Your IT Provider This Week

Two of these three vulnerabilities have no patch yet. That means patching alone does not solve the problem. Your IT provider needs to be taking active steps to reduce your risk until Microsoft releases fixes for RedSun and UnDefend.

Here are the specific questions to ask:

  1. Has the BlueHammer patch (CVE-2026-33825) been deployed to all our endpoints? The April cumulative update includes this fix. Any machine that hasn’t received the April Patch Tuesday update is still vulnerable. Ask for a compliance report showing deployment status across your fleet. If your organization manages patching with a tool like ConnectWise, your IT team should be able to pull this data quickly. For more on how automated patch management works, see our earlier post on the topic.

  2. Are Defender definition updates flowing normally across all machines? Your IT provider should be able to check definition currency across every managed endpoint in minutes. If any machines show stale definitions, those need immediate investigation.

  3. Are least-privilege policies enforced on user accounts? Both BlueHammer and RedSun are privilege escalation vulnerabilities. They are far less useful to an attacker if user accounts already have minimal permissions. If employees are running as local administrators, fixing that alone significantly reduces your exposure.

  4. Are you monitoring for suspicious reconnaissance activity? Attackers exploiting these vulnerabilities have been observed running commands like whoami /priv and net group on compromised systems. These commands are unusual in normal business operations. Your IT provider’s managed security tools should be able to flag this kind of activity.

  5. Do we have supplemental endpoint protection beyond Defender? When your primary security tool has known, unpatched vulnerabilities, layered defense matters. Solutions like SentinelOne or Bitdefender can be deployed on the same endpoints and catch threats that Defender might miss while its definitions are frozen. One practical caveat: on Windows client editions, registering a third-party antivirus puts Defender Antivirus into passive or disabled mode, so in practice the other engine takes over real-time scanning rather than running in parallel; plan the rollout with that in mind. Ask your IT provider whether supplemental protection makes sense for your environment until Microsoft ships patches for the remaining two vulnerabilities.

  6. Are you watching for an out-of-band patch from Microsoft? Given the severity of active exploitation with no available fix, Microsoft may release an emergency patch outside the normal monthly cycle. Your IT provider should be prepared to deploy it immediately when it arrives.
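Questions 3 and 4 above both have a concrete check behind them. The following script is an added example, not code from the original post or from Malwarebytes: it hunts the local Security log for the reconnaissance commands the post mentions (whoami /priv, net group "domain admins" and close relatives) and lists who holds local administrator rights. It assumes process-creation auditing (event ID 4688) is enabled and that the "Include command line in process creation events" policy is on; the pattern list, the look-back window and the script name are this example's own choices.

```powershell
# Added example, not from the original post. Hunts the Security log for the
# hands-on-keyboard reconnaissance commands described in the post and audits the
# local Administrators group. Run elevated.
# Assumptions: event 4688 (process creation) is audited; command-line logging is
# enabled via the ProcessCreationIncludeCmdLine_Enabled policy, otherwise only the
# process name can be matched. The patterns below are illustrative, not a complete list.
# Usage (hypothetical file name):  .\Hunt-DefenderRecon.ps1 -LookBackHours 72

param([int]$LookBackHours = 24)

# Warn if command lines are not being recorded; without them "net.exe" alone is noisy.
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
$cmdAudit = Get-ItemProperty -Path $auditKey -Name ProcessCreationIncludeCmdLine_Enabled -ErrorAction SilentlyContinue
if (-not $cmdAudit -or $cmdAudit.ProcessCreationIncludeCmdLine_Enabled -ne 1) {
    Write-Warning 'Command-line logging for event 4688 is not enabled; matching on process name only.'
}

# Process name plus a command-line regex. whoami /priv and net group "domain admins"
# are the two commands reported in the post; the rest are common companions.
$reconPatterns = @(
    @{ Name = 'whoami.exe'; Pattern = '/priv|/groups|/all' }
    @{ Name = 'net.exe';    Pattern = 'group\s+"?domain admins"?|localgroup\s+administrators' }
    @{ Name = 'net1.exe';   Pattern = 'group\s+"?domain admins"?|localgroup\s+administrators' }
    @{ Name = 'nltest.exe'; Pattern = '/dclist|/domain_trusts' }
)

$since  = (Get-Date).AddHours(-$LookBackHours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } `
            -ErrorAction SilentlyContinue

$hits = foreach ($e in $events) {
    # Pull the named EventData fields out of the event XML.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    $proc = [IO.Path]::GetFileName($data['NewProcessName'])
    $cmd  = $data['CommandLine']

    foreach ($p in $reconPatterns) {
        if ($proc -ine $p.Name) { continue }
        $noCmdLine = [string]::IsNullOrEmpty($cmd)
        if ($noCmdLine -or $cmd -match $p.Pattern) {
            [pscustomobject]@{
                Time        = $e.TimeCreated
                User        = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                Process     = $proc
                CommandLine = $cmd
                Parent      = $data['ParentProcessName']
                Note        = if ($noCmdLine) { 'process name only; command line not logged' } else { 'pattern match' }
            }
        }
    }
}

"== Reconnaissance-style process launches in the last $LookBackHours hour(s) =="
if ($hits) { $hits | Sort-Object Time | Format-Table -AutoSize } else { 'none found' }

# Least-privilege check: every ordinary user account in this group is a direct
# escalation target and makes BlueHammer/RedSun far less necessary for an attacker.
"== Members of the local Administrators group =="
Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, ObjectClass, PrincipalSource |
    Format-Table -AutoSize

if ($hits) { exit 1 }
```

A hit from a service account or a scripted inventory job can be legitimate; the point is that these commands should be rare and explainable on a workstation, so every line the script prints deserves a name and a reason. The same logic maps directly onto a Sysmon event ID 1 or EDR process-creation query if you would rather hunt centrally than host by host.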

Patching Is Not the Whole Answer Here

With typical zero-day advisories, the guidance is straightforward: apply the patch, confirm deployment, move on. This situation is different because two of the three vulnerabilities cannot be patched yet. The only defenses available right now are monitoring, configuration hardening, and supplemental detection.

That makes this a good time to evaluate whether your organization’s security posture depends too heavily on a single tool. Microsoft Defender is a capable product, but when it has unpatched vulnerabilities that can silently disable its own updates, relying on it as your only layer of protection leaves a gap. A cybersecurity risk assessment can identify these kinds of single points of failure across your environment.

We will update this post when Microsoft releases patches for RedSun and UnDefend. In the meantime, verify your definition updates are current and have the conversation with your IT provider about the steps above.

Need Help Verifying Your Defender Status?

Our team can check your entire endpoint fleet for stale definitions, confirm patch deployment, and implement monitoring for these active exploits.
