Microsoft Defender zero-days exploited after researcher disclosure

Summary
– A researcher published two new proof-of-concept exploits for Microsoft Defender, named “RedSun” for privilege escalation and “UnDefend” for blocking Defender updates or disabling the antivirus entirely.
– All three of this researcher’s exploits, including an earlier one called BlueHammer, have been used in real-world attacks by at least one threat actor.
– The BlueHammer vulnerability was fixed by Microsoft in a security update on April 14, after the researcher claimed an initial disclosure attempt went unanswered.
– Security firm Huntress observed the attacker using these exploits after placing files in user folders and running commands to map system privileges and credentials.
– Microsoft may need to issue an emergency patch, as the next scheduled update is weeks away.
A security researcher has disclosed two new proof-of-concept exploits targeting Microsoft Defender, following a similar disclosure earlier this month. These latest techniques, named RedSun and UnDefend, build on a previously revealed privilege escalation flaw and have already been observed in active attacks. This situation highlights the critical risks posed when zero-day vulnerabilities are publicly released before official patches are available, placing organizations in a precarious defensive position.
The researcher, operating under the aliases Chaotic Eclipse and Nightmare Eclipse, first published a PoC for a vulnerability called BlueHammer on April 3. Microsoft addressed that issue, tracked as CVE-2026-33825, in security updates released on April 14. The latest exploits were published to a GitHub repository on April 16. The RedSun exploit is another privilege escalation flaw within the Defender platform, while UnDefend allows a standard user to block Defender signature updates or disable the antivirus software entirely. Vulnerability analyst Will Dormann has confirmed the effectiveness of the RedSun proof-of-concept.
According to cybersecurity firm Huntress, all three exploitation methods have been leveraged by at least one threat actor in real-world incidents. Researchers observed the BlueHammer exploit being blocked by Windows Defender on April 10. Just days later, on April 16, they detected the use of the newly published RedSun and UnDefend PoCs in an attack. In this incident, the attacker placed exploit files within a user’s Pictures and Downloads folders, renaming them to evade detection. Prior to execution, the threat actor ran commands to enumerate user privileges, discover stored credentials, and map the Active Directory structure. Huntress has stated it isolated the affected organization to prevent further post-exploitation activity.
With the next scheduled Patch Tuesday still weeks away, the pressure is now on Microsoft to respond. The company faces a decision on whether to issue an out-of-band emergency patch to mitigate these actively exploited vulnerabilities. The rapid weaponization of these publicly disclosed proofs-of-concept underscores the narrow window defenders have to secure systems once technical details become available.
(Source: Help Net Security)

