Six Microsoft Defender Zero-Days in 90 Days: BlueHammer, RedSun, UnDefend, GreenPlasma, YellowKey, RoguePlanet — Three Exploited Before Patches, One Still Open Today

PATCH STATUS — July 1, 2026: BlueHammer (CVE-2026-33825) — Patched April 14 (Defender Platform 4.18.26040.1011+). CISA KEV. RedSun (CVE-2026-41091) — Patched. UnDefend (CVE-2026-45498) — Patched. GreenPlasma & YellowKey — Patched June Patch Tuesday. RoguePlanet (CVE-2026-50656) — NO PATCH as of today. Works on fully patched Windows 10/11 with June 2026 cumulative update. Expected July Patch Tuesday or out-of-band update.

Immediate RoguePlanet mitigations: Enable ASR rules (block exploited signed drivers + block LSASS credential theft). Deploy WDAC or AppLocker to block unknown binaries. Remove local admin rights from standard users. Monitor for FunnyApp.exe, RedSun.exe, undef.exe, z.exe. Alert on Defender detection Exploit:Win32/DfndrPEBluHmr.BZ.
Six zero-days in 90 days. Three exploited before patches existed. One still open today. Microsoft’s own security tool — installed on every Windows device by default — systematically dismantled by a single disgruntled researcher. | DataWater Threat Brief, July 1, 2026

Sources: SecurityWeek · Bleeping Computer · Picus Security · Rescana · CybelAngel · The Hacker News · Huntress · Threat-Modeling.com · CISA KEV Catalog | Researcher: Chaotic Eclipse / Nightmare Eclipse | Vulnerabilities: 6 total — BlueHammer, RedSun, UnDefend, GreenPlasma, YellowKey, RoguePlanet | Exploited in wild: CVE-2026-33825 · CVE-2026-41091 · CVE-2026-45498 | Unpatched: RoguePlanet (CVE-2026-50656) | CISA KEV: CVE-2026-33825 | CVSS BlueHammer: 7.8 | Affected: Windows 10, 11, Server 2016–2026

One disgruntled researcher. Six zero-days in 90 days. Three exploited before Microsoft issued patches. One still unpatched today.

Between April and June 2026, a security researcher operating under the aliases Chaotic Eclipse and Nightmare Eclipse published six zero-day exploits targeting Microsoft Defender and Windows core components in rapid succession — deliberately, publicly, and without prior coordination with Microsoft. Three were confirmed exploited in the wild before Microsoft issued patches. One — RoguePlanet — remains unpatched as of July 1, 2026, and works on fully updated Windows 10 and Windows 11 systems with the June 2026 cumulative update installed.

The story behind this campaign is as significant as the vulnerabilities themselves. Chaotic Eclipse alleges Microsoft’s Security Response Center mishandled their initial disclosures. When the researcher went public with BlueHammer, Microsoft responded with what the security community widely interpreted as legal threats — resulting in the takedown of the researcher’s GitHub and GitLab accounts. The result: a public feud that drove one of the most sustained sequences of weaponized Defender zero-day disclosures in Windows history, near-universal condemnation of Microsoft’s response from the security research community, and a live unpatched SYSTEM-level exploit affecting every Windows 10 and Windows 11 device on the planet today.

| Exploit | CVE | Mechanism | Patch Status | Wild Exploitation |
|---|---|---|---|---|
| BlueHammer | CVE-2026-33825 (CVSS 7.8) | TOCTOU in Defender update → NTFS junction redirect → SYSTEM write to System32 | ✅ April 14, 2026 — Platform 4.18.26040.1011 | ✅ April 10 — CISA KEV |
| UnDefend | CVE-2026-45498 | Disrupts Defender definition updates — progressively degrades protection | ✅ Patched | ✅ Confirmed |
| RedSun | CVE-2026-41091 | Alternative LPE via Defender cloud-tagged file handling → system path overwrite | ✅ Patched | ✅ Confirmed |
| GreenPlasma | TBD | Windows component LPE | ✅ June 2026 Patch Tuesday | Unknown |
| YellowKey | TBD | Windows component LPE — Microsoft issued mitigation advisory before patch | ✅ June 2026 Patch Tuesday | Unknown |
| RoguePlanet | CVE-2026-50656 (CVSS 7.8) | TOCTOU in Defender real-time scanner → SYSTEM shell on fully patched Win10/11 | 🔴 NO PATCH — July PT expected | PoC public — exploitation expected |

BlueHammer — how Defender’s own remediation logic became the attack

BlueHammer is a Time-of-Check to Time-of-Use (TOCTOU) race condition in Microsoft Defender’s file remediation engine. The technical chain, documented by Picus Security:

  1. Trigger a Defender detection — present a crafted file that Defender’s signature engine identifies as malicious and queues for remediation.
  2. Replace the file with a Windows Cloud Files API placeholder — a stub telling the filesystem the content is stored in the cloud.
  3. As Defender initiates its rollback process, use NTFS junctions and opportunistic locks (oplocks) to pause execution midway and redirect the target path.
  4. Redirect the rollback to C:\Windows\System32. Defender resumes, follows the redirected path, and writes attacker-controlled content with SYSTEM-level privileges.
  5. Overwrite a system binary — achieving SYSTEM-level code execution from an unprivileged standard user account.

Huntress observed the first in-the-wild attacks on April 10 — three days after the PoC dropped, four days before Microsoft’s patch. A community-improved fork with bug fixes and documentation circulated widely, further lowering the exploitation barrier. CISA added CVE-2026-33825 to its KEV catalog and ordered federal agencies to patch by May 6.

UnDefend + RedSun — degrade then escalate

The three exploits are designed to chain. UnDefend doesn’t grant immediate privilege — it silently disrupts Defender’s ability to update its threat definitions. Protection degrades gradually and invisibly over time. An attacker runs UnDefend first, waits for coverage to weaken, then runs BlueHammer or RedSun for SYSTEM access. By the time privilege escalation executes, Defender’s ability to detect subsequent attacker activity has been systematically reduced. All three were confirmed exploited in the wild before patches existed. All three are now patched.

RoguePlanet — the one still open today

Dropped June 10 — hours after Microsoft’s record 200-CVE Patch Tuesday — RoguePlanet targets a TOCTOU race condition in Defender’s real-time scanning engine. A successful exploit spawns a Windows command prompt running as NT AUTHORITY\SYSTEM — the highest privilege level available. From that shell: install software, modify or delete any file, create accounts, disable Defender itself, extract credentials from LSASS memory.

Security researcher Will Dormann confirmed it works: “reportedly not 100% reliable, but it worked on the first attempt for me.” It does not currently work against Windows Server — standard users cannot mount ISO images on Server, which the exploit requires. Chaotic Eclipse states Server is also vulnerable and the exploit needs redesigning for that environment. No patch exists as of July 1, 2026. Expected in July Patch Tuesday or an out-of-band update.

The disclosure feud — and why the security community sided with the researcher

Microsoft’s response to the BlueHammer publication was widely read as a legal threat. GitHub and GitLab removed the researcher’s repositories under pressure. The security community’s reaction was immediate and unified against Microsoft. Kevin Beaumont: “Microsoft is attempting to misuse its ownership of GitHub to protect only its own products, and misuse its extensive links to law enforcement by branding publishing information about vulnerabilities in its own products as criminal behaviour.”

Microsoft’s statement: “We have no intention to pursue action against individuals conducting or publishing their security research. When an individual breaks the law and engages in malicious activity causing real harm to our customers, we will work with law enforcement as appropriate.” The conditional framing was the problem — the security community read “malicious activity causing real harm” as a characterization of publishing vulnerability research. PCMag published “Microsoft Threatens Researcher Over Bug Reports, Triggers Cybersecurity Outcry.” Pushing Chaotic Eclipse off mainstream platforms drove them to a self-hosted repository outside Microsoft’s reach — and the disclosures continued. Chaotic Eclipse’s own statement in the RoguePlanet writeup: “Microsoft’s efforts to protect Defender from path redirection attacks are useless. I have a batch of memory corruption vulnerabilities in Defender as well and not to mention the other batch of vulnerabilities I have in several other components.”

The pattern: security tooling is 2026’s highest-value attack surface

The Chaotic Eclipse saga is the most sustained example of the pattern DataWater has documented all year: security tooling has become attackers’ highest-value target. A vulnerability in the security tool is more valuable than any application it protects because security tools run with elevated privileges by design, are trusted and exempted by every other security control, are universally deployed (Defender ships on every Windows device), and are the last line of defense — compromising them eliminates detection simultaneously with gaining access.

DataWater has tracked this arc across CVE-2026-20253 in Splunk Enterprise, CVE-2026-34926 in Trend Micro Apex One, FortiSandbox exploited alongside FortiBleed, and now six Defender zero-days. The Verizon DBIR 2026 identified security tooling exploitation as a top-five initial access vector for the first time. This is a deliberate attacker category shift, not a coincidence.

What to do right now

  1. Verify Defender platform version is 4.18.26040.1011 or later — patches BlueHammer:
    Get-MpComputerStatus | Select-Object AMProductVersion
  2. Apply June 2026 cumulative update — patches RedSun, UnDefend, GreenPlasma, YellowKey.
  3. For RoguePlanet (no patch):
    — Enable ASR rules: Block exploited signed drivers (56a863a9-875e-4185-98a7-b882c64b5ce5) + Block LSASS credential theft (9e6c4e1f-7d60-472f-ba1a-a39ef669e4b0)
    — Deploy WDAC or AppLocker to block unknown binaries
    — Remove local administrator rights from standard user accounts
    — Monitor for unexpected NT AUTHORITY\SYSTEM spawns from Defender processes
  4. Alert on IOC binaries: FunnyApp.exe · RedSun.exe · undef.exe · z.exe · Defender detection Exploit:Win32/DfndrPEBluHmr.BZ
  5. Treat RoguePlanet patch as emergency priority the moment Microsoft releases it. Average time-to-exploit for public PoCs in 2026 is five days. Do not wait for standard patch cycles.
  6. Verify third-party AV deployments — Defender components often remain active in passive mode even when another vendor's product is the primary scanner. Confirm your Defender exposure regardless of which AV is listed as primary.
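The checklist above as a single posture check, written for this brief as an added example (not Microsoft's code or anything from the original post). It assumes a Windows 10/11 host where the Defender PowerShell module is present; it reads the platform version, the state of the two ASR rules named in step 3, running IOC process names, and Defender Operational log entries carrying the detection name from step 4.

```powershell
# Added example: posture check for the remediation steps in this brief.
# Assumption: Windows 10/11 with the Defender cmdlets (Get-MpComputerStatus, Get-MpPreference) available.

$MinPlatform   = [version]'4.18.26040.1011'   # BlueHammer fix level named in the brief
$AsrRules      = @{
    '56a863a9-875e-4185-98a7-b882c64b5ce5' = 'Block abuse of exploited vulnerable signed drivers'
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b0' = 'Block credential stealing from LSASS'
}
$IocBinaries   = @('FunnyApp.exe', 'RedSun.exe', 'undef.exe', 'z.exe')
$DetectionName = 'Exploit:Win32/DfndrPEBluHmr.BZ'

# Step 1: platform version. Anything below the fix level is still exposed to BlueHammer.
$platform = [version](Get-MpComputerStatus).AMProductVersion
if ($platform -ge $MinPlatform) { "Defender platform $platform : OK" }
else { "Defender platform $platform : BELOW $MinPlatform - update the Defender platform" }

# Step 3: ASR rule state. Ids and Actions are parallel arrays; 1 = Block, 2 = Audit, 6 = Warn, 0 = Off.
$pref = Get-MpPreference
$ids  = @($pref.AttackSurfaceReductionRules_Ids)
$acts = @($pref.AttackSurfaceReductionRules_Actions)
foreach ($id in $AsrRules.Keys) {
    $action = 0
    for ($i = 0; $i -lt $ids.Count; $i++) { if ($ids[$i] -eq $id) { $action = $acts[$i] } }
    $state = switch ($action) { 1 { 'Block' } 2 { 'Audit' } 6 { 'Warn' } default { 'OFF - enable' } }
    "ASR $($AsrRules[$id]): $state"
}

# Step 4a: IOC binary names currently running (ProcessName has no extension, so add it back).
$running = Get-Process | Where-Object { $IocBinaries -contains "$($_.ProcessName).exe" }
if ($running) { "IOC process running: " + (($running.ProcessName | Sort-Object -Unique) -join ', ') }
else { "IOC processes: none running" }

# Step 4b: Defender detection events (1116 detected, 1117 action taken) naming the BlueHammer signature.
$hits = @(Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1116, 1117
    } -ErrorAction SilentlyContinue | Where-Object { $_.Message -match [regex]::Escape($DetectionName) })
"Defender detections for $DetectionName : $($hits.Count)"
```

Run it as part of endpoint compliance collection; any line reading "BELOW", "OFF - enable", "IOC process running" or a non-zero detection count is a finding to triage.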

Sources and further reading


DataWater publishes daily cybersecurity intelligence for enterprise and government security leaders. Article #37 — July 1, 2026. Previous: Claude Code Reverse Shell — Mozilla 0DIN (July 1) · Device Code Phishing 37x Spike (June 29) · CVE-2026-46331 pedit COW (June 28).