Two Unpatched Windows Defender Zero-Days (RedSun + UnDefend) Actively Exploited — No Fix Available

A security researcher released two additional Windows Defender zero-days — RedSun and UnDefend — after Microsoft failed to patch them. RedSun exploits Defender's cloud file rollback mechanism to achieve SYSTEM privileges on all supported Windows versions. UnDefend silently prevents Defender from updating its threat signatures. Both are confirmed exploited in the wild, and neither has a patch or assigned CVE.

Tags: #windows-defender #zero-day #privilege-escalation #unpatched #redsun #undefend #lpe #bluehammer #edr-bypass #actively-exploited

A researcher operating under the handle Chaotic Eclipse (also Nightmare Eclipse) has released two additional Windows Defender zero-days in a deliberate protest disclosure after Microsoft declined to patch them within the researcher’s expected timeline. The two vulnerabilities — codenamed RedSun and UnDefend — have been confirmed exploited in real attacks by Huntress Labs, making this the second week running that Microsoft is contending with active exploitation of unpatched Windows security flaws. No CVE identifiers have been assigned to either vulnerability. No patch is available.

The first vulnerability from this researcher, BlueHammer, was patched in the April Patch Tuesday batch as CVE-2026-33825. The two remaining flaws are both more immediately dangerous: RedSun grants SYSTEM-level privileges, and UnDefend silently cripples the endpoint’s primary defence mechanism.

RedSun: Abusing Defender’s Cloud File Rollback

RedSun is a local privilege escalation technique that turns Windows Defender’s own cloud-remediation behaviour into an arbitrary file write in the SYSTEM context. When Defender identifies a file tagged for cloud restoration, it writes the original content back to the file’s source path as SYSTEM, but it does not first verify that the path still resolves to the location it did when the file was recorded; a junction planted in the meantime silently redirects the privileged write. The exploit constructs the following chain:

  1. A crafted file triggers Defender’s cloud restoration logic
  2. The attacker replaces the file with a cloud placeholder using the Windows Cloud Files API
  3. Oplock and NTFS directory junction manipulation redirects Defender’s privileged write to C:\Windows\System32\TieringEngineService.exe
  4. Defender overwrites the system binary with an attacker-controlled payload
  5. Windows executes the replacement binary under the SYSTEM account

The result is arbitrary code execution as SYSTEM, the most privileged built-in account on a local machine. The attack requires no interaction from another user and no special network access; any process running as a standard user can initiate it. RedSun is effective on Windows 10 (all supported versions), Windows 11 (all supported versions), and Windows Server 2016 through 2025, provided Windows Defender is the active antimalware engine. That is the default on virtually all Windows installations; the main exception is a host where a registered third-party antivirus has placed Defender in passive mode.

Critically, RedSun remains exploitable after applying the April 2026 Patch Tuesday updates. The April patches addressed BlueHammer (CVE-2026-33825) but do not touch the cloud file rollback code path used by RedSun.

UnDefend: Silently Degrading Defender

UnDefend is a complementary attack that can be executed from a standard user account without elevation. It exploits a flaw in the mechanism Defender uses to update its threat intelligence signatures, allowing any user to prevent Defender from applying new definition updates. Because Defender’s detection capability is signature-dependent for a significant portion of its protection surface, disabling updates leaves the endpoint unable to detect threats that were added to Defender’s knowledge base after the last successful update.

When chained with RedSun, the attack sequence becomes:

  1. UnDefend — degrade Defender’s detection capability by freezing definitions
  2. RedSun — escalate to SYSTEM while Defender is unable to detect newly introduced payloads
  3. Operate on the machine with unrestricted privileges and a blinded security agent

Huntress confirmed this combined use pattern in a real incident: UnDefend and RedSun were both observed deployed on a Windows endpoint that was initially compromised via a hijacked SSLVPN user account.

Current Status and Microsoft’s Response

Microsoft has not released patches for RedSun or UnDefend as of 20 April 2026, and has not publicly acknowledged either vulnerability. The researcher framed the disclosure explicitly as a protest: three bugs published in full after Microsoft’s handling of the initial BlueHammer report was, in the researcher’s judgement, inadequate.

CISA has not added RedSun or UnDefend to the Known Exploited Vulnerabilities catalogue, and cannot do so in their current state: in addition to reliable evidence of active exploitation, the catalogue requires an assigned CVE identifier and clear remediation guidance, and neither bug has a CVE or a patch.

With no patches available, defensive options focus on detection, compensating controls, and monitoring:

  • Monitor for unusual Defender service activity: Look for Windows Cloud Files API usage (the user-mode CldApi.dll and the cldflt.sys mini-filter) in contexts unrelated to legitimate cloud storage synchronisation such as OneDrive. Flag oplocks taken by a low-privilege process in combination with junction point creation; that pairing is rare in legitimate workflows and is the standard primitive for redirecting a privileged file operation.
  • Audit recent SYSTEM-context file writes to System32: Any write to TieringEngineService.exe or adjacent system binaries by processes other than trusted update mechanisms should trigger immediate investigation.
  • Enable Windows Defender tamper protection: Tamper Protection prevents unauthorised changes to Defender settings and may constrain UnDefend’s ability to block definition updates — enable it via Group Policy or Intune across all managed endpoints.
  • Validate Defender definition update frequency: Run Get-MpComputerStatus (PowerShell) and inspect AntivirusSignatureAge, AntivirusSignatureLastUpdated and AntivirusSignatureVersion, or run the equivalent MDM query, to confirm that definitions are updating on schedule. Definitions that stop advancing on one endpoint while the rest of the fleet updates normally are a possible sign of UnDefend activity.
  • Prioritise VPN/SSLVPN credential hygiene: The confirmed initial access vector for the in-the-wild incident was a hijacked SSLVPN account. Enforce MFA on all remote access solutions and review current VPN session logs for anomalous behaviour.
  • Monitor for MSRC advisory and emergency patch: Subscribe to Microsoft Security Response Center notifications. Given active exploitation, an out-of-band patch for RedSun and UnDefend is likely — apply it immediately when released.
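As an added example (this is not code from the article, from Huntress or from the researcher’s disclosure), the following PowerShell script performs the host-level checks from the list above in one pass: definition age and tamper-protection state for UnDefend, and the signature, hash and last-write time of TieringEngineService.exe plus recent System32 executable writes for RedSun. It uses only built-in cmdlets (the Defender module, Get-AuthenticodeSignature, Get-WinEvent) and must run elevated. The two-day definition threshold, the 24-hour lookback, the writer allowlist and the reliance on Sysmon FileCreate events (Event ID 11) are assumptions for this example; the Sysmon check is skipped if the log is absent.

```powershell
# Added triage example, not code from the article or the researcher. Run elevated
# on a Windows host with the built-in Defender module. Assumptions (not from the
# page): the 2-day definition-age threshold, the 24 h lookback, the allowlist of
# legitimate System32 writers, and that Sysmon logs FileCreate (Event ID 11).
param(
    [int]$MaxSignatureAgeDays = 2,
    [int]$LookbackHours = 24
)

$findings = New-Object System.Collections.Generic.List[string]

# ---- UnDefend indicators: frozen definitions or a weakened Defender state ----
$mp = Get-MpComputerStatus
if ($mp.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
    $findings.Add(("Definitions stale: age {0} days, last update {1}, version {2}" -f $mp.AntivirusSignatureAge, $mp.AntivirusSignatureLastUpdated, $mp.AntivirusSignatureVersion))
}
if (-not $mp.IsTamperProtected)         { $findings.Add("Tamper Protection is off") }
if (-not $mp.RealTimeProtectionEnabled) { $findings.Add("Real-time protection is off") }
if (-not $mp.AMServiceEnabled)          { $findings.Add("Defender antimalware service is not running") }

# ---- RedSun indicators: TieringEngineService.exe replaced or recently rewritten ----
$target = Join-Path $env:SystemRoot 'System32\TieringEngineService.exe'
if (Test-Path $target) {
    # Get-AuthenticodeSignature resolves catalog signatures, which most System32
    # binaries use, so the genuine Microsoft file reports Status 'Valid' here.
    $sig = Get-AuthenticodeSignature -FilePath $target
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    if ($sig.Status -ne 'Valid' -or $subject -notmatch 'O=Microsoft Corporation') {
        $hash = (Get-FileHash -Algorithm SHA256 -Path $target).Hash
        $findings.Add("TieringEngineService.exe signature $($sig.Status), signer '$subject', SHA256 $hash")
    }
    $lastWrite = (Get-Item $target).LastWriteTime
    if ($lastWrite -gt (Get-Date).AddHours(-$LookbackHours)) {
        $findings.Add("TieringEngineService.exe written at $lastWrite (within the last $LookbackHours h)")
    }
}

# ---- Recent System32 executable writes by anything other than servicing ----
# Sysmon Event ID 11 = FileCreate. Defender's engine (MsMpEng.exe) is deliberately
# NOT allowlisted: Defender writing a System32 executable is the RedSun primitive.
$allowedWriters = @('TrustedInstaller.exe', 'TiWorker.exe', 'wuauclt.exe', 'msiexec.exe')
$since = (Get-Date).AddHours(-$LookbackHours)
try {
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 11; StartTime = $since
    } -ErrorAction Stop
    foreach ($ev in $events) {
        # Flatten the EventData <Data Name="..."> elements into a hashtable.
        $data = @{}
        foreach ($d in ([xml]$ev.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $path  = $data['TargetFilename']
        $image = $data['Image']
        if ($path -like "$env:SystemRoot\System32\*.exe" -and
            (Split-Path -Path $image -Leaf) -notin $allowedWriters) {
            $findings.Add("System32 executable written: $path by $image (PID $($data['ProcessId'])) at $($ev.TimeCreated)")
        }
    }
} catch {
    # No Sysmon log, no events in the window, or insufficient rights: skip this check.
    Write-Verbose "Sysmon FileCreate query skipped: $($_.Exception.Message)"
}

if ($findings.Count -eq 0) {
    Write-Output "No RedSun/UnDefend indicators found on $env:COMPUTERNAME"
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

Run it per host, or wrap it in Invoke-Command against a list of endpoints and compare AntivirusSignatureVersion across the fleet: a single machine whose version stops advancing while its peers update is the UnDefend pattern, and that comparison is a stronger signal than any fixed age threshold on one host.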
