Microsoft Defender Zero-Day Vulnerabilities RedSun and UnDefend Exploited

The cybersecurity landscape has been thrust into a state of high alert following the disclosure of two unpatched Microsoft Defender zero-day vulnerabilities, currently being exploited in the wild. Named RedSun and UnDefend, these flaws represent a catastrophic failure in the primary defensive layer for hundreds of millions of Windows users. While Microsoft managed to remediate a third related vulnerability, BlueHammer (CVE-2026-33825), during the April 2026 Patch Tuesday cycle, the remaining duo remains active, providing threat actors with a direct path to total system compromise and the neutralization of endpoint security protocols.

The origin of these exploits traces back to a controversial leak by an anonymous researcher known by the handles “Chaotic Eclipse” and “Nightmare Eclipse.” This individual allegedly released the proof-of-concept (PoC) code in early April 2026 as an act of “protest” against Microsoft’s vulnerability disclosure programs and the perceived “stalling” of patches for critical architectural flaws. Since the leak, telemetry from several leading security firms, including Huntress Labs and Mandiant, has confirmed that multiple advanced persistent threat (APT) groups have integrated these exploits into their playbooks.

The Anatomy of RedSun: Escalating to SYSTEM

The first of the unpatched flaws, RedSun, is a Local Privilege Escalation (LPE) vulnerability of significant severity. It targets a logic flaw in the Microsoft Defender Antivirus service (MsMpEng.exe) and its interaction with Defender's kernel-mode driver. Unlike a typical application-level bug, RedSun lives in the way the engine performs its high-privilege filesystem I/O during scanning.

When an attacker has any local foothold, even a restricted "Guest" or "Standard User" account, they can trigger RedSun by creating a crafted sequence of symbolic links and winning a race condition inside the C:\ProgramData\Microsoft\Windows Defender\Scans\History\ directory. Because the Defender engine runs as NT AUTHORITY\SYSTEM, the exploit coerces it into performing a privileged file operation on the attacker's behalf (the classic symlink-race privilege-escalation pattern), and the attacker ends up with a SYSTEM-level process. No User Account Control (UAC) prompt is involved at any point: UAC only mediates elevation for administrator accounts and offers no protection against this class of bug.
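The article names the directory but gives no way to check it. The following script is an added example, not code from the article, from Microsoft or from the leaked PoC: it audits the scan-history directory for reparse points (symbolic links or junctions) that have been planted there, and for DACL entries that let non-privileged principals create or replace files, which is the precondition a symlink-race attack needs. The trusted-principal list and the rights mask are assumptions; run it from an elevated prompt, because the Defender data directory is normally not readable by standard users.

```powershell
# Added example (not from the original article): audit the Defender scan-history
# directory for planted reparse points and for DACL entries that would let a
# non-privileged account plant them. Run elevated.
$HistoryRoot = 'C:\ProgramData\Microsoft\Windows Defender\Scans\History'

# Assumption: these are the only principals expected to hold write rights here.
$TrustedPrincipals = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller')

# Rights that allow creating, replacing or deleting entries, i.e. planting a link.
$PlantRights = [System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories, Write, Modify, FullControl, Delete'

function Get-ReparsePointsUnder {
    param([string]$Root = $HistoryRoot)
    if (-not (Test-Path -LiteralPath $Root)) { return @() }
    Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band [IO.FileAttributes]::ReparsePoint } |
        ForEach-Object {
            [pscustomobject]@{
                Path     = $_.FullName
                LinkType = $_.LinkType              # 'SymbolicLink' or 'Junction' (added by PowerShell)
                Target   = ($_.Target -join ';')
                Created  = $_.CreationTimeUtc
            }
        }
}

function Get-WeakAce {
    param([string]$Path = $HistoryRoot)
    if (-not (Test-Path -LiteralPath $Path)) { return @() }
    (Get-Acl -LiteralPath $Path).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $TrustedPrincipals -notcontains $_.IdentityReference.Value -and
            (($_.FileSystemRights -band $PlantRights) -ne 0)
        } |
        Select-Object IdentityReference, FileSystemRights, IsInherited
}

$links = @(Get-ReparsePointsUnder)
$weak  = @(Get-WeakAce)

"Reparse points under ${HistoryRoot}: $($links.Count)"
$links | Format-Table -AutoSize
"DACL entries granting create/write/delete rights to non-privileged principals: $($weak.Count)"
$weak | Format-Table -AutoSize
```

A reparse point under that path is not on its own proof of exploitation, and a weak ACE is a precondition rather than an indicator; treat both as leads to correlate with the process and event-log activity on the host. Tightening the ACL is one of the workarounds the article lists later, together with its caveat that doing so can interfere with legitimate updates.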

Technical analysis indicates that RedSun affects the following operating systems:

  • Windows 10 (all supported versions)
  • Windows 11 (including the latest 24H2 builds)
  • Windows Server 2019 and Windows Server 2022

The danger of this Microsoft Defender zero-day cannot be overstated. In a modern enterprise environment, SYSTEM privileges are the "holy grail" for an attacker: they allow dumping LSASS memory to harvest credentials, installing persistent rootkits, and bypassing local security policy entirely. Because the privileged operation is performed by a trusted Microsoft process, many behaviour-based EDR tools struggle to flag the activity as malicious until the privilege transition has already occurred.

UnDefend: Blindfolding the Watchman

While RedSun focuses on elevation, the second vulnerability, UnDefend, focuses on evasion and neutralization. This exploit targets the Microsoft Defender update mechanism (specifically the MpSigStub.exe process). Security researchers have identified that UnDefend allows a standard user to interfere with the integrity of the Defender signature database during a major update cycle.

Attackers leveraging UnDefend can achieve two primary objectives:

  1. Signature Blockage: By injecting a malicious configuration into the registry keys associated with the Windows Update Orchestrator, the attacker can “freeze” Defender’s virus definitions. This prevents the software from receiving new signatures that might detect the attacker’s secondary payloads.
  2. Platform Disablement: During a scheduled platform update, UnDefend can be used to induce a “fail-open” state. By corrupting the transient files used during the update installation, the attacker causes the Defender service to crash and fail to restart, effectively leaving the system without any real-time protection.

The UnDefend exploit is particularly insidious because it utilizes the legitimate Windows update infrastructure. For an IT administrator looking at a centralized dashboard, the affected machine might simply appear as “pending update” or “out of sync,” rather than showing an active security breach. This “stealth-by-design” approach provides threat actors with an extended dwell time to move laterally across the network without triggering alarms.
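Because a blinded host looks like one that is merely "pending update", the practical check is to separate the two cases on the endpoint itself. The script below is an added example, not code from the article or from Microsoft: it reads Defender's own status through the built-in Get-MpComputerStatus cmdlet and pulls the Defender operational-log events that record failed signature or engine updates and engine failures. The age threshold, the lookback window and the output shape are assumptions; the cmdlet, its properties and the event IDs are standard.

```powershell
# Added example (not from the original article): distinguish "Defender is behind on
# updates" from "Defender has stopped updating or stopped running".
$MaxSignatureAgeDays = 3     # assumption: tune to your update cadence
$LookbackHours       = 72    # assumption

function Get-DefenderHealth {
    $status = Get-MpComputerStatus     # Defender PowerShell module, present on supported Windows builds
    $since  = (Get-Date).AddHours(-$LookbackHours)

    # Defender Operational log: 2001 = security-intelligence update failed,
    # 2003 = engine update failed, 2004 = reverted to last-known-good signatures,
    # 5008 = engine failure (a crash-and-fail-to-restart condition shows up here).
    $events = @(Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 2001, 2003, 2004, 5008
        StartTime = $since
    })

    $findings = [System.Collections.Generic.List[string]]::new()
    if (-not $status.AMServiceEnabled)          { $findings.Add('Anti-malware service is not running') }
    if (-not $status.RealTimeProtectionEnabled) { $findings.Add('Real-time protection is off') }
    if (-not $status.NISEnabled)                { $findings.Add('Network Inspection System is off') }
    if ($status.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
        $findings.Add("Signatures are $($status.AntivirusSignatureAge) days old (last update $($status.AntivirusSignatureLastUpdated))")
    }
    foreach ($e in $events) {
        $findings.Add("Event $($e.Id) at $($e.TimeCreated): $(($e.Message -split "`r?`n")[0])")
    }

    [pscustomobject]@{
        Host             = $env:COMPUTERNAME
        PlatformVersion  = $status.AMProductVersion
        EngineVersion    = $status.AMEngineVersion
        SignatureVersion = $status.AntivirusSignatureVersion
        TamperProtection = $status.IsTamperProtected
        Findings         = $findings
        NeedsAttention   = ($findings.Count -gt 0)
    }
}

Get-DefenderHealth | Format-List
```

A host whose signatures are old but whose log shows no 2001/2003 failures and whose service is running is most likely a connectivity or scheduling problem; a host with repeated update failures, a 5008 engine failure, or a stopped service within the window is the pattern the article describes and should be pulled for investigation rather than left as "out of sync". Run it fleet-wide through your existing remote-execution tooling and compare the platform and engine versions against the rest of the estate.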

Active Exploitation: Hands-on-Keyboard Activity

Reports from the field indicate that these vulnerabilities are not just theoretical risks. Huntress Labs has documented several “hands-on-keyboard” incidents where threat actors utilized the Microsoft Defender zero-day duo in tandem. The typical attack chain observed in the wild follows a specific, lethal pattern:

Step 1: Initial Access. Attackers are predominantly gaining entry via compromised SSL VPN credentials or unpatched vulnerabilities in edge-facing network appliances. Once inside, they establish a low-privilege foothold.

Step 2: Neutralization. The UnDefend exploit is deployed to ensure that Microsoft Defender does not receive signature updates for the attacker’s specific toolkit. In some cases, the entire anti-malware platform is disabled to clear the path for more aggressive tools.

Step 3: Elevation. The RedSun exploit is executed to transition from a standard user to SYSTEM. This allows the attacker to clear Windows Event Logs, disabling the “bread crumbs” that forensic investigators use to track breaches.

Step 4: Lateral Movement and Exfiltration. With SYSTEM privileges and no active antivirus monitoring, the attackers use frameworks such as Cobalt Strike or Sliver to move laterally through the internal network, targeting Domain Controllers and sensitive data repositories.
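Steps 2 and 3 of this chain leave artifacts in the standard Windows logs even when Defender itself has been silenced: disabling real-time or scanning protection is written to the Defender operational log, and clearing the Security or System log writes a final "log cleared" record that names the account that did it. The script below is an added example, not code from the article or from Huntress: it builds a short host timeline from those events and flags the ordering the article reports (protection disabled first, logs cleared afterwards). The event IDs are standard Windows and Defender IDs; the 72-hour window and the output shape are assumptions.

```powershell
# Added example (not from the original article): timeline of tamper artifacts left by
# the observed chain, and a check for "Defender disabled, then logs cleared".
$LookbackHours = 72    # assumption
$since = (Get-Date).AddHours(-$LookbackHours)

$Queries = @(
    @{ Label = 'Security audit log cleared';  Filter = @{ LogName = 'Security'; Id = 1102; StartTime = $since } }
    @{ Label = 'Event log cleared';           Filter = @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Eventlog'; Id = 104; StartTime = $since } }
    @{ Label = 'Defender protection changed'; Filter = @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5001, 5007, 5010, 5012; StartTime = $since } }
    # 5001 = real-time protection disabled, 5007 = configuration changed,
    # 5010 = malware scanning disabled, 5012 = virus scanning disabled
)

function Get-ActingUser {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    # 1102 and 104 carry the clearing account under UserData/LogFileCleared.
    try {
        $x = [xml]$Event.ToXml()
        $c = $x.Event.UserData.LogFileCleared
        if ($c) { return "$($c.SubjectDomainName)\$($c.SubjectUserName)" }
    } catch { }
    if ($Event.UserId) { return $Event.UserId.Value }   # SID when no friendly name is available
    return ''
}

function Get-TamperTimeline {
    $rows = foreach ($q in $Queries) {
        Get-WinEvent -FilterHashtable $q.Filter -ErrorAction SilentlyContinue | ForEach-Object {
            [pscustomobject]@{
                Time   = $_.TimeCreated
                Log    = $_.LogName
                Id     = $_.Id
                What   = $q.Label
                Actor  = Get-ActingUser $_
                Detail = ($_.Message -split "`r?`n")[0]
            }
        }
    }
    $rows | Sort-Object Time
}

function Test-ChainPattern {
    param([object[]]$Timeline)
    # The field pattern: protection neutralized first, logs cleared afterwards.
    $disable = $Timeline | Where-Object { $_.Id -in 5001, 5010, 5012 } | Select-Object -First 1
    $clear   = $Timeline | Where-Object { $_.Id -in 1102, 104 }        | Select-Object -Last 1
    return ($null -ne $disable -and $null -ne $clear -and $clear.Time -gt $disable.Time)
}

$timeline = @(Get-TamperTimeline)
$timeline | Format-Table -AutoSize
if (Test-ChainPattern $timeline) {
    Write-Warning 'Defender protection was disabled and event logs were cleared afterwards: investigate this host.'
}
```

The clearing account in the 1102/104 events is the most useful single field: on a host where it is SYSTEM and no administrator was logged on, that is exactly the Step 3 footprint described above. Forward these event IDs to your SIEM before an incident rather than relying on local logs, since the local Security log is what the attacker clears.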

The Patch Tuesday Gap: Why BlueHammer Wasn’t Enough

The cybersecurity community has expressed frustration that the April 2026 Patch Tuesday update only addressed BlueHammer (CVE-2026-33825). BlueHammer was a Remote Code Execution (RCE) vulnerability that allowed attackers to trigger a memory corruption error via a malformed network packet processed by Defender’s “Network Inspection System” (NIS).

While the fix for BlueHammer was vital, the failure to address RedSun and UnDefend has left a massive hole in the Windows ecosystem. Industry insiders suggest that the remaining two bugs are “architectural” in nature, meaning they involve deep-seated logic in how Windows manages service permissions and update integrity. Patching these may require more than a simple code update; it may require a fundamental shift in how the Microsoft Defender service interacts with the Windows Kernel.

In the absence of an official patch, Microsoft has released several “Workaround Recommendations,” though these are often difficult for large enterprises to implement at scale. These include:

  • Implementing strict Windows Defender Application Control (WDAC, now branded App Control for Business) policies to prevent the execution of unknown binaries.
  • Restricting access to the C:\ProgramData\Microsoft\Windows Defender\ directory using advanced NTFS permissions (though this may interfere with legitimate updates).
  • Utilizing Endpoint Detection and Response (EDR) solutions from third-party vendors that do not rely on the Windows Defender engine for their telemetry.

Strategic Implications for Enterprise Security

The exploitation of this Microsoft Defender zero-day highlights a growing trend in the threat landscape: the targeting of security software itself. When the “lock” on the door is the very thing being used to let the intruder in, the traditional defense-in-depth model is compromised. This event serves as a stark reminder that no single security product should be a single point of failure.

For organizations relying solely on Microsoft Defender, the current situation necessitates a move toward Zero Trust Architecture. This includes:

  • Micro-segmentation: Limiting the ability of a compromised host to communicate with other parts of the network, regardless of the user’s privilege level.
  • Identity-Centric Security: Moving beyond simple passwords to hardware-backed multi-factor authentication (MFA) to prevent the initial credential theft that often precedes these exploits.
  • Continuous Monitoring: Shifting focus from “prevention” to “detection and response.” Even if Defender is disabled via UnDefend, network-level anomalies and unusual lateral movement should be detectable via Network Detection and Response (NDR) tools.

Conclusion: The Path Forward

As of April 18, 2026, the Microsoft Defender zero-day vulnerabilities RedSun and UnDefend remain a clear and present danger to global digital infrastructure. The “Chaotic Eclipse” leak has democratized high-level exploits that were previously the sole domain of nation-state actors, putting them in the hands of ransomware affiliates and cyber-criminals.

Microsoft is expected to release an "out-of-band" patch or a comprehensive fix in the May 2026 update cycle. Until then, security teams must operate under the assumption that their primary endpoint defense may be compromised. Vigilance, proactive hunting for SYSTEM-level anomalies, and the hardening of SSL VPN gateways are the only viable defenses against this current wave of exploitation. The "Ninja Editor" team will continue to monitor the situation and provide technical updates as the Microsoft response evolves.

Written by

TempMail Ninja
