Executive Summary
In April 2026, two critical zero-day vulnerabilities—RedSun and UnDefend—were discovered in Microsoft Defender, the default endpoint protection suite for Windows 10, Windows 11, and Windows Server platforms. These vulnerabilities are being actively exploited in the wild, enabling attackers to escalate privileges to SYSTEM and to degrade or disable Defender’s protection mechanisms. While Microsoft has released a patch for the related BlueHammer (CVE-2026-33825) vulnerability, both RedSun and UnDefend remain unpatched as of this report. The exploitation of these flaws allows adversaries to bypass core endpoint defenses, establish persistent access, and facilitate lateral movement or ransomware deployment. This advisory provides a technical breakdown of the vulnerabilities, observed attacker tactics, detection guidance, and actionable mitigation strategies.
Threat Actor Profile
The exploitation of RedSun and UnDefend has been observed in attacks attributed to advanced threat actors and ransomware operators. While no specific Advanced Persistent Threat (APT) group has been publicly linked to these campaigns, the sophistication of the exploitation chains, the use of manual post-exploitation techniques, and the rapid weaponization of public proof-of-concept (PoC) code suggest involvement by actors with significant technical capability and operational maturity. The threat landscape includes financially motivated ransomware groups, initial access brokers, and potentially state-sponsored entities seeking to establish stealthy persistence on high-value targets. The observed Tactics, Techniques, and Procedures (TTPs) align with those used by groups specializing in privilege escalation, defense evasion, and endpoint security bypass.
Technical Analysis of Malware/TTPs
RedSun is a local privilege escalation vulnerability that abuses a logic flaw in Microsoft Defender’s remediation process for files tagged as cloud files (leveraging the Windows Cloud Files API). When Defender detects a malicious file in a user-writable directory (such as Downloads or Pictures), it attempts to remediate by rewriting the file. Attackers exploit this by creating NTFS directory junctions (reparse points) and opportunistic locks (oplocks) to redirect Defender’s privileged write operation to protected system locations, such as C:\Windows\System32\TieringEngineService.exe. This enables a low-privileged user to overwrite critical system binaries with attacker-controlled payloads, achieving SYSTEM-level code execution without requiring kernel exploits or administrative rights.
UnDefend is a Defender degradation vulnerability that allows a local attacker to block or disrupt Defender’s signature and engine updates. By manipulating update mechanisms or leveraging file system tricks, an attacker can cause Defender to appear operational while it is, in fact, outdated and ineffective. This enables adversaries to maintain stealthy persistence post-compromise, as Defender will not detect or remediate subsequent malicious activity.
Attackers typically drop exploit binaries with innocuous names (such as RedSun.exe or FunnyApp.exe) into user-writable directories. The exploitation chain often begins with initial access via phishing, credential theft, or exploitation of remote access solutions, followed by local execution of the exploit to escalate privileges and disable or degrade Defender. Manual post-exploitation actions include credential dumping, lateral movement, and deployment of ransomware or other payloads.
Exploitation in the Wild
Active exploitation of RedSun and UnDefend was first confirmed in mid-April 2026, shortly after public PoC code was released on GitHub. Managed Detection and Response (MDR) providers, including Huntress Labs, have observed real-world intrusions where attackers leveraged these vulnerabilities to gain SYSTEM privileges and disable endpoint protection. Attackers commonly stage exploit binaries in user-writable folders, execute them to gain elevated access, and then use UnDefend techniques to prevent Defender from receiving updates, ensuring continued evasion of detection.
Reports indicate that attackers are chaining these vulnerabilities: first exploiting RedSun to achieve SYSTEM access, then deploying UnDefend to degrade Defender’s effectiveness. This chaining enables persistent, stealthy control over compromised endpoints. The exploitation has been observed in enterprise environments, with attackers targeting both workstations and servers.
Victimology and Targeting
The primary targets of these attacks are organizations running Windows 10, Windows 11, or Windows Server 2019/2022 with Microsoft Defender Antivirus real-time protection enabled. Sectors observed to be at risk include finance, healthcare, government, education, and critical infrastructure, as well as managed service providers (MSPs) and their downstream clients. The vulnerabilities are exploitable on any supported Windows system with Defender enabled and the standard cldapi.dll present. Attackers are opportunistically targeting organizations with exposed endpoints, weak credential hygiene, or insufficient monitoring of endpoint security events.
Mitigation and Countermeasures
Organizations should immediately apply the latest Microsoft Defender updates to address the patched BlueHammer (CVE-2026-33825) vulnerability. Because RedSun and UnDefend remain unpatched, the following additional mitigations are required:
- Monitor for Defender-initiated SYSTEM-level process execution, Defender update failures, and execution of binaries from user-writable directories.
- Restrict execution from directories such as Downloads, Pictures, and Temp to reduce the attack surface.
- Enforce Attack Surface Reduction (ASR) rules and increase alerting for Defender tampering or abnormal remediation activity.
- Supplement Defender with a secondary Endpoint Detection and Response (EDR) solution capable of detecting Defender bypasses.
- In high-risk environments, consider running Defender in passive mode alongside an alternative real-time protection solution.
- Enable Defender tamper protection and audit event logs for privileged service executions from user-writable paths to detect exploitation attempts.
- Prepare for out-of-band patches from Microsoft and maintain heightened vigilance for related threat activity.
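As an added example (not part of this advisory or any vendor's tooling), the following PowerShell function performs a read-only health check for the indicators the technical analysis and mitigation guidance above describe: stale signatures or disabled tamper and real-time protection (the UnDefend symptom), Defender update-failure and tamper events, the Authenticode signature of the System32 binary named as RedSun's overwrite target, and NTFS junctions or freshly written executables in the user-writable staging directories. The cmdlets, Defender operational event IDs (2001 update failed, 5001 real-time protection disabled, 5013 tamper protection blocked a change) and the thresholds are the example's own assumptions, and it assumes an elevated session on Windows 10/11 or Windows Server with the Defender PowerShell module available.

```powershell
function Invoke-DefenderHealthCheck {
    [CmdletBinding()]
    param(
        [int]$MaxSignatureAgeDays = 2,      # assumed threshold for "stale" signatures
        [int]$LookbackDays = 7,
        [string[]]$UserWritableDirs = @("$env:USERPROFILE\Downloads", "$env:USERPROFILE\Pictures", $env:TEMP),
        [string]$WatchedBinary = "$env:SystemRoot\System32\TieringEngineService.exe"
    )
    $findings = [System.Collections.Generic.List[string]]::new()
    $since = (Get-Date).AddDays(-$LookbackDays)

    # 1. Update and protection state: UnDefend leaves Defender running but outdated.
    $s = Get-MpComputerStatus
    if ($s.AntivirusSignatureAge -gt $MaxSignatureAgeDays) { $findings.Add("Signatures are $($s.AntivirusSignatureAge) days old") }
    if (-not $s.IsTamperProtected)         { $findings.Add("Tamper protection is OFF") }
    if (-not $s.RealTimeProtectionEnabled) { $findings.Add("Real-time protection is OFF") }

    # 2. Defender operational log: update failures and tampering in the lookback window.
    $filter = @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = @(2001, 5001, 5013); StartTime = $since }
    foreach ($e in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        $findings.Add("Defender event $($e.Id) at $($e.TimeCreated): $($e.Message.Split("`n")[0])")
    }

    # 3. Integrity of the System32 binary the advisory names as RedSun's overwrite target
    #    (embedded or catalog signature; a replaced binary will not validate as Microsoft-signed).
    $sig = Get-AuthenticodeSignature -FilePath $WatchedBinary
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notlike '*Microsoft*') {
        $findings.Add("$WatchedBinary signature status is $($sig.Status)")
    }

    # 4. Junctions (the redirection primitive) and fresh executables in user-writable staging paths.
    foreach ($dir in ($UserWritableDirs | Where-Object { Test-Path $_ })) {
        Get-ChildItem -Path $dir -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.LinkType -eq 'Junction' } |
            ForEach-Object { $findings.Add("Junction in user-writable path: $($_.FullName) -> $($_.Target)") }
        Get-ChildItem -Path $dir -Recurse -File -Filter *.exe -ErrorAction SilentlyContinue |
            Where-Object { $_.LastWriteTime -gt $since } |
            ForEach-Object { $findings.Add("Recent executable: $($_.FullName) ($($_.LastWriteTime))") }
    }
    return $findings
}

# Print each finding as a warning; an empty result means none of the checked indicators fired.
Invoke-DefenderHealthCheck | ForEach-Object { Write-Warning $_ }
```

Schedule the function to run periodically and forward its output to the SIEM; a junction in Downloads or an unsigned TieringEngineService.exe should be treated as a high-priority incident rather than a warning.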
References
- BlackSwan Cybersecurity Threat Advisory
- GitHub PoC Repository
- Huntress Labs: Nightmare-Eclipse Intrusion
- BleepingComputer: Zero-Days Exploited
- Picus Security: BlueHammer & RedSun
- Qualys: Mitigate RedSun
- SOCRadar: Defender 0days
- ProArch Security Advisory
About Rescana
Rescana is a leader in Third-Party Risk Management (TPRM), providing organizations with a comprehensive platform to assess, monitor, and mitigate cyber risks across their supply chain and digital ecosystem. Our advanced threat intelligence and automation capabilities empower security teams to proactively identify vulnerabilities, respond to emerging threats, and ensure compliance with industry standards. For more information about how Rescana can help strengthen your organization’s cyber resilience, please contact us at ops@rescana.com.