Three actively exploited zero-day vulnerabilities have been identified in Microsoft Defender: BlueHammer (CVE-2026-33825), RedSun, and UnDefend. BlueHammer has been patched; RedSun and UnDefend remain unpatched. BlueHammer and RedSun are Local Privilege Escalation (LPE) flaws; UnDefend is a Denial-of-Service (DoS) flaw that blocks Defender updates. 

Exploitation began around April 10, 2026, with all three observed in active post-compromise campaigns. Attackers are executing reconnaissance commands (whoami /priv, cmdkey /list, net group), indicating hands-on-keyboard activity following initial access. 

CVE-2026-33825 is confirmed publicly exploited. The combination of LPE and defense evasion capabilities makes this critical: attackers can gain full administrative control, disable protections, and achieve persistent, undetected access. The patch gap for RedSun and UnDefend means organizations remain exposed even after applying the latest update cycle.

PTTs:

T1068 — Exploitation for Privilege Escalation

T1562.001 — Impair Defenses: Disable or Modify Tools

T1033 — System Owner/User Discovery

T1069 — Permission Groups Discovery

T1087 — Account Discovery

T1078 — Valid Accounts

Recommendations:

• Immediately apply the patch for CVE-2026-33825 (BlueHammer) across all managed endpoints.

• Implement detection rules for post-exploitation reconnaissance commands: whoami /priv, cmdkey /list, and net group.

• Alert on Defender update failures or abnormal Defender service behavior as a potential indicator of UnDefend exploitation.

• Restrict local administrative privileges using the principle of least privilege to limit the impact of LPE vulnerabilities.

Until patches are available for RedSun and UnDefend, apply compensating controls: enhanced logging, privileged access workstations (PAWs), and network segmentation.

CVE-2026-39808 is a critical OS command injection vulnerability affecting Fortinet FortiSandbox versions 4.4.0 through 4.4.8. The flaw resides in the /fortisandbox/job-detail/tracer-behavior endpoint, where unsanitized user input in the jid GET parameter allows an unauthenticated attacker to inject arbitrary OS commands using the pipe symbol (|), resulting in root-level remote code execution (RCE).

The vulnerability was discovered in November 2025 and patched and publicly disclosed by Fortinet in April 2026 under advisory FG-IR-26-100. A working proof-of-concept (PoC) exploit has since been published on GitHub by researcher samu-delucas, reducing the barrier to exploitation to a single curl command — requiring no authentication, no special tooling, and no prior knowledge of the target environment.

Public exploitation: The PoC is freely available. Active exploitation in the wild should be assumed and treated as imminent.

Potential impact: Full host compromise, sensitive file exfiltration, malware deployment, lateral movement from within sandbox infrastructure — a high-value target given FortiSandbox’s role in threat analysis pipelines.

TTPs:

T1190 – Exploit Public-Facing Application

T1059 – Command and Scripting Interpreter

T1068 – Exploitation for Privilege Escalation

T1105 – Ingress Tool Transfer

T1505 – Server Software Component

T1083 – File and Directory Discovery

Recommendations:

Immediately upgrade FortiSandbox to a version beyond 4.4.8 as per Fortinet advisory FG-IR-26-100; do not defer — a weaponized PoC is publicly available

Verify all deployed FortiSandbox instances and confirm version; prioritise internet-facing or management-accessible deployments

Apply network segmentation to restrict access to FortiSandbox administrative and management interfaces to trusted IP ranges only; these interfaces should never be exposed to untrusted networks or the public internet

Audit firewall rules and WAF policies to block or alert on GET requests containing pipe symbols (|) targeting the /fortisandbox/job-detail/tracer-behavior endpoint

Review access logs for suspicious GET requests to /fortisandbox/job-detail/tracer-behavior as indicators of active exploitation attempts

Implement monitoring and alerting for anomalous outbound connections or new file creation in the web root of FortiSandbox hosts

If patching is not immediately possible, consider taking vulnerable FortiSandbox instances offline or placing them behind strict access controls as a temporary mitigation