TempMail Ninja

Microsoft Defender Zero-Days: RedSun and UnDefend Exploited

Two potent, unpatched Microsoft Defender zero-days emerged this week, threatening the primary security layer on millions of Windows endpoints. On April 17, 2026, Huntress Labs and BleepingComputer reported that the exploits, dubbed RedSun and UnDefend, are being used in the wild by "hands-on-keyboard" threat actors. Both target remediation and update logic in the Microsoft Malware Protection Engine, and both were published by a security researcher operating under the handle "Chaotic Eclipse" (also known as Nightmare-Eclipse) as a protest against the Microsoft Security Response Center (MSRC).

Microsoft's April 14, 2026, Patch Tuesday addressed an earlier related flaw, tracked as CVE-2026-33825 (BlueHammer), but the subsequent release of RedSun and UnDefend leaves organizations exposed. The two flaws compound each other: one gives near-guaranteed local privilege escalation (LPE) to SYSTEM, the other "blinds" the antivirus suite by stopping it from receiving definition updates. For security teams this is close to a worst case: the native defense not only fails to stop an attacker but is co-opted as the tool for taking over the system.

The Anatomy of RedSun: Turning Defender Against the System

RedSun is the more technically audacious of the two. It is not a buffer overflow or other memory-corruption bug; it abuses a logic flaw in how Microsoft Defender remediates files flagged by cloud-delivered protection. When Defender classifies a file as malicious through its cloud lookup, it starts a remediation sequence. According to the published research, for certain cloud-tagged files the engine (the logic lives in MpSvc.dll, loaded by the MsMpEng.exe service process) writes the file back to its original location for consistency before the final quarantine action. That write is the primitive the exploit hijacks.

The attack chain combines the Windows Cloud Files API (cldapi.dll) with two well-known NTFS primitives, opportunistic locks and junctions, in a time-of-check-to-time-of-use race against the restoration write. It typically proceeds as follows:

  • Initial Placement: The attacker writes a "trigger" file, typically the EICAR test string or another file with a known signature, to a user-controlled directory.
  • Oplock Interruption: The attacker holds an opportunistic lock (oplock) on the trigger file. When Defender's MsMpEng.exe opens the file to scan and remediate it, the filesystem breaks the oplock and holds Defender's open until the attacker acknowledges the break, so the attacker decides when Defender is allowed to continue.
  • Path Redirection: While Defender is held, the attacker replaces the original directory with an NTFS junction (a mount-point reparse point), so the path Defender recorded for the file now resolves into a protected directory such as C:\Windows\System32.
  • SYSTEM-Level Overwrite: The attacker releases the oplock and Defender resumes its "restoration" write along the redirected path. Because MsMpEng.exe runs as NT AUTHORITY\SYSTEM, the write succeeds where an unprivileged user's would be denied, and a legitimate system binary (in the published chain, typically TieringEngineService.exe or DisplaySwitch.exe) is overwritten with the attacker's payload. The escalation completes when the system next runs that binary.

Security analyst Will Dormann has verified that RedSun remains 100% reliable on fully patched Windows 11 and Windows Server 2022 systems. Because the restoration write does not validate reparse points on its target path, any system with Defender active is exposed to this escalation path.

UnDefend: Blinding the Sentinel

While RedSun provides the “keys to the kingdom,” UnDefend ensures that the attacker can operate without the threat of discovery. This second zero-day targets the update and synchronization mechanism of the Microsoft Defender suite. Researchers have characterized UnDefend as a denial-of-service (DoS) attack against the security suite’s intelligence feed.

By exploiting a weakness in how Defender validates its update sub-processes, a standard user can trigger a condition that stalls MpSigStub.exe (the Microsoft Malware Protection Signature Update Stub) indefinitely, so the host stops pulling new definitions from Microsoft. In a "hands-on-keyboard" intrusion this lets the actor deploy newer, custom-packed malware that definitions released after the stall would have caught. UnDefend can also be used to produce a "blinding" effect in which the Defender UI reports a "Healthy" status while the real-time protection engine underneath has been neutered.

Technical Impact of the “Defender Blinding” Strategy

  1. Update Suppression: Neither Windows Update (KB) definition packages nor direct signature downloads complete.
  2. Telemetry Interruption: Behavioral signals stop reaching Microsoft Defender for Endpoint (MDE) consoles.
  3. Persistence: Because the host believes it is current, no alert fires for the stale definitions or the missing scans.
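A stalled host that still reports itself as current cannot be caught by asking that host whether it is healthy; it has to be compared against the rest of the fleet and against the raw update timestamp. The following is an added example, not code from the article or from Microsoft: it takes, for each host, the fields a collector would gather with `Get-MpComputerStatus | ConvertTo-Json` (AntivirusSignatureVersion, AntivirusSignatureLastUpdated, AntivirusSignatureAge, RealTimeProtectionEnabled and AMRunningMode are real property names) plus a "Host" label added by the collector. The host names, versions, timestamps, the collection time NOW and the thresholds are all constructed for the example.

```python
"""Cross-check Defender update health across a fleet instead of trusting
each host's own "healthy" verdict.

Added example (not from the article or Microsoft). Property names match
Get-MpComputerStatus output; hosts, versions, timestamps and NOW are
constructed, and "Host" is assumed to be added by the collector.
"""
from datetime import datetime, timedelta

MAX_AGE = timedelta(hours=24)   # definitions ship several times a day; a day is stale
GRACE = timedelta(hours=12)     # being behind the fleet is tolerated within this


def parse_version(v):
    """'1.431.240.0' -> (1, 431, 240, 0) for ordered comparison."""
    return tuple(int(x) for x in v.split("."))


def signature_age(host, now):
    return now - datetime.fromisoformat(host["AntivirusSignatureLastUpdated"])


def assess_host(host, reference, now):
    """Return the list of reasons this host needs a look (empty if none)."""
    reasons = []
    ver = parse_version(host["AntivirusSignatureVersion"])
    age = signature_age(host, now)
    if age > MAX_AGE:
        reasons.append(f"definitions last updated {age.days}d {age.seconds // 3600}h ago")
    elif ver < reference and age > GRACE:
        reasons.append(f"version {host['AntivirusSignatureVersion']} behind fleet reference")
    # AntivirusSignatureAge is the counter the UI shows. If it disagrees
    # with the raw timestamp, the status surface itself is unreliable.
    if abs(host["AntivirusSignatureAge"] - age.days) > 1:
        reasons.append(f"host reports signature age {host['AntivirusSignatureAge']}d "
                       f"but the update timestamp implies {age.days}d")
    if not host["RealTimeProtectionEnabled"]:
        reasons.append("real-time protection disabled")
    if host["AMRunningMode"] != "Normal":
        reasons.append(f"AMRunningMode={host['AMRunningMode']} "
                       "(expected only where a third-party AV is primary)")
    return reasons


def assess_fleet(hosts, now):
    """Map host -> reasons. The newest version seen anywhere in the fleet is
    the reference, so a single stalled host stands out; if every host has
    stalled, the MAX_AGE check still fires."""
    reference = max(parse_version(h["AntivirusSignatureVersion"]) for h in hosts)
    findings = {}
    for h in hosts:
        reasons = assess_host(h, reference, now)
        if reasons:
            findings[h["Host"]] = reasons
    return findings


# Constructed collection time and sample records (not real telemetry).
NOW = datetime.fromisoformat("2026-04-17T10:00:00+00:00")
SAMPLE_HOSTS = [
    {"Host": "WS-0101", "AntivirusSignatureVersion": "1.431.240.0",
     "AntivirusSignatureLastUpdated": "2026-04-17T06:02:11+00:00",
     "AntivirusSignatureAge": 0, "RealTimeProtectionEnabled": True, "AMRunningMode": "Normal"},
    {"Host": "WS-0102", "AntivirusSignatureVersion": "1.431.233.0",
     "AntivirusSignatureLastUpdated": "2026-04-17T02:15:00+00:00",
     "AntivirusSignatureAge": 0, "RealTimeProtectionEnabled": True, "AMRunningMode": "Normal"},
    # Stalled updater that still reports itself as current: the UnDefend picture.
    {"Host": "WS-0412", "AntivirusSignatureVersion": "1.431.198.0",
     "AntivirusSignatureLastUpdated": "2026-04-13T11:20:44+00:00",
     "AntivirusSignatureAge": 0, "RealTimeProtectionEnabled": True, "AMRunningMode": "Normal"},
    # Legitimately behind a third-party AV; surfaces for triage, not as an incident.
    {"Host": "SRV-DB01", "AntivirusSignatureVersion": "1.431.240.0",
     "AntivirusSignatureLastUpdated": "2026-04-17T05:50:00+00:00",
     "AntivirusSignatureAge": 0, "RealTimeProtectionEnabled": False, "AMRunningMode": "Passive Mode"},
]

if __name__ == "__main__":
    for host, reasons in assess_fleet(SAMPLE_HOSTS, NOW).items():
        print(host, "->", "; ".join(reasons))
```

Feed it real data by running `Get-MpComputerStatus | Select-Object AntivirusSignatureVersion, AntivirusSignatureLastUpdated, AntivirusSignatureAge, RealTimeProtectionEnabled, AMRunningMode | ConvertTo-Json` on each host through your management tooling. A host that lags the fleet, insists its age is zero, and then fails a forced `MpCmdRun.exe -SignatureUpdate` is the one to isolate and image.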

The Human Element: Chaotic Eclipse and the MSRC Conflict

The release of these Microsoft Defender zero-days is not merely a technical failure but a symptom of a growing rift between the independent research community and major software vendors. The researcher known as “Chaotic Eclipse” claimed that these exploits were dropped as “full disclosure” because Microsoft’s Security Response Center allegedly mishandled previous reports. According to posts on GitHub and X, the researcher felt “dismissed and mistreated” by the MSRC, leading to the decision to leak the Proof-of-Concept (PoC) code publicly.

This incident highlights a dangerous trend in 2026: “Vengeance Leaking.” When researchers feel that the bug bounty process or the communication channels with vendors have broken down, they may bypass coordinated disclosure entirely. In this case, the result was the immediate weaponization of RedSun and UnDefend by threat actors within hours of the PoC appearing on GitHub. Huntress Labs reported that initial access in several observed breaches was gained via compromised SSLVPN credentials, after which the actors immediately deployed RedSun to jump from a standard user to SYSTEM privileges.

Detection and Mitigation: Looking Beyond Native Defenses

With no official patch available for RedSun or UnDefend as of April 17, 2026, organizations must adjust their defensive posture. Relying solely on the native Defender engine is insufficient while the engine itself is the exploitation vector. Security teams should implement the following detection and mitigation measures:

1. Monitor for Oplock and Junction Abuse

The hallmark of RedSun is a junction appearing and disappearing in a user-writable directory in the seconds around cldapi.dll activity, followed by a file write into System32 by the Defender service itself. Two telemetry sources cover that write. Security Event ID 4663 (An attempt was made to access an object) records it only if Object Access auditing is enabled and a SACL exists on the System32 tree; Sysmon Event ID 11 (FileCreate) fires on file creation and overwrite without any SACL. In either case the process to key on is MsMpEng.exe and the target a path that resolves into C:\Windows\System32, where Defender has no business writing executables. Oplock requests (FSCTL_REQUEST_OPLOCK) are not surfaced by standard Windows auditing, so a rule of the form "oplock taken on a file immediately before a SYSTEM-level service modifies it" needs an EDR with its own minifilter visibility.

2. Audit cldapi.dll Activity

Since RedSun uses the Windows Cloud Files API to tag the trigger file, unusual loads of cldapi.dll by unprivileged processes are worth monitoring. The library is loaded legitimately by sync providers such as OneDrive and by Explorer, so baseline those first; a process outside that baseline interacting with the API shortly before Defender's remediation logic fires on a system-critical path is the signal.
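Detection logic for items 1 and 2 above, written as an added example that is not code from the article, from Huntress, or from Microsoft. It runs over a constructed list of records shaped like Sysmon Event ID 7 (ImageLoaded) and Event ID 11 (FileCreate) exported to JSON; the field names (EventID, UtcTime, Computer, Image, ImageLoaded, TargetFilename) are Sysmon's, while the computer name, user paths, timestamps and the Defender platform folder version are invented. The cldapi.dll baseline and the five-minute correlation window are assumptions to tune per estate.

```python
"""Hunt for the RedSun write pattern in Sysmon-style telemetry.

Added example (not code from the article, Huntress, or Microsoft). Field
names follow Sysmon Event ID 7 and 11; every record below is constructed.
"""
from datetime import datetime, timedelta

DEFENDER_ENGINE = "msmpeng.exe"
SYSTEM32 = r"c:\windows\system32"
PAYLOAD_EXTENSIONS = (".exe", ".dll", ".sys")
CLOUD_FILES_API = "cldapi.dll"
# Sync providers load cldapi.dll legitimately; extend this from your own baseline.
CLDAPI_BASELINE = {"onedrive.exe", "explorer.exe"}
WINDOW = timedelta(minutes=5)   # staging-to-write distance worth correlating


def norm_path(path):
    """Lower-case and drop the \\?\ prefix so path comparisons are stable."""
    p = path.strip().lower()
    return p[4:] if p.startswith("\\\\?\\") else p


def basename(path):
    return norm_path(path).rsplit("\\", 1)[-1]


def parse_time(s):
    """Sysmon UtcTime, e.g. '2026-04-17 09:14:03.117'."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")


def detect_redsun(events):
    """Return one alert per executable that MsMpEng.exe creates or overwrites
    under System32. Severity rises to critical when a non-baseline process
    on the same host loaded cldapi.dll within WINDOW beforehand."""
    staging = [
        e for e in events
        if e["EventID"] == 7
        and basename(e["ImageLoaded"]) == CLOUD_FILES_API
        and basename(e["Image"]) not in CLDAPI_BASELINE
    ]
    alerts = []
    for e in events:
        if e["EventID"] != 11 or basename(e["Image"]) != DEFENDER_ENGINE:
            continue
        target = norm_path(e["TargetFilename"])
        if not (target.startswith(SYSTEM32 + "\\") and target.endswith(PAYLOAD_EXTENSIONS)):
            continue
        written_at = parse_time(e["UtcTime"])
        related = [
            s for s in staging
            if s["Computer"] == e["Computer"]
            and timedelta(0) <= written_at - parse_time(s["UtcTime"]) <= WINDOW
        ]
        alerts.append({
            "computer": e["Computer"],
            "target": e["TargetFilename"],
            "severity": "critical" if related else "high",
            "staging_process": related[0]["Image"] if related else None,
        })
    return alerts


# Constructed sample (platform folder version is a placeholder): a sync
# client loading cldapi.dll (benign), an unprivileged binary loading it
# (staging), Defender writing its own scan history (benign), Defender
# overwriting a System32 service binary (the RedSun signal), and a
# servicing-stack write to System32 (benign, wrong process).
MSMPENG = r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.0.0-0\MsMpEng.exe"
SAMPLE_EVENTS = [
    {"EventID": 7, "UtcTime": "2026-04-17 09:13:58.004", "Computer": "WS-0412",
     "Image": r"C:\Users\jdoe\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "ImageLoaded": r"C:\Windows\System32\cldapi.dll"},
    {"EventID": 7, "UtcTime": "2026-04-17 09:14:03.117", "Computer": "WS-0412",
     "Image": r"C:\Users\jdoe\Downloads\stage.exe",
     "ImageLoaded": r"C:\Windows\System32\cldapi.dll"},
    {"EventID": 11, "UtcTime": "2026-04-17 09:14:05.330", "Computer": "WS-0412",
     "Image": MSMPENG,
     "TargetFilename": r"C:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Quick\scan.log"},
    {"EventID": 11, "UtcTime": "2026-04-17 09:14:09.502", "Computer": "WS-0412",
     "Image": MSMPENG,
     "TargetFilename": r"\\?\C:\Windows\System32\TieringEngineService.exe"},
    {"EventID": 11, "UtcTime": "2026-04-17 09:20:41.900", "Computer": "WS-0412",
     "Image": r"C:\Windows\servicing\TrustedInstaller.exe",
     "TargetFilename": r"C:\Windows\System32\DisplaySwitch.exe"},
]

if __name__ == "__main__":
    for alert in detect_redsun(SAMPLE_EVENTS):
        print(alert)
```

Against live data, export the two event types with `Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational'` filtered on Id 7 and 11 and convert the EventData fields into the same dictionary shape. The write rule alone is already high fidelity: the Defender engine writes under its own ProgramData directories, and a create or overwrite of an executable under System32 by MsMpEng.exe is the anomalous file-write activity the closing recommendation of this article asks you to watch for.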

3. Implement Third-Party EDR/XDR

UnDefend specifically "blinds" Defender, so organizations should deploy a secondary, non-Microsoft Endpoint Detection and Response (EDR) solution. Tools that bring their own kernel drivers and do not depend on the Windows Anti-Malware Scan Interface (AMSI) or on Defender's telemetry keep working when the native suite is compromised. Note that installing a second antivirus engine changes Defender's running mode (passive or disabled, depending on platform and MDE onboarding); record the expected mode per host so that it is neither mistaken for an UnDefend stall nor used to mask one.

4. Harden Remote Access Points

Because the observed threat actors are using these Microsoft Defender zero-days as a post-exploitation step, preventing the “foothold” is paramount. This includes:

  • Enforcing phishing-resistant MFA (FIDO2) for all SSLVPN and RDP access.
  • Implementing aggressive session timeouts and IP-based geofencing.
  • Restricting standard users from running common "discovery" tools such as whoami, net.exe, and systeminfo, for example through AppLocker or WDAC rules.

The Road Ahead for Microsoft

The situation remains fluid. While Microsoft has acknowledged the reports and is reportedly working on an “out-of-band” (OOB) security update, the reliability and simplicity of the RedSun exploit make it an attractive tool for ransomware affiliates and state-sponsored actors alike. The Microsoft Defender zero-days have once again raised questions about the security of the “all-in-one” platform approach. When the security software is integrated so deeply into the operating system, its vulnerabilities become the operating system’s vulnerabilities.

For now, the "Ninja Editor" recommendation is clear: assume compromise if Defender is your only line of defense. Monitor your logs for anomalous file-write activity in C:\Windows\System32 by the Defender service itself, and watch for an emergency patch from Redmond. The fight for the Windows endpoint has just become significantly more complicated.

Written by

TempMail Ninja

Digital privacy and online security expert. Passionate about creating tools that protect users' identity on the internet.