TempMail Ninja

Microsoft Defender Zero-Days: Active Exploitation of RedSun and UnDefend Flaws

In the high-stakes landscape of global cybersecurity, the month of April 2026 has become a watershed moment for endpoint security. While the technical community was still digesting the implications of the “BlueHammer” vulnerability (CVE-2026-33825), a more insidious pair of threats has emerged, leaving security teams in a state of high alert. The Italian National Cybersecurity Agency (CSIRT-ITA), alongside elite research firms like Huntress and Vectra AI, has confirmed the active exploitation of two unpatched Microsoft Defender Zero-Days: codenamed RedSun and UnDefend.

These vulnerabilities are not merely isolated bugs; they represent a fundamental subversion of the trust model upon which modern Windows environments are built. By weaponizing the very engine designed to protect the operating system, threat actors have found a way to achieve full SYSTEM-level dominance and total visibility suppression. As of late April 2026, these flaws remain unpatched, creating a critical window of exposure for organizations worldwide.

The Anatomy of the Threat: Understanding Microsoft Defender Zero-Days

The current crisis is defined by a “triple-threat” architecture originally disclosed by a researcher known as “Chaotic Eclipse” (or Nightmare-Eclipse). This researcher published functional proof-of-concept (PoC) code following a reported dispute with the Microsoft Security Response Center (MSRC). While Microsoft moved swiftly to address the first component, BlueHammer, in its April 14th update, the remaining two exploits—RedSun and UnDefend—have effectively bypassed those initial mitigations.

The danger of these Microsoft Defender Zero-Days lies in their “living-off-the-land” (LotL) nature. They do not require complex kernel-level memory corruption or sophisticated heap sprays. Instead, they abuse legitimate, high-privilege logic within the MsMpEng.exe (Antimalware Service Executable) and the Windows Cloud Files API. This makes detection through traditional signature-based methods nearly impossible, as the malicious activity is performed by a trusted system process.

The Triple-Threat Landscape of April 2026:

  • BlueHammer (CVE-2026-33825): A Local Privilege Escalation (LPE) flaw that utilized Volume Shadow Copy (VSS) snapshots and opportunistic locks (oplocks) to extract SAM hashes. This was patched in Antimalware Platform v4.18.26050.3011.
  • RedSun: An unpatched LPE vulnerability that exploits the “restore” logic of cloud-tagged files to overwrite protected system binaries.
  • UnDefend: An unpatched denial-of-service (DoS) exploit that disrupts the signature update pipeline, rendering Defender’s detection logic static and obsolete over time.

RedSun: The Path to SYSTEM Supremacy

If BlueHammer was a scalpel, RedSun is a sledgehammer. This vulnerability targets the way Microsoft Defender handles files marked with metadata from the Windows Cloud Files API (specifically cldapi.dll). This API is the backbone for services like OneDrive and Dropbox, allowing the OS to manage “placeholder” files that represent content stored in the cloud.

The technical root cause of RedSun is a missing reparse point validation in MpSvc.dll, the core of the Malware Protection Engine. When Defender identifies a malicious file that carries a cloud-sync attribute, it triggers a specialized remediation path. Instead of standard quarantine, the engine attempts to “restore” or “resync” the file to its original detection path. The exploit works through the following sequence:

  1. The attacker registers a fake Cloud Files sync root using CfRegisterSyncRoot() and creates a placeholder file via CfCreatePlaceholders().
  2. This placeholder is seeded with a known malicious signature, such as the EICAR test string, to guarantee a Defender detection.
  3. As Defender’s SYSTEM-level thread initiates the remediation (restore) operation, the attacker uses a batch opportunistic lock (oplock) to pause the process at the precise moment between the file check and the file write (a classic TOCTOU race condition).
  4. While the process is paused, the attacker swaps the target directory for a directory junction or mount point pointing to a sensitive system directory, such as C:\Windows\System32.
  5. Defender resumes execution and “helpfully” writes the attacker’s malicious binary into the protected path, often overwriting TieringEngineService.exe or similar legitimate services.

Because the write operation is performed by MsMpEng.exe, it bypasses all standard filesystem permissions and Windows Resource Protection (WRP) checks. Once the system service is restarted—or the machine reboots—the attacker’s code executes with full SYSTEM privileges.
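A defender-side hunt for the redirection step described above, written as an added example for this article rather than code from the original post or from the researcher who disclosed the flaw. It walks a user-writable tree without following links and reports any junction, mount point or symbolic link whose target resolves into a protected system directory. The protected prefixes, the sample layout and the use of a symlink as a stand-in for a junction (a real junction can only be created on Windows) are all assumptions of the example.

```python
import os
import stat
import tempfile

# Directories a user-controlled reparse point should never resolve into.
# Assumed list for this example; extend it to suit your build.
PROTECTED_PREFIXES = (r"C:\Windows\System32", r"C:\Windows\SysWOW64")


def is_reparse_point(path: str) -> bool:
    """True for junctions, mount points and symbolic links.

    On Windows the NTFS reparse attribute reveals junctions, which
    os.path.islink() alone does not report; elsewhere islink() is enough.
    """
    st = os.lstat(path)
    attrs = getattr(st, "st_file_attributes", 0)
    if attrs & getattr(stat, "FILE_ATTRIBUTE_REPARSE_POINT", 0):
        return True
    return os.path.islink(path)


def _norm(p: str) -> str:
    return os.path.normcase(os.path.normpath(p))


def find_redirects(root: str, protected=PROTECTED_PREFIXES):
    """Walk `root` without following links and return (link, target) pairs
    for every reparse point whose target lies under a protected prefix."""
    hits = []
    prot = [_norm(p) for p in protected]
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        # Live directory links appear in dirnames, dangling ones in filenames.
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            try:
                if not is_reparse_point(full):
                    continue
                target = os.readlink(full)
            except OSError:
                continue
            # Windows returns junction targets in the \\?\ extended form.
            if target.startswith("\\\\?\\"):
                target = target[4:]
            if not os.path.isabs(target):
                target = os.path.join(dirpath, target)
            t = _norm(target)
            if any(t == p or t.startswith(p + os.sep) for p in prot):
                hits.append((full, target))
    return hits


def demo():
    """Constructed layout for the example: a user-writable folder holding a
    link into a stand-in for a protected system directory."""
    base = tempfile.mkdtemp()
    protected = os.path.join(base, "Windows", "System32")
    os.makedirs(protected)
    pictures = os.path.join(base, "Users", "alice", "Pictures")
    os.makedirs(pictures)
    os.makedirs(os.path.join(pictures, "holiday"))  # ordinary folder, must not fire
    os.symlink(protected, os.path.join(pictures, "stage"), target_is_directory=True)
    return find_redirects(os.path.join(base, "Users"), protected=(protected,))


if __name__ == "__main__":
    for link, target in demo():
        print(f"reparse point {link} -> {target}")
```

On a production host you would point `find_redirects` at `C:\Users` (and any registered sync root) with the real `PROTECTED_PREFIXES`; a hit is not proof of exploitation, but a link from a profile folder into System32 has no legitimate reason to exist and deserves triage alongside the hash checks described later in the article.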

UnDefend: Blinding the Watchman

While RedSun provides the “muscle,” UnDefend provides the “stealth.” This exploit targets Defender’s update mechanism. In a modern environment, an antivirus is only as good as its last signature update. By disrupting the MpSigStub.exe process and the communication channels between the local engine and the Microsoft Protection Center, UnDefend effectively “freezes” the security software in time.

Research indicates that UnDefend can be deployed by a low-privileged user to block incoming definition updates without triggering a “tamper protection” alert. In its aggressive mode, the exploit can cause the MsMpEng.exe process to enter a deadlocked state, where it continues to report “Healthy” to the Windows Security Center and centralized management consoles (like Microsoft Intune or Defender for Endpoint) while actually performing zero real-time scanning.

This “blinding” technique is particularly lethal when paired with RedSun. Attackers use UnDefend to ensure that their subsequent payloads—which might otherwise be caught by emerging signatures—remain undetected. It creates a “permanent zero-day” environment on the local host, where the security stack is physically present but operationally dead.

The Lethal Synergy: Chaining Microsoft Defender Zero-Days

Threat intelligence from the field, including reports from CSIRT-ITA, shows that attackers are not using these tools in isolation. We are seeing a coordinated attack chain that maximizes both impact and persistence. The most common “Playbook” observed in the wild follows a sophisticated four-stage process:

1. Initial Foothold

Attackers gain access through standard vectors: unpatched SSL VPNs, phishing, or stolen credentials. At this stage, they are a low-privileged “standard user” on a Windows 10 or 11 endpoint.

2. The Privilege Jump (RedSun)

The attacker deploys the RedSun exploit. By tricking Defender into overwriting TieringEngineService.exe, they escalate from a standard user to NT AUTHORITY\SYSTEM. This gives them total control over the local machine, including the ability to dump credentials from the SAM and LSASS memory.

3. Defensive Sabotage (UnDefend)

With SYSTEM access, the attacker runs UnDefend. This ensures that even if Microsoft releases new signatures to detect the specific RedSun exploit or the attacker’s lateral movement tools, the endpoint will never receive them. The “Watchman” is now both blind and deaf.

4. Persistence and Lateral Movement

The attacker uses their elevated privileges to move laterally across the network, targeting Domain Controllers or sensitive data repositories. Because Defender is still reporting a “Green” status to the IT department, the breach remains undetected for weeks or months.

Technical Indicators and Immediate Response Protocols

Since a patch for RedSun and UnDefend is still pending, organizations must pivot to behavioral detection and aggressive monitoring. Security Operations Centers (SOCs) should prioritize the following Indicators of Compromise (IoCs) and behavioral patterns:

  • Unauthorized Registry Modifications: Monitor for changes in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Signature Updates. Any process other than trusted system updates attempting to modify these keys should be flagged.
  • File Hash Discrepancies: Baseline the SHA-256 hashes of critical binaries in System32, specifically TieringEngineService.exe and MpSvc.dll. RedSun activity often results in a hash mismatch for these files.
  • Volume Shadow Copy Abuse: Alert on any non-backup process calling NtQueryDirectoryObject with targets resembling \Device\HarddiskVolumeShadowCopy*. This is a primary indicator of the VSS-based redirection used in the BlueHammer/RedSun family of exploits.
  • Suspicious Commands: Attackers typically follow an escalation with discovery commands. Monitor for whoami /priv, cmdkey /list, and net group "Domain Admins" /domain originating from unexpected or newly elevated processes.
  • Sync Root Registration: Monitor for CfRegisterSyncRoot events from processes located in user-writable directories like \Downloads or \Pictures. Legitimate sync roots (OneDrive/Dropbox) are rarely registered from these locations.
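The indicators above, plus the “frozen signatures” condition from the UnDefend section, expressed as detection rules over endpoint telemetry. This is an added example for the article, not code from the original post or from any of the vendors it cites. The event shapes, the trusted-updater directories, the expected parents of SYSTEM processes, the three-day signature-age threshold and the sample events (including the placeholder hashes) are all assumptions made for the example; map them onto your own EDR or Sysmon fields before use.

```python
import re
from datetime import datetime, timedelta, timezone

# ---- Reference data: assumptions for this example, tune to your estate ----
SIG_UPDATE_KEY = r"HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates"
TRUSTED_UPDATER_DIRS = (  # images allowed to write that key
    "c:\\programdata\\microsoft\\windows defender\\platform\\",
    "c:\\program files\\windows defender\\",
)
USER_WRITABLE_MARKERS = ("\\downloads\\", "\\pictures\\")
EXPECTED_SYSTEM_PARENTS = ("services.exe", "wininit.exe")  # normal parents of SYSTEM shells
DISCOVERY_PATTERNS = [re.compile(p, re.I) for p in (
    r"\bwhoami(\.exe)?\s+/priv\b",
    r"\bcmdkey(\.exe)?\s+/list\b",
    r'\bnet1?(\.exe)?\s+group\s+"domain admins"\s+/domain\b',
)]
MAX_SIGNATURE_AGE = timedelta(days=3)  # older than this counts as "frozen"


def _low(s):
    return (s or "").lower()


def rule_registry(ev):
    """Signature Updates key written by anything outside the Defender install tree."""
    if ev["type"] != "registry_set" or not _low(ev["key"]).startswith(_low(SIG_UPDATE_KEY)):
        return None
    if any(_low(ev["image"]).startswith(d) for d in TRUSTED_UPDATER_DIRS):
        return None
    return f"untrusted process {ev['image']} modified {ev['key']}"


def rule_discovery(ev):
    """Discovery command from a user-writable parent or an unexpected SYSTEM parent."""
    if ev["type"] != "process_create":
        return None
    if not any(p.search(ev["cmdline"]) for p in DISCOVERY_PATTERNS):
        return None
    parent = _low(ev["parent_image"])
    parent_name = parent.rsplit("\\", 1)[-1]
    from_user_dir = any(m in parent for m in USER_WRITABLE_MARKERS)
    odd_system = _low(ev["user"]) == r"nt authority\system" and parent_name not in EXPECTED_SYSTEM_PARENTS
    if from_user_dir or odd_system:
        return f"discovery command {ev['cmdline']!r} as {ev['user']} from {ev['parent_image']}"
    return None


def rule_syncroot(ev):
    """CfRegisterSyncRoot called by an image living under a user-writable folder."""
    if ev["type"] != "api_call" or ev["api"] != "CfRegisterSyncRoot":
        return None
    if any(m in _low(ev["image"]) for m in USER_WRITABLE_MARKERS):
        return f"sync root registered by {ev['image']}"
    return None


def rule_hash(ev, baseline):
    """Observed SHA-256 of a baselined System32 binary no longer matches."""
    if ev["type"] != "file_hash":
        return None
    expected = baseline.get(_low(ev["path"]))
    if expected and expected != _low(ev["sha256"]):
        return f"hash mismatch for {ev['path']}"
    return None


def rule_stale_signatures(ev, now):
    """Definitions older than the threshold, whatever health the host reports."""
    if ev["type"] != "defender_status":
        return None
    age = now - datetime.fromisoformat(ev["signature_updated"])
    if age > MAX_SIGNATURE_AGE:
        return f"signatures {age.days} days old while host reports {ev['reported_health']}"
    return None


def evaluate(events, baseline, now):
    """Run every rule over every event; return (rule_name, detail) alerts in event order."""
    alerts = []
    for ev in events:
        for name, hit in (("registry", rule_registry(ev)), ("discovery", rule_discovery(ev)),
                          ("syncroot", rule_syncroot(ev)), ("hash", rule_hash(ev, baseline)),
                          ("stale_sig", rule_stale_signatures(ev, now))):
            if hit:
                alerts.append((name, hit))
    return alerts


# ---- Constructed sample telemetry (not real logs); hashes are placeholders ----
NOW = datetime(2026, 4, 28, 12, 0, tzinfo=timezone.utc)
BASELINE = {r"c:\windows\system32\tieringengineservice.exe": "a" * 64}
SAMPLE_EVENTS = [
    {"type": "registry_set", "image": r"C:\Users\alice\Downloads\sync.exe", "key": SIG_UPDATE_KEY},
    {"type": "registry_set", "image": r"C:\Program Files\Windows Defender\MpCmdRun.exe", "key": SIG_UPDATE_KEY},
    {"type": "api_call", "api": "CfRegisterSyncRoot", "image": r"C:\Users\alice\Pictures\update.exe"},
    {"type": "process_create", "cmdline": "whoami  /priv", "user": r"NT AUTHORITY\SYSTEM",
     "parent_image": r"C:\Windows\System32\TieringEngineService.exe"},
    {"type": "process_create", "cmdline": "whoami /priv", "user": r"CORP\alice",
     "parent_image": r"C:\Windows\System32\cmd.exe"},
    {"type": "file_hash", "path": r"C:\Windows\System32\TieringEngineService.exe", "sha256": "b" * 64},
    {"type": "defender_status", "signature_updated": "2026-04-10T09:00:00+00:00", "reported_health": "Healthy"},
]

if __name__ == "__main__":
    for name, detail in evaluate(SAMPLE_EVENTS, BASELINE, NOW):
        print(f"[{name}] {detail}")
```

The point of `rule_stale_signatures` is that it never trusts the self-reported health value: it measures the age of the definitions directly, which is the only signal a frozen engine cannot forge. The benign second registry event and the administrator’s own `whoami /priv` are included so the rules can be seen not to fire on expected activity.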

Strategic Outlook: The Security Software Paradox

The emergence of these Microsoft Defender Zero-Days highlights a growing paradox in cybersecurity: the tools we use to defend our systems are increasingly being turned into the very doors through which attackers enter. Because security software must operate with the highest possible privileges to be effective, any logic flaw within that software carries a disproportionate amount of risk.

The “Dual-Strike” of RedSun and UnDefend is a reminder that “Defense in Depth” is not a luxury, but a necessity. Relying solely on a single endpoint protection platform (EPP)—even one as integrated as Microsoft Defender—creates a single point of failure. Organizations must complement their EPP with network-level visibility (NDR), identity-centric security (ITDR), and robust, offline logging that attackers cannot easily suppress.

As we await the official remediation from Microsoft, the primary defense against these Microsoft Defender Zero-Days remains vigilance and the assumption of breach. The ability to detect the behavior of an elevated attacker is now more critical than the ability to detect the exploit itself.

Written by

TempMail Ninja

Digital privacy and online security expert. Passionate about creating tools that protect users' identity on the internet.