Situation
A security researcher has publicly released two additional Windows Defender zero-day exploits — RedSun and UnDefend — after Microsoft declined to patch them. Both are now confirmed exploited in real attacks against organisations. Microsoft has no patch or advisory for either vulnerability as of 20 April 2026. Both remain fully exploitable on Windows systems that have applied the April 2026 Patch Tuesday updates.
RedSun exploits a flaw in Defender’s cloud file remediation mechanism to redirect a SYSTEM-context file write to a system binary of the attacker’s choosing, achieving SYSTEM-level code execution. An attacker with any local user account can use RedSun to become the most privileged account on the machine.
UnDefend exploits a separate flaw to freeze Defender’s threat intelligence definitions as a standard user, preventing the endpoint from detecting malware threats added to Defender’s knowledge base after the last successful update.
When used together, the attacker deploys UnDefend first to degrade detection, then uses RedSun to escalate to SYSTEM, and then operates on the machine with complete control and a blinded security agent.
Huntress Labs confirmed both exploits in an incident involving initial access via a hijacked VPN account, followed by immediate deployment of the Defender exploit chain.
Business Impact
These vulnerabilities affect every Windows workstation and server with Defender enabled — which is the default configuration for virtually all Windows installations. Microsoft Defender is the baseline endpoint security layer across most enterprise environments, either as a standalone product or as a component beneath third-party EDR solutions.
An attacker who gains initial local access through any vector — phishing, credential theft, vulnerable internet-facing application — can use this exploit chain to immediately escalate to full SYSTEM control. From SYSTEM, the attacker can:
- Dump all credentials from LSASS memory (domain account hashes, cached credentials)
- Disable or tamper with endpoint security tooling beyond Defender
- Install persistent backdoors
- Pivot laterally across the domain using harvested credentials
The absence of a patch creates a period of unavoidable exposure. No Windows cumulative update released to date addresses RedSun or UnDefend. The April Patch Tuesday patched only BlueHammer (CVE-2026-33825), the first of the three Defender zero-days.
Immediate Actions Required
- Enable Windows Defender Tamper Protection on all endpoints via Group Policy or Microsoft Intune — this constrains UnDefend’s ability to suppress definition updates and adds a layer of resistance to Defender manipulation.
- Validate Defender definition currency across the estate: Run a fleet-wide query (via Intune compliance reporting or equivalent MDM) confirming that Defender definitions are updating successfully. Endpoints with stale definitions (no update within the expected interval) may already have UnDefend active.
- Alert on SYSTEM privilege escalation anomalies: Configure EDR rules or SIEM correlation for unexpected privilege escalation from standard user to SYSTEM, particularly involving processes calling the Windows Cloud Files API or creating NTFS junction points.
- Enforce MFA on all VPN and remote access: The confirmed initial access vector in the Huntress incident was a hijacked SSLVPN account. MFA on remote access prevents credential theft from translating directly into network access.
- Monitor MSRC for an emergency out-of-band patch: Given active exploitation, Microsoft is expected to release an emergency patch. Subscribe to MSRC notifications and deploy the fix immediately when released — do not wait for the next Patch Tuesday cycle.
- Review BlueHammer (CVE-2026-33825) patch application: Confirm the April cumulative update applied correctly on all systems; if KB5082063 failed to install on domain controllers (the known LSASS reboot loop issue), those systems also lack the BlueHammer patch.
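The following PowerShell check is an added example, not part of this advisory and not Microsoft's tooling, for the definition-currency and Tamper Protection items above when Intune or MDM reporting is unavailable. It reads the standard Get-MpComputerStatus properties; the staleness threshold, the host list file and the use of WinRM for the fleet sweep are assumptions to adjust for your environment.

```powershell
# Added example: per-endpoint Defender exposure check (not the advisory's own code).
# Requires the Defender PowerShell module (present on supported Windows builds)
# and local administrator rights.
function Test-DefenderExposure {
    param(
        # Assumed threshold: definitions older than this are treated as stale.
        # Defender normally updates several times a day, so 2 days is generous.
        [int]$MaxSignatureAgeDays = 2
    )
    $status   = Get-MpComputerStatus
    $findings = New-Object System.Collections.Generic.List[string]

    # UnDefend freezes definitions as a standard user; an endpoint whose
    # signatures have not moved within the expected interval needs a closer look.
    if ($status.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
        $findings.Add("Stale definitions: version $($status.AntivirusSignatureVersion) " +
                      "last updated $($status.AntivirusSignatureLastUpdated) " +
                      "($($status.AntivirusSignatureAge) days old)")
    }
    # Tamper Protection is the compensating control recommended above; it can only
    # be switched on via Intune, Group Policy or the Security app, not from here.
    if (-not $status.IsTamperProtected) {
        $findings.Add("Tamper Protection is OFF")
    }
    if (-not $status.RealTimeProtectionEnabled) {
        $findings.Add("Real-time protection is disabled")
    }

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        RunningMode          = $status.AMRunningMode   # 'Passive Mode' is expected under a third-party EDR
        SignatureVersion     = $status.AntivirusSignatureVersion
        SignatureLastUpdated = $status.AntivirusSignatureLastUpdated
        SignatureAgeDays     = $status.AntivirusSignatureAge
        TamperProtected      = $status.IsTamperProtected
        Exposed              = ($findings.Count -gt 0)
        Findings             = ($findings -join '; ')
    }
}

# Single host:
Test-DefenderExposure | Format-List

# Fleet sweep (assumes WinRM is enabled and hosts.txt lists one hostname per line):
# $hosts = Get-Content .\hosts.txt
# Invoke-Command -ComputerName $hosts -ScriptBlock ${function:Test-DefenderExposure} |
#     Where-Object Exposed |
#     Export-Csv .\defender-exposure.csv -NoTypeInformation
```

Endpoints that report Exposed should be triaged first, since a frozen definition set on a host with Tamper Protection off matches the UnDefend precondition described above.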
For Board or Executive Briefing
Three vulnerabilities in Windows Defender — the built-in security tool on essentially all our Windows computers and servers — have been publicly released and are being actively used by attackers. Microsoft patched one of the three in last week’s update; the other two remain unpatched. The exploits allow an attacker who reaches any user account on a Windows system to immediately take complete control of that machine. We have deployed compensating controls and are monitoring for the attack pattern while awaiting Microsoft’s emergency patch.