Actively Exploited Microsoft Defender Zero-Days 'RedSun' and 'UnDefend' Remain Unpatched

Three Microsoft Defender Zero-Days—BlueHammer, RedSun, and UnDefend—Actively Exploited in the Wild After Researcher's Public Leak

Severity: CRITICAL
Published: April 18, 2026
Updated: April 23, 2026
6m read
Categories: Vulnerability, Cyberattack, Threat Actor

Related Entities (initial)

Threat Actors: Chaotic Eclipse

Organizations: Huntress Labs, Microsoft, Microsoft Security Response Center (MSRC)

Products & Tech: Microsoft Defender, Windows 10, Windows 11, Windows Server

Other: BlueHammer, RedSun, UnDefend

CVE Identifiers: CVE-2026-33825 (HIGH, CVSS 7.8)

Full Report (when first published)

Executive Summary

Security researchers have confirmed active, in-the-wild exploitation of three zero-day vulnerabilities affecting Microsoft Defender on modern Windows systems. The vulnerabilities, codenamed BlueHammer, RedSun, and UnDefend, were publicly disclosed by a researcher known as "Chaotic Eclipse" before official patches were available for all flaws. BlueHammer (CVE-2026-33825), a local privilege escalation (LPE) flaw, was patched in the April 2026 Patch Tuesday. However, RedSun, another critical LPE vulnerability that grants SYSTEM privileges, and UnDefend, a denial-of-service (DoS) bug, remain unpatched. Huntress Labs reports observing targeted attacks where threat actors are manually deploying these exploits to elevate privileges on compromised systems, indicating a significant and immediate threat to Windows environments.

Threat Overview

The incident highlights the dangerous intersection of vulnerability research, contentious disclosure practices, and rapid weaponization by threat actors. A researcher, frustrated with the Microsoft Security Response Center (MSRC), publicly released proof-of-concept (PoC) exploits for three distinct vulnerabilities in Microsoft Defender. This action provided threat actors with the tools to immediately target vulnerable systems.

  • BlueHammer (CVE-2026-33825): A Local Privilege Escalation (LPE) vulnerability. An attacker with low-level access can exploit this to gain SYSTEM privileges. This flaw has been patched.
  • RedSun: A second, more severe LPE vulnerability that also allows an attacker to gain SYSTEM privileges on fully patched Windows 10, Windows 11, and Windows Server 2019+ systems. This flaw remains unpatched.
  • UnDefend: A Denial-of-Service (DoS) vulnerability that allows a standard user to prevent Microsoft Defender from receiving new security intelligence updates, effectively blinding the antivirus solution. This flaw also remains unpatched.

Researchers at Huntress Labs have observed these exploits being used in targeted attacks, not widespread automated campaigns. The attackers exhibit "hands-on-keyboard" activity, running reconnaissance commands like whoami /priv and cmdkey /list after gaining initial access, before deploying the LPE exploits to escalate their privileges. This behavior is typical of sophisticated adversaries conducting targeted intrusions.

Technical Analysis

The exploits abuse core functionalities of Microsoft Defender and its interaction with the operating system.

  • Privilege Escalation (T1068): Both BlueHammer and RedSun are classic examples of this technique. They exploit flaws in a highly privileged process (Microsoft Defender's MsMpEng.exe service, which runs as NT AUTHORITY\SYSTEM) to execute arbitrary code with elevated permissions. The RedSun exploit reportedly abuses how Defender handles file system operations during remediation.
  • Impair Defenses (T1562): The UnDefend vulnerability is a direct implementation of this tactic. By preventing Defender from updating, attackers can ensure that their subsequent malware payloads will not be detected by the latest signatures, significantly increasing their chances of success.
  • Exploitation for Privilege Escalation (T1068): The core of the BlueHammer and RedSun attacks. Attackers with initial low-privilege access (e.g., from a phishing email) can run the exploit to become SYSTEM, gaining full control of the host.
  • System Services (T1569.002): The exploits target a legitimate and critical Windows service (Microsoft Defender) to carry out their malicious actions.

The active exploitation of unpatched LPEs in a default security product is a worst-case scenario. It effectively nullifies the 'defense-in-depth' principle, as the defender itself becomes the attack vector.

Impact Assessment

The impact is critical for organizations running Windows environments. An attacker who gains any level of initial access—through phishing, a separate vulnerability, or other means—can now reliably escalate to SYSTEM-level privileges on fully patched machines using the RedSun exploit. This level of access allows them to disable other security controls, deploy ransomware, steal sensitive data, and persist within the network. The UnDefend vulnerability further compounds the risk by ensuring that the primary endpoint protection is outdated and ineffective against new threats. This forces organizations into a difficult position of needing to apply emergency workarounds or accept a high level of risk until Microsoft releases a patch.

IOCs

No specific file hashes or IP addresses were provided in the source articles.

Cyber Observables for Detection

Security teams should hunt for post-exploitation activity associated with these LPEs.

  • command_line_pattern: whoami /priv
    Description: Attackers often run this command immediately after successful privilege escalation to verify their new permissions.
    Context: EDR, PowerShell Script Block Logging (Event ID 4104), Process Creation (Event ID 4688)
  • command_line_pattern: cmdkey /list
    Description: Used to enumerate cached credentials, a common next step after gaining SYSTEM access.
    Context: EDR, Process Creation (Event ID 4688)
  • file_path: %windir%\Temp\
    Description: Exploits often drop temporary files or scripts in the Windows Temp directory. Monitor for anomalous file creation and execution from this path.
    Context: File Integrity Monitoring (FIM), EDR
  • process_name: MsMpEng.exe
    Description: Monitor for anomalous behavior, crashes, or unexpected child processes spawned by the Microsoft Defender engine process.
    Context: EDR, Sysmon (Event ID 1)
  • event_id: 4657
    Description: Monitor for modifications to the registry key HKLM\SOFTWARE\Microsoft\Windows Defender, which could indicate use of the UnDefend exploit.
    Context: Windows Security Event Log

Detection & Response

Detection Strategies:

  • Behavioral Analytics: Since the exploits target a trusted process, signature-based detection is ineffective. Focus on behavioral detection. An EDR solution should be configured to alert on MsMpEng.exe spawning unusual child processes (like cmd.exe or powershell.exe) or performing unexpected file/registry modifications.
  • D3FEND: Process Analysis (D3-PA): Specifically, monitor for process lineage anomalies. A command shell (cmd.exe) being spawned as a child of MsMpEng.exe is highly suspicious and should be a high-priority alert. This is a key indicator of post-exploitation activity following a successful LPE.
  • Log Aggregation: Aggregate and correlate logs from multiple sources. A low-privilege user login followed by a series of reconnaissance commands (whoami, net user, etc.) and then a spike in MsMpEng.exe activity could indicate an attack in progress.
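As an added example (not code from the article, Huntress, or Microsoft), the following Python applies the three checks above to a handful of constructed 4688/4657-style records: the MsMpEng.exe-to-shell lineage rule, the recon-then-engine-activity correlation, and the 4657 Windows Defender registry observable from the table in the previous section. The record field names and sample values are assumptions, not a real EDR or SIEM schema.

```python
# Added example, not code from the original article, Huntress or Microsoft.
# Applies the three detections described above to constructed 4688/4657-style
# records. Record field names ("ts", "id", "parent", ...) are assumptions.
DEFENDER_ENGINE = "msmpeng.exe"
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
RECON_PATTERNS = ("whoami /priv", "cmdkey /list", "net user")
DEFENDER_KEY = r"hklm\software\microsoft\windows defender"

# Constructed sample telemetry from one host; ts is seconds from an arbitrary start.
SAMPLE_EVENTS = [
    {"ts": 100, "id": 4688, "user": "CORP\\jdoe", "parent": "explorer.exe", "image": "cmd.exe", "cmd": "cmd.exe"},
    {"ts": 105, "id": 4688, "user": "CORP\\jdoe", "parent": "cmd.exe", "image": "whoami.exe", "cmd": "whoami /priv"},
    {"ts": 110, "id": 4688, "user": "CORP\\jdoe", "parent": "cmd.exe", "image": "cmdkey.exe", "cmd": "cmdkey /list"},
    # A shell running as SYSTEM under the Defender engine: the post-LPE lineage anomaly.
    {"ts": 140, "id": 4688, "user": "NT AUTHORITY\\SYSTEM", "parent": "MsMpEng.exe", "image": "cmd.exe", "cmd": "cmd.exe"},
    {"ts": 150, "id": 4657, "user": "CORP\\jdoe", "key": "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Signature Updates"},
    # Benign: the engine launching its own tool much later, with no preceding recon; must not fire.
    {"ts": 400, "id": 4688, "user": "NT AUTHORITY\\SYSTEM", "parent": "MsMpEng.exe", "image": "MpCmdRun.exe", "cmd": "MpCmdRun.exe -SignatureUpdate"},
]

def lineage_alerts(events):
    """High priority (D3-PA): a command shell whose parent process is the Defender engine."""
    return [e for e in events if e["id"] == 4688
            and e["parent"].lower() == DEFENDER_ENGINE and e["image"].lower() in SHELLS]

def recon_then_engine_alerts(events, window=120):
    """Medium priority: recon commands followed within `window` seconds by any new MsMpEng.exe child.
    Returns (ts, child image, users whose recon preceded it)."""
    recon = [e for e in events if e["id"] == 4688
             and any(p in e["cmd"].lower() for p in RECON_PATTERNS)]
    alerts = []
    for e in events:
        if e["id"] != 4688 or e["parent"].lower() != DEFENDER_ENGINE:
            continue
        users = sorted({r["user"] for r in recon if 0 <= e["ts"] - r["ts"] <= window})
        if users:
            alerts.append((e["ts"], e["image"], users))
    return alerts

def defender_registry_alerts(events):
    """4657 writes under the Windows Defender key (the UnDefend observable)."""
    return [e for e in events if e["id"] == 4657 and e["key"].lower().startswith(DEFENDER_KEY)]

def triage(events):
    """Run all three checks; the result is what would be pushed to the SIEM/EDR case queue."""
    return {"lineage": lineage_alerts(events),
            "recon_then_engine": recon_then_engine_alerts(events),
            "registry": defender_registry_alerts(events)}

if __name__ == "__main__":
    for name, hits in triage(SAMPLE_EVENTS).items():
        print(f"{name}: {len(hits)} hit(s)")
```

The benign MpCmdRun.exe record shows why the lineage rule keys on shells rather than on any child of MsMpEng.exe, and why the correlation rule needs a time window.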

Response Actions:

  1. If active exploitation is suspected, immediately isolate the affected host from the network to prevent lateral movement.
  2. Preserve the system for forensic analysis to understand the initial access vector and subsequent actions.
  3. For RedSun and UnDefend, monitor Microsoft's security advisories closely and be prepared to deploy the patch on an emergency basis as soon as it is released.

Mitigation

Immediate Actions (Workarounds):

  • Attack Surface Reduction (ASR): For the unpatched vulnerabilities, organizations must rely on compensating controls. Ensure that standard users do not have administrative rights. Implement strict application control (like AppLocker or WDAC) to prevent the execution of unauthorized executables, including the exploit PoCs.
  • Enhanced Monitoring: Increase monitoring on endpoints, focusing on the behavioral indicators listed above. Lower the threshold for alerts related to MsMpEng.exe and post-exploitation commands.

Strategic Controls:

  • D3FEND: Software Update (D3-SU): The most critical mitigation is to patch. Ensure CVE-2026-33825 is patched via the April 2026 update. Maintain a robust and rapid patch management process to deploy the forthcoming fixes for RedSun and UnDefend as soon as they are available.
  • D3FEND: Execution Prevention (M1038): A well-configured application control policy that only allows known, trusted executables to run can prevent the initial execution of the exploit code, even if it's dropped on the system.

Timeline of Events

  1. April 10, 2026: Exploitation of the BlueHammer vulnerability is first observed in the wild.
  2. April 16, 2026: The April 2026 Patch Tuesday is released, patching BlueHammer (CVE-2026-33825).
  3. April 16, 2026: Exploitation of the unpatched RedSun and UnDefend vulnerabilities begins.
  4. April 18, 2026: This article was published.

Article Updates

April 22, 2026

New details confirm active exploitation of all three Microsoft Defender zero-days, including RedSun and UnDefend, with PoCs observed in the wild by April 16.

New reports from Huntress confirm that all three Microsoft Defender zero-days (BlueHammer, RedSun, UnDefend) are actively exploited in the wild. While BlueHammer's exploitation was noted by April 10, proof-of-concept exploits for RedSun (LPE) and UnDefend (DoS) were observed being used by threat actors as early as April 16, 2026. This reinforces the immediate threat posed by these unpatched vulnerabilities, allowing attackers to escalate privileges and disable Defender updates on Windows systems.

April 23, 2026

Severity increased

CISA adds CVE-2026-33825 (BlueHammer) to KEV catalog, mandating patch. Detailed exploit chain for SAM dump revealed, with initial access via FortiGate VPNs.

CISA has added CVE-2026-33825 (BlueHammer), a critical Microsoft Defender privilege escalation vulnerability, to its Known Exploited Vulnerabilities catalog, requiring federal agencies to patch by May 6, 2026. This confirms active, in-the-wild exploitation. New technical details reveal the exploit leverages a TOCTOU race condition to dump the SAM database for credential access, with initial access often gained via compromised FortiGate SSL VPNs. One observed attack originated from a Russian IP. The specific patch version is 4.18.26050.3011 or later. While the existing article noted BlueHammer was patched, this update highlights its continued critical threat due to confirmed active exploitation and government mandate.

Article Author

Jason Gomes, Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

LPE, Microsoft Defender, Privilege Escalation, Unpatched, Windows, ZeroDay
