Microsoft Defender Zero-Day Vulnerabilities RedSun and UnDefend Actively Exploited on Windows 10, 11, and Server (April 2026 CVE Analysis)

May 21, 2026

In April 2026, the cybersecurity landscape faced a significant challenge with the emergence of two critical zero-day vulnerabilities—RedSun and UnDefend—within Microsoft Defender, the default endpoint protection suite for Windows 10, Windows 11, and Windows Server platforms. These vulnerabilities are currently being exploited in the wild, allowing attackers to escalate privileges to SYSTEM and undermine Defender’s protective mechanisms. While Microsoft has addressed a related vulnerability, BlueHammer (CVE-2026-33825), both RedSun and UnDefend remain unpatched at this time. The exploitation of these flaws enables adversaries to bypass essential endpoint defenses, establish persistent access, and facilitate lateral movement or ransomware deployment. This advisory offers a technical breakdown of the vulnerabilities, observed attacker tactics, detection guidance, and actionable mitigation strategies.

Threat Actor Profile

The exploitation of RedSun and UnDefend has been linked to advanced threat actors and ransomware operators. While no specific Advanced Persistent Threat (APT) group has been publicly associated with these campaigns, the sophistication of the exploitation chains, the use of manual post-exploitation techniques, and the rapid weaponization of public proof-of-concept (PoC) code indicate involvement by actors with considerable technical prowess and operational maturity. The threat landscape encompasses financially motivated ransomware groups, initial access brokers, and potentially state-sponsored entities aiming to establish stealthy persistence on high-value targets. The observed Tactics, Techniques, and Procedures (TTPs) align with those employed by groups specializing in privilege escalation, defense evasion, and endpoint security circumvention.

Technical Analysis of Malware/TTPs

RedSun is characterized as a local privilege escalation vulnerability that exploits a logic flaw in Microsoft Defender’s remediation process for files identified as cloud files, utilizing the Windows Cloud Files API. When Defender detects a malicious file in a user-writable directory (such as Downloads or Pictures), it attempts to remediate by rewriting the file. Attackers take advantage of this by creating NTFS directory junctions (reparse points) and opportunistic locks (oplocks) to redirect Defender’s privileged write operation to protected system locations, such as `C:\Windows\System32\TieringEngineService.exe`. This maneuver allows a low-privileged user to overwrite critical system binaries with attacker-controlled payloads, achieving SYSTEM-level code execution without the need for kernel exploits or administrative rights.

UnDefend, on the other hand, is a vulnerability that enables a local attacker to obstruct or disrupt Defender’s signature and engine updates. By manipulating update mechanisms or employing file system tricks, an attacker can render Defender operational on the surface while it remains outdated and ineffective. This tactic allows adversaries to maintain stealthy persistence post-compromise, as Defender will fail to detect or remediate subsequent malicious activities. Attackers typically deploy exploit binaries with innocuous names (such as RedSun.exe or FunnyApp.exe) into user-writable directories, initiating the exploitation chain through phishing, credential theft, or the exploitation of remote access solutions, followed by local execution of the exploit to escalate privileges and disable or degrade Defender. Subsequent manual post-exploitation actions may include credential dumping, lateral movement, and the deployment of ransomware or other payloads.

Exploitation in the Wild

The active exploitation of RedSun and UnDefend was first confirmed in mid-April 2026, shortly after public PoC code was made available on GitHub. Managed Detection and Response (MDR) providers, including Huntress Labs, have reported real-world intrusions where attackers leveraged these vulnerabilities to gain SYSTEM privileges and disable endpoint protection. Attackers commonly stage exploit binaries in user-writable folders, execute them to gain elevated access, and then employ UnDefend techniques to prevent Defender from receiving updates, ensuring continued evasion of detection. Reports indicate that attackers are chaining these vulnerabilities: first exploiting RedSun to achieve SYSTEM access, followed by deploying UnDefend to degrade Defender’s effectiveness. This chaining facilitates persistent, stealthy control over compromised endpoints, with exploitation observed in enterprise environments targeting both workstations and servers.

Victimology and Targeting

The primary targets of these attacks are organizations operating Windows 10, Windows 11, or Windows Server 2019/2022 with Microsoft Defender Antivirus real-time protection enabled. Sectors identified as at risk include finance, healthcare, government, education, and critical infrastructure, along with managed service providers (MSPs) and their downstream clients. The vulnerabilities can be exploited on any supported Windows system with Defender enabled and the standard cldapi.dll present. Attackers are opportunistically targeting organizations with exposed endpoints, weak credential hygiene, or insufficient monitoring of endpoint security events.

Mitigation and Countermeasures

Organizations are urged to promptly apply the latest Microsoft Defender updates to address the patched BlueHammer (CVE-2026-33825) vulnerability. However, given that RedSun and UnDefend remain unpatched, additional mitigations are essential. Security teams should monitor for Defender-initiated SYSTEM-level process execution, Defender update failures, and the execution of binaries from user-writable directories. Restricting execution from directories such as Downloads, Pictures, and Temp can significantly reduce the attack surface. Enforcing Attack Surface Reduction (ASR) rules and increasing alerting for Defender tampering or abnormal remediation activity are highly recommended. Supplementing Defender with a secondary Endpoint Detection and Response (EDR) solution capable of detecting Defender bypasses can enhance protection. In high-risk environments, running Defender in passive mode alongside an alternative real-time protection solution may be advisable. Enabling Defender tamper protection and auditing event logs for privileged service executions from user-writable paths can aid in detecting exploitation attempts. Organizations should prepare for out-of-band patches from Microsoft and maintain heightened vigilance for related threat activity.
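The following PowerShell triage script is an added example, not part of the Rescana advisory, that turns the monitoring guidance above (Defender update failures, tamper or configuration changes, SYSTEM-level process starts from user-writable paths, and the integrity of the System32 binary named in the RedSun description) into checks a responder can run on an endpoint. It assumes the built-in Defender PowerShell module, the standard Defender operational event IDs (2001/2003 update failures, 5001 real-time protection disabled, 5007 configuration changed), Security event 4688 with process creation auditing enabled, and an elevated session.

```powershell
$lookback = (Get-Date).AddDays(-7)

# 1. Defender health: stale signatures or disabled protections are exactly the
#    symptom an UnDefend-style update blockade is meant to produce.
$status = Get-MpComputerStatus
$status | Select-Object AMRunningMode, RealTimeProtectionEnabled, IsTamperProtected,
    AntivirusSignatureAge, AntivirusSignatureLastUpdated | Format-List
if ($status.AntivirusSignatureAge -gt 2 -or -not $status.IsTamperProtected) {
    Write-Warning 'Signatures stale or tamper protection off: check the update path and Defender configuration.'
}

# 2. Defender operational log: update failures and protection/config changes.
#    2001/2003 = security-intelligence/engine update failed, 5001 = real-time
#    protection disabled, 5007 = configuration changed.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 2001, 2003, 5001, 5007
    StartTime = $lookback
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize

# 3. Security log 4688: processes started as SYSTEM (S-1-5-18) from user-writable
#    paths, the "privileged execution from user-writable paths" pattern the
#    advisory tells defenders to audit for. Path patterns are assumptions.
$regex = '\\(Downloads|Pictures|Temp)\\'
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $lookback } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = @{}
        foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d.NewProcessName -match $regex -and $d.SubjectUserSid -eq 'S-1-5-18') {
            [pscustomobject]@{ Time = $_.TimeCreated; Process = $d.NewProcessName; Parent = $d.ParentProcessName }
        }
    } | Format-Table -AutoSize

# 4. Integrity of the System32 binary the advisory names as RedSun's overwrite
#    target: it should still carry a valid Microsoft Authenticode signature.
$target = "$env:SystemRoot\System32\TieringEngineService.exe"
if (Test-Path $target) {
    $sig = Get-AuthenticodeSignature -FilePath $target
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
        Write-Warning "$target signature status '$($sig.Status)': possible overwrite, preserve the file and investigate."
    }
}
```

Any hit in sections 3 or 4 on a host that also shows update failures in section 2 matches the chained RedSun-then-UnDefend pattern described under Exploitation in the Wild and should be escalated rather than remediated in place.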

About Rescana

Rescana stands at the forefront of Third-Party Risk Management (TPRM), offering organizations a comprehensive platform to assess, monitor, and mitigate cyber risks across their supply chain and digital ecosystem. Our advanced threat intelligence and automation capabilities empower security teams to proactively identify vulnerabilities, respond to emerging threats, and ensure compliance with industry standards. For more information about how Rescana can help strengthen your organization’s cyber resilience, please contact us at ops@rescana.com.
