Introduction
Security researchers at Huntress have issued a stark warning about the active, in-the-wild exploitation of three critical zero-day vulnerabilities in Microsoft Defender. In a troubling development, the very tool designed to be the first line of defense on millions of Windows systems has become a pathway for attackers to gain complete control. The flaws, dubbed BlueHammer, RedSun, and UnDefend, were publicly disclosed by a researcher known as Chaotic Eclipse, and threat actors have wasted no time weaponizing them.
While Microsoft has managed to issue a patch for one of the vulnerabilities, BlueHammer, the other two—RedSun and UnDefend—remain unpatched, leaving a massive number of systems exposed to privilege escalation attacks. This situation creates a perilous window of opportunity for adversaries who have already established an initial foothold in a target network.
Technical background: From defender to attacker
All three vulnerabilities are classified as Local Privilege Escalation (LPE) flaws. This means they cannot be used for initial entry into a system. Instead, they are leveraged by an attacker who has already gained low-level access, perhaps through a phishing email or a different software vulnerability. Once inside, the attacker uses these Defender exploits to elevate their permissions to NT AUTHORITY\SYSTEM—the highest level of privilege on a Windows system.
According to the technical details released and subsequent analysis, the vulnerabilities target different components of the Defender suite:
- BlueHammer (Patched - CVE-2026-XXXXX): This was a race condition vulnerability. In simplified terms, an attacker could trick Defender during a file scan, exploiting a tiny window of time between when Defender checked a file's permissions and when it performed an action on it. This allowed the attacker to inject malicious code that would be executed with Defender's elevated privileges. Microsoft addressed this in an out-of-band security update.
- RedSun (Unpatched - CVE-2026-YYYYY): This is a more direct arbitrary file write vulnerability. A core Defender service running as SYSTEM can be manipulated to write a file to any location on the disk. Attackers are reportedly using this to drop a malicious DLL into a trusted system directory. When the system reboots or a specific service restarts, that malicious DLL is loaded and executed with SYSTEM rights.
- UnDefend (Unpatched - CVE-2026-ZZZZZ): The most technically complex of the trio, UnDefend is a memory corruption flaw, likely a use-after-free, within the engine that handles real-time protection. By feeding a specially crafted file to the scanner, an attacker can corrupt the memory of the Defender process (`MsMpEng.exe`) and achieve arbitrary code execution within that high-privilege context.
The swift weaponization of these flaws after their public disclosure highlights a persistent tension within the security community regarding responsible versus full disclosure. While the researcher cited frustrations with Microsoft's response time, the immediate outcome has been the arming of threat actors with potent new tools (The Hacker News, 2026).
Impact assessment: A foundational trust broken
The impact of these vulnerabilities is severe and widespread. Microsoft Defender is the default antivirus and endpoint protection solution on all modern versions of Windows, including Windows 10, Windows 11, and Windows Server. This ubiquity means the attack surface is enormous, spanning consumer laptops, corporate workstations, and critical infrastructure servers.
An attacker who successfully exploits RedSun or UnDefend gains total control over the compromised machine. From this position, they can:
- Disable or manipulate security logs and other security tools to hide their tracks.
- Deploy ransomware across the network.
- Install persistent backdoors or rootkits that survive reboots.
- Steal credentials from memory using tools like Mimikatz to facilitate lateral movement to other systems.
- Exfiltrate sensitive corporate or personal data.
For organizations, this is a worst-case scenario. A security product is built on trust. When that product contains unpatched, actively exploited vulnerabilities, it not only fails to protect the system but actively aids in its compromise. Huntress reports that its Security Operations Center has already observed these exploits being used by multiple threat actors as part of post-exploitation toolkits, indicating that the techniques are already being integrated into standard attack chains.
How to protect yourself
With two of the three vulnerabilities still unpatched, defense requires a multi-layered strategy focused on patching what is possible and detecting what is not. Organizations and individuals should take the following steps immediately.
- Apply the BlueHammer Patch: The first and most urgent step is to ensure all systems have received the security update that addresses BlueHammer (CVE-2026-XXXXX). Check for and install all available Windows Updates immediately.
- Monitor for Indicators of Compromise (IOCs): Since RedSun and UnDefend cannot be patched yet, the focus must shift to detection. Security teams should configure their monitoring tools to look for signs of exploitation. This includes:
  - Unusual child processes spawning from Defender's core process, `MsMpEng.exe`, or its EDR component, `MsSense.exe`.
  - Suspicious file writes to system directories like `C:\Windows\System32`, especially by processes that should not be doing so.
  - Unexpected crashes or restarts of the Microsoft Defender service.
  - Changes to Defender's registry keys or exclusions that were not made by an administrator.
- Enforce the Principle of Least Privilege (PoLP): These exploits require an initial compromise. By ensuring that user accounts and applications run with the minimum permissions necessary, you limit an attacker's ability to execute the exploit code in the first place. Avoid using administrative accounts for daily tasks.
- Layer Your Defenses: This incident proves that relying on a single security product is a fragile strategy. Employ a defense-in-depth approach. This includes robust network monitoring, strict firewall rules, and application control policies that prevent unauthorized software from running. Protecting network traffic with a VPN service can also add a layer of encryption, making it harder for attackers to exfiltrate data undetected.
- Keep Defender Definitions Updated: While a full patch for the engine is not yet available, Microsoft can push updated detection signatures through its regular definition updates. These may be able to identify and block the publicly known exploit tools, providing a temporary mitigation. Ensure your Defender anti-malware platform and definitions are updating successfully.
Microsoft is under immense pressure to release patches for RedSun and UnDefend. Until they do, vigilance and proactive threat hunting are the only effective countermeasures against these dangerous exploits.