Three actively exploited zero-day vulnerabilities have been identified in Microsoft Defender: BlueHammer (CVE-2026-33825), RedSun, and UnDefend. BlueHammer has been patched; RedSun and UnDefend remain unpatched. BlueHammer and RedSun are Local Privilege Escalation (LPE) flaws; UnDefend is a Denial-of-Service (DoS) flaw that blocks Defender updates. 

Exploitation began around April 10, 2026, with all three observed in active post-compromise campaigns. Attackers are executing reconnaissance commands (whoami /priv, cmdkey /list, net group), indicating hands-on-keyboard activity following initial access. 

CVE-2026-33825 is confirmed publicly exploited. The combination of LPE and defense evasion capabilities makes this critical: attackers can gain full administrative control, disable protections, and achieve persistent, undetected access. The patch gap for RedSun and UnDefend means organizations remain exposed even after applying the latest update cycle.

PTTs:

T1068 — Exploitation for Privilege Escalation

T1562.001 — Impair Defenses: Disable or Modify Tools

T1033 — System Owner/User Discovery

T1069 — Permission Groups Discovery

T1087 — Account Discovery

T1078 — Valid Accounts

Recommendations:

• Immediately apply the patch for CVE-2026-33825 (BlueHammer) across all managed endpoints.

• Implement detection rules for post-exploitation reconnaissance commands: whoami /priv, cmdkey /list, and net group.

• Alert on Defender update failures or abnormal Defender service behavior as a potential indicator of UnDefend exploitation.

• Restrict local administrative privileges using the principle of least privilege to limit the impact of LPE vulnerabilities.

Until patches are available for RedSun and UnDefend, apply compensating controls: enhanced logging, privileged access workstations (PAWs), and network segmentation.

CVE-2026-39808 is a critical OS command injection vulnerability affecting Fortinet FortiSandbox versions 4.4.0 through 4.4.8. The flaw resides in the /fortisandbox/job-detail/tracer-behavior endpoint, where unsanitized user input in the jid GET parameter allows an unauthenticated attacker to inject arbitrary OS commands using the pipe symbol (|), resulting in root-level remote code execution (RCE).

The vulnerability was discovered in November 2025 and patched and publicly disclosed by Fortinet in April 2026 under advisory FG-IR-26-100. A working proof-of-concept (PoC) exploit has since been published on GitHub by researcher samu-delucas, reducing the barrier to exploitation to a single curl command — requiring no authentication, no special tooling, and no prior knowledge of the target environment.

Public exploitation: The PoC is freely available. Active exploitation in the wild should be assumed and treated as imminent.

Potential impact: Full host compromise, sensitive file exfiltration, malware deployment, lateral movement from within sandbox infrastructure — a high-value target given FortiSandbox’s role in threat analysis pipelines.

TTPs:

T1190 – Exploit Public-Facing Application

T1059 – Command and Scripting Interpreter

T1068 – Exploitation for Privilege Escalation

T1105 – Ingress Tool Transfer

T1505 – Server Software Component

T1083 – File and Directory Discovery

Recommendations:

Immediately upgrade FortiSandbox to a version beyond 4.4.8 as per Fortinet advisory FG-IR-26-100; do not defer — a weaponized PoC is publicly available

Verify all deployed FortiSandbox instances and confirm version; prioritise internet-facing or management-accessible deployments

Apply network segmentation to restrict access to FortiSandbox administrative and management interfaces to trusted IP ranges only; these interfaces should never be exposed to untrusted networks or the public internet

Audit firewall rules and WAF policies to block or alert on GET requests containing pipe symbols (|) targeting the /fortisandbox/job-detail/tracer-behavior endpoint

Review access logs for suspicious GET requests to /fortisandbox/job-detail/tracer-behavior as indicators of active exploitation attempts

Implement monitoring and alerting for anomalous outbound connections or new file creation in the web root of FortiSandbox hosts

If patching is not immediately possible, consider taking vulnerable FortiSandbox instances offline or placing them behind strict access controls as a temporary mitigation

A SOCRadar threat intelligence assessment covering the month of the Iran-Israel/US war (Feb 28 – Mar 31, 2026) documents 1,357 verified cyber incidents across 25+ countries, 15+ sectors, and 40+ distinct threat actor groups. The campaign is structured across five phases with distinct threat profiles at each stage.

Phase 1 (Feb 28 – Mar 6): Kinetic strikes were immediately accompanied by cyber operations. Iranian government sites, IRNA, and IRGC-affiliated media were taken offline or defaced. Iran-aligned hacktivist coalitions formally organized on Telegram within 72 hours. OT/ICS intrusion claims appeared within 96 hours.

Phase 2 (Mar 7–15): Geographic expansion beyond Israel, The defining event was the Stryker Corporation attack on March 12, where Handala (MOIS-linked) abused Microsoft Intune administrator access to remotely wipe 200,000+ devices across 79 countries. Stryker filed an SEC 8-K confirming the incident. This demonstrated that a state-linked actor can leverage compromised cloud MDM infrastructure for destructive global impact against non-combatant civilian companies.

Phase 3 (Mar 16–31): Shift to persistent operations and reconnaissance. MuddyWater’s Dindoor and Fakeset Python implants were confirmed pre-planted in a U.S. bank, airport, defense-adjacent software firm, and NGOs before Feb 28. Geo-doxxing surged (59 incidents in Weeks 3–4), targeting nuclear facilities, offshore gas platforms, military airbases, and refineries. Jordan’s NCSC confirmed a thwarted APT attack on grain storage. Handala hacked FBI Director Kash Patel’s personal Gmail account. FBI seized Handala’s domain; Handala migrated within hours.

Phase 4 (Ongoing): Bifurcation point — either managed entrenchment (sustained espionage/coercion) or active escalation (activation of pre-positioned access into destructive operations). Pre-positioned implants remain resident regardless of ceasefire status.

TTPs:

T1498 – Network Denial of Service 

T1485 – Data Destruction 

T1078 – Valid Accounts 

T1059.006 – Command and Scripting Interpreter: Python 

T1133 – External Remote Services

T1567 – Exfiltration Over Web Service 

T1588.002 – Obtain Capabilities: Tool 

T1583.001 – Acquire Infrastructure: Domains 

T1071.001 – Application Layer Protocol: Web Protocols

T1595 – Active Scanning / Reconnaissance 

T1489 – Service Stop 

T1496 – Resource Hijacking / Defacement 

T1190 – Exploit Public-Facing Application

Recommendations:

•  Validate DDoS mitigation capacity on all public-facing portals and APIs and confirm upstream scrubbing coverage.

• Audit all Microsoft Intune and cloud MDM administrator accounts for unauthorized access; enforce MFA on all admin accounts without exception and review bulk device action logs for unauthorized mass wipe or factory reset commands

• Hunt for Dindoor and Fakeset implant indicators across all endpoints; prioritize banks, airports, defense-adjacent organizations, and NGOs

• Review and audit all outbound connections to GitHub and Google Drive originating from non-developer endpoints as potential C2 indicators

• Audit all installed RMM tools across client environments; remove or block Atera and ScreenConnect where not explicitly authorized

• Review all OAuth app grants in Microsoft 365 and Google Workspace tenancies for unauthorized third-party access

• For OT/ICS environments: immediately audit internet-facing PLCs, HMI panels, and SCADA systems; remove default vendor credentials and validate OT/IT network segmentation

• Conduct a full audit of IP camera and CCTV infrastructure; isolate camera networks from enterprise IT, change all default credentials, and patch against CVE-2023-6895 and CVE-2025-34067