Six Microsoft Defender Zero-Days in 90 Days: BlueHammer, RedSun, UnDefend, GreenPlasma, YellowKey, RoguePlanet — Three Exploited Before Patches, One Still Open Today
Immediate RoguePlanet mitigations: enable the ASR rules that block exploited signed drivers and LSASS credential theft; deploy WDAC or AppLocker to block unknown binaries; remove local admin rights from standard users; monitor for FunnyApp.exe, RedSun.exe, undef.exe and z.exe; alert on the Defender detection Exploit:Win32/DfndrPEBluHmr.BZ.
Sources: SecurityWeek · Bleeping Computer · Picus Security · Rescana · CybelAngel · The Hacker News · Huntress · Threat-Modeling.com · CISA KEV Catalog | Researcher: Chaotic Eclipse / Nightmare Eclipse | Vulnerabilities: 6 total (BlueHammer, RedSun, UnDefend, GreenPlasma, YellowKey, RoguePlanet) | Exploited in wild: CVE-2026-33825 · CVE-2026-41091 · CVE-2026-45498 | Unpatched: RoguePlanet (CVE-2026-50656) | CISA KEV: CVE-2026-33825 | CVSS BlueHammer: 7.8 | Affected: Windows 10, 11, Server 2016–2026
One disgruntled researcher. Six zero-days in 90 days. Three exploited before Microsoft issued patches. One still unpatched today.
Between April and June 2026, a security researcher operating under the aliases Chaotic Eclipse and Nightmare Eclipse published six zero-day exploits targeting Microsoft Defender and Windows core components in rapid succession — deliberately, publicly, and without prior coordination with Microsoft. Three were confirmed exploited in the wild before Microsoft issued patches. One — RoguePlanet — remains unpatched as of July 1, 2026, and works on fully updated Windows 10 and Windows 11 systems with the June 2026 cumulative update installed.
The story behind this campaign is as significant as the vulnerabilities themselves. Chaotic Eclipse alleges that Microsoft's Security Response Center mishandled their initial disclosures. When the researcher went public with BlueHammer, Microsoft responded with what the security community widely read as legal threats, and the researcher's GitHub and GitLab accounts were taken down. The result: a public feud that drove one of the most sustained sequences of weaponized Defender zero-day disclosures in Windows history, near-universal condemnation of Microsoft's response from the research community, and a live, unpatched SYSTEM-level exploit that works against fully updated Windows 10 and Windows 11 clients today.
| Exploit | CVE | Mechanism | Patch Status | Wild Exploitation |
|---|---|---|---|---|
| BlueHammer | CVE-2026-33825 (CVSS 7.8) | TOCTOU in Defender update → NTFS junction redirect → SYSTEM write to System32 | ✅ April 14, 2026 — Platform 4.18.26040.1011 | ✅ April 10 — CISA KEV |
| UnDefend | CVE-2026-45498 | Disrupts Defender definition updates — progressively degrades protection | ✅ Patched | ✅ Confirmed |
| RedSun | CVE-2026-41091 | Alternative LPE via Defender cloud-tagged file handling → system path overwrite | ✅ Patched | ✅ Confirmed |
| GreenPlasma | TBD | Windows component LPE | ✅ June 2026 Patch Tuesday | Unknown |
| YellowKey | TBD | Windows component LPE — Microsoft issued mitigation advisory before patch | ✅ June 2026 Patch Tuesday | Unknown |
| RoguePlanet | CVE-2026-50656 (CVSS 7.8) | TOCTOU in Defender real-time scanner → SYSTEM shell on fully patched Win10/11 | 🔴 NO PATCH — July PT expected | PoC public — exploitation expected |
BlueHammer — how Defender’s own remediation logic became the attack
BlueHammer is a Time-of-Check to Time-of-Use (TOCTOU) race condition in Microsoft Defender’s file remediation engine. The technical chain, documented by Picus Security:
- Trigger a Defender detection — present a crafted file that Defender’s signature engine identifies as malicious and queues for remediation.
- Replace the file with a Windows Cloud Files API placeholder — a stub telling the filesystem the content is stored in the cloud.
- As Defender initiates its rollback process, use NTFS junctions and opportunistic locks (oplocks) to pause execution midway and redirect the target path.
- Redirect the rollback target to C:\Windows\System32. Defender resumes, follows the redirected path, and writes attacker-controlled content with SYSTEM-level privileges.
- Overwrite a system binary, achieving SYSTEM-level code execution from an unprivileged standard user account.
Huntress observed the first in-the-wild attacks on April 10 — three days after the PoC dropped, four days before Microsoft’s patch. A community-improved fork with bug fixes and documentation circulated widely, further lowering the exploitation barrier. CISA added CVE-2026-33825 to its KEV catalog and ordered federal agencies to patch by May 6.
UnDefend + RedSun — degrade then escalate
BlueHammer, UnDefend and RedSun are designed to chain. UnDefend does not grant immediate privilege; it silently disrupts Defender's ability to update its threat definitions, so protection degrades gradually and invisibly over time. An attacker runs UnDefend first, waits for coverage to weaken, then runs BlueHammer or RedSun for SYSTEM access. By the time privilege escalation executes, Defender's ability to detect subsequent attacker activity has already been reduced. All three were confirmed exploited in the wild before patches existed. All three are now patched.
RoguePlanet — the one still open today
Dropped June 10 — hours after Microsoft’s record 200-CVE Patch Tuesday — RoguePlanet targets a TOCTOU race condition in Defender’s real-time scanning engine. A successful exploit spawns a Windows command prompt running as NT AUTHORITY\SYSTEM — the highest privilege level available. From that shell: install software, modify or delete any file, create accounts, disable Defender itself, extract credentials from LSASS memory.
Security researcher Will Dormann confirmed it works: “reportedly not 100% reliable, but it worked on the first attempt for me.” It does not currently work against Windows Server — standard users cannot mount ISO images on Server, which the exploit requires. Chaotic Eclipse states Server is also vulnerable and the exploit needs redesigning for that environment. No patch exists as of July 1, 2026. Expected in July Patch Tuesday or an out-of-band update.
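The brief's recommended monitoring for RoguePlanet is an unexpected NT AUTHORITY\SYSTEM process spawned by a Defender process. The script below is an added example, not code from the brief, Microsoft or the researcher: it implements that check against Sysmon process-creation events (Event ID 1). It assumes Sysmon is installed and logging Event ID 1; the Defender image names and the shell list are this example's choices rather than indicators from the brief, and the sample record is constructed, not a real capture, so the filter can be exercised on a machine without Sysmon.

```powershell
# Added example (not from the brief): hunt for a SYSTEM-context shell whose
# parent is a Defender binary, over Sysmon Event ID 1 records.
# Assumptions: Sysmon is logging process creation; image lists are illustrative.

$DefenderImages = @('MsMpEng.exe', 'MpCmdRun.exe', 'MpDefenderCoreService.exe', 'NisSrv.exe')
$ShellImages    = @('cmd.exe', 'powershell.exe', 'pwsh.exe', 'wscript.exe', 'cscript.exe', 'rundll32.exe')

function ConvertFrom-SysmonEvent {
    # Flatten the EventData section of a Sysmon event into name => value.
    param([Parameter(Mandatory)][xml]$EventXml)
    $fields = @{}
    foreach ($d in $EventXml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    return $fields
}

function Test-SystemShellFromDefender {
    # True when a SYSTEM-context shell has a Defender binary as its parent.
    param([Parameter(Mandatory)][hashtable]$Fields)
    $parent = [IO.Path]::GetFileName([string]$Fields['ParentImage'])
    $image  = [IO.Path]::GetFileName([string]$Fields['Image'])
    return (($DefenderImages -contains $parent) -and
            ($ShellImages -contains $image) -and
            ($Fields['User'] -eq 'NT AUTHORITY\SYSTEM'))
}

function Find-SystemShellFromDefender {
    # Live hunt over the last N hours of the Sysmon operational log.
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $f = ConvertFrom-SysmonEvent -EventXml ([xml]$_.ToXml())
        if (Test-SystemShellFromDefender -Fields $f) {
            [pscustomobject]@{ Time = $_.TimeCreated; Parent = $f['ParentImage']; Image = $f['Image']; CommandLine = $f['CommandLine'] }
        }
    }
}

# Constructed sample record in Sysmon's event-XML shape (not a real capture).
$SampleEvent = [xml]@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID></System>
  <EventData>
    <Data Name="Image">C:\Windows\System32\cmd.exe</Data>
    <Data Name="CommandLine">cmd.exe</Data>
    <Data Name="User">NT AUTHORITY\SYSTEM</Data>
    <Data Name="ParentImage">C:\Program Files\Windows Defender\MsMpEng.exe</Data>
  </EventData>
</Event>
'@

# Self-check of the filter on the constructed record, then the live hunt.
if (-not (Test-SystemShellFromDefender -Fields (ConvertFrom-SysmonEvent -EventXml $SampleEvent))) {
    Write-Warning 'Filter self-check failed'
}
Find-SystemShellFromDefender -Hours 24 | Format-Table -AutoSize
```

MsMpEng.exe legitimately launches MpCmdRun.exe and other Defender components, which is why the check keys on the child being a shell rather than on any child at all. Without Sysmon the same logic applies to Security event 4688 (NewProcessName, ParentProcessName, SubjectUserSid S-1-5-18) once process-creation auditing is enabled.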
The disclosure feud — and why the security community sided with the researcher
Microsoft’s response to the BlueHammer publication was widely read as a legal threat. GitHub and GitLab removed the researcher’s repositories under pressure. The security community’s reaction was immediate and unified against Microsoft. Kevin Beaumont: “Microsoft is attempting to misuse its ownership of GitHub to protect only its own products, and misuse its extensive links to law enforcement by branding publishing information about vulnerabilities in its own products as criminal behaviour.”
Microsoft’s statement: “We have no intention to pursue action against individuals conducting or publishing their security research. When an individual breaks the law and engages in malicious activity causing real harm to our customers, we will work with law enforcement as appropriate.” The conditional framing was the problem — the security community read “malicious activity causing real harm” as a characterization of publishing vulnerability research. PCMag published “Microsoft Threatens Researcher Over Bug Reports, Triggers Cybersecurity Outcry.” Pushing Chaotic Eclipse off mainstream platforms drove them to a self-hosted repository outside Microsoft’s reach — and the disclosures continued. Chaotic Eclipse’s own statement in the RoguePlanet writeup: “Microsoft’s efforts to protect Defender from path redirection attacks are useless. I have a batch of memory corruption vulnerabilities in Defender as well and not to mention the other batch of vulnerabilities I have in several other components.”
The pattern: security tooling is 2026’s highest-value attack surface
The Chaotic Eclipse saga is the most sustained example of the pattern DataWater has documented all year: security tooling has become attackers’ highest-value target. A vulnerability in the security tool is more valuable than any application it protects because security tools run with elevated privileges by design, are trusted and exempted by every other security control, are universally deployed (Defender ships on every Windows device), and are the last line of defense — compromising them eliminates detection simultaneously with gaining access.
DataWater has tracked this arc across CVE-2026-20253 in Splunk Enterprise, CVE-2026-34926 in Trend Micro Apex One, FortiSandbox exploited alongside FortiBleed, and now six Defender zero-days. The Verizon DBIR 2026 identified security tooling exploitation as a top-five initial access vector for the first time. This is a deliberate attacker category shift, not a coincidence.
What to do right now
- Verify the Defender platform version is 4.18.26040.1011 or later, which patches BlueHammer:
  `Get-MpComputerStatus | Select-Object AMProductVersion`
- Apply the June 2026 cumulative update, which patches RedSun, UnDefend, GreenPlasma and YellowKey.
- For RoguePlanet (no patch):
  — Enable the ASR rules Block abuse of exploited vulnerable signed drivers (56a863a9-875e-4185-98a7-b882c64b5ce5) and Block credential stealing from LSASS (9e6c4e1f-7d60-472f-ba1a-a39ef669e4b0). Neither rule stops the race itself; they limit what an attacker can do with the resulting SYSTEM shell.
  — Deploy WDAC or AppLocker to block unknown binaries
  — Remove local administrator rights from standard user accounts
  — Monitor for unexpected NT AUTHORITY\SYSTEM process spawns from Defender processes
- Alert on the IOC binaries FunnyApp.exe, RedSun.exe, undef.exe and z.exe, and on the Defender detection Exploit:Win32/DfndrPEBluHmr.BZ. File names are trivially changed, so treat these as a floor rather than a detection strategy.
- Treat the RoguePlanet patch as an emergency priority the moment Microsoft releases it. Average time-to-exploit for public PoCs in 2026 is five days. Do not wait for standard patch cycles.
- Verify third-party AV deployments: Defender components often remain active in passive mode even when another vendor is the primary scanner. Confirm your Defender exposure regardless of which AV is listed as primary.
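The checklist above can be run as a single audit. The script below is an added example, not code from the brief or from Microsoft: it reports the Defender platform version against the BlueHammer fix, the state of the two ASR rules, whether WDAC or AppLocker is enforcing for executables, any running process matching the IOC file names, and any detection-history entry for the BlueHammer signature. The version, GUIDs, IOC names and detection name are the ones the brief quotes; the definition-age threshold (a stale-definitions flag, relevant to UnDefend's degradation) and the decoding of rule actions and enforcement states are this example's own assumptions. Run it in an elevated PowerShell session on the endpoint.

```powershell
# Added example (not from the brief): one-shot audit of the listed mitigations.
# Constants come from the brief; thresholds and decodings are assumptions.

$FixedPlatform    = [version]'4.18.26040.1011'      # BlueHammer fix per the brief
$AsrRules = @{
    '56a863a9-875e-4185-98a7-b882c64b5ce5' = 'Block abuse of exploited vulnerable signed drivers'
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b0' = 'Block credential stealing from LSASS'
}
$IocBinaries      = @('FunnyApp.exe', 'RedSun.exe', 'undef.exe', 'z.exe')
$ExploitSignature = 'Exploit:Win32/DfndrPEBluHmr.BZ'
$MaxDefinitionAgeDays = 1                            # assumption: older than this deserves a look (UnDefend)

function Test-DefenderPlatform {
    $s = Get-MpComputerStatus
    [pscustomobject]@{
        Platform         = $s.AMProductVersion
        Engine           = $s.AMEngineVersion
        RunningMode      = $s.AMRunningMode          # 'Passive Mode' still loads the platform
        BlueHammerFixed  = ([version]$s.AMProductVersion -ge $FixedPlatform)
        SignatureAgeDays = $s.AntivirusSignatureAge
        DefinitionsStale = ($s.AntivirusSignatureAge -gt $MaxDefinitionAgeDays)
    }
}

function Get-AsrRuleState {
    $pref = Get-MpPreference
    $ids  = @($pref.AttackSurfaceReductionRules_Ids | ForEach-Object { $_.ToLower() })
    foreach ($id in $AsrRules.Keys) {
        $i = [array]::IndexOf($ids, $id)
        # Action values: 0 = Off, 1 = Block, 2 = Audit, 6 = Warn; absent rule = Off
        $action = if ($i -ge 0) { [int]$pref.AttackSurfaceReductionRules_Actions[$i] } else { 0 }
        [pscustomobject]@{ Rule = $AsrRules[$id]; Id = $id; Action = $action; Blocking = ($action -eq 1) }
    }
}

function Test-AppControl {
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    $al = Get-AppLockerPolicy -Effective -Xml -ErrorAction SilentlyContinue
    [pscustomobject]@{
        # UsermodeCodeIntegrityPolicyEnforcementStatus: 0 = Off, 1 = Audit, 2 = Enforced
        WdacUserModeStatus = $dg.UsermodeCodeIntegrityPolicyEnforcementStatus
        WdacEnforced       = ($dg.UsermodeCodeIntegrityPolicyEnforcementStatus -eq 2)
        AppLockerExeRules  = [bool]($al -and ($al -match '<RuleCollection Type="Exe" EnforcementMode="Enabled"'))
    }
}

function Find-IocProcess {
    # File-name match only; a renamed binary will not be caught.
    Get-Process | Where-Object { $IocBinaries -contains ($_.ProcessName + '.exe') } |
        Select-Object Id, ProcessName, Path
}

function Get-ExploitDetection {
    # Detection-history entries whose threat name is the brief's BlueHammer signature.
    $ids = @(Get-MpThreat -ErrorAction SilentlyContinue |
             Where-Object ThreatName -eq $ExploitSignature |
             Select-Object -ExpandProperty ThreatID)
    Get-MpThreatDetection -ErrorAction SilentlyContinue |
        Where-Object { $ids -contains $_.ThreatID } |
        Select-Object InitialDetectionTime, ProcessName, Resources
}

Test-DefenderPlatform
Get-AsrRuleState | Format-Table -AutoSize
Test-AppControl
Find-IocProcess
Get-ExploitDetection
```

A RunningMode of 'Passive Mode' with an old platform version is exactly the third-party-AV case the last bullet warns about: the vulnerable component is still on disk and loaded even though another vendor owns real-time scanning.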
Related DataWater Coverage
- → CVE-2026-20253: Splunk Enterprise CVSS 9.8 — Your SIEM as Attack Surface: CISA 3-Day Federal Deadline
- → CVE-2026-34926: Trend Micro Apex One — Endpoint Security Tool as Attack Vector, CISA KEV
- → Microsoft June 2026 Patch Tuesday — Record 200 CVEs, RoguePlanet Drops Hours Later
- → CVE-2026-46331 pedit COW — Linux Parallel: Kernel LPE with Detection Blind Spots
- → FortiBleed + FortiSandbox — Security Analysis Platform Also Exploited
- → Verizon DBIR 2026 — Security Tooling Exploitation as Top-Five Initial Access Vector for First Time
- → Browse the full DataWater threat archive →
Sources and further reading
- Bleeping Computer — CISA Orders Feds to Patch Microsoft Defender Flaw Exploited in Zero-Day Attacks
- SecurityWeek — Recent Microsoft Defender Vulnerability Exploited as Zero-Day (BlueHammer)
- SecurityWeek — Microsoft Working on Patch for RoguePlanet Zero-Day
- The Hacker News — Microsoft Defender RoguePlanet Zero-Day Grants SYSTEM Access on Updated Windows
- Picus Security — BlueHammer & RedSun: Windows Defender CVE-2026-33825 Zero-Day Explained
- CybelAngel — RoguePlanet: 7 Things Security Teams Need to Know Right Now
- Rescana — Active Exploitation Alert: Microsoft Defender Zero-Days Trigger Global Backlash
DataWater publishes daily cybersecurity intelligence for enterprise and government security leaders. Article #37 — July 1, 2026. Previous: Claude Code Reverse Shell — Mozilla 0DIN (July 1) · Device Code Phishing 37x Spike (June 29) · CVE-2026-46331 pedit COW (June 28). Browse the full threat brief archive →
