The cybersecurity landscape just got a bit more tense. A recent advisory highlights that multiple zero-day vulnerabilities in Microsoft Windows Defender are now being actively exploited in the wild. And while the situation hasn't resulted in widespread system compromise yet, it's serious enough to put both enterprises and individual users on alert.
A Growing Concern in the Security Community
What makes this situation particularly worrying is how these vulnerabilities surfaced. The exploit techniques were not developed in secret — they were pulled from publicly available proof-of-concept code shared on platforms like GitHub.
In other words, the barrier to entry for attackers is lower than usual.
Three vulnerabilities are currently in focus:
• RedSun
• UnDefend
Out of these, only one has been patched so far, leaving the others still exposed.
Breaking Down the Three Threats BlueHammer: Privilege Escalation via File Manipulation
BlueHammer, officially tracked as CVE-2026-33825, is a high-severity vulnerability that allows attackers to escalate privileges to SYSTEM level.
At its core, the issue lies in how Windows Defender handles file operations during malware cleanup. Attackers can manipulate file paths at just the right moment, tricking Defender into writing malicious content into protected system directories like C:\Windows\System32.
The result?
An attacker can overwrite legitimate system files and gain full control of the system — all without needing initial elevated privileges.
RedSun: Exploiting Cloud File Handling Weaknesses
RedSun takes a slightly different approach but leads to a similar outcome.
This vulnerability targets how Defender restores files linked to cloud storage attributes. By abusing missing validation checks, attackers can redirect file operations to sensitive system locations.
Using techniques like NTFS junctions and opportunistic locks, they can again force Defender to write malicious files into protected directories.
And just like BlueHammer, this can result in SYSTEM-level code execution — a worst-case scenario for any environment.
UnDefend: Disabling Protection Entirely
Unlike the other two, UnDefend isn't about gaining higher privileges — it's about removing protection altogether.
This vulnerability operates in two modes:
• Aggressive mode can completely disable Defender during major updates
In either case, the end result is the same: your system becomes significantly more vulnerable to attack.
Real-World Exploitation: What Actually Happened
Interestingly, while these vulnerabilities are being actively targeted, reports indicate that none of the observed attacks successfully completed their full exploitation chain.
For example:
• BlueHammer didn't manage to extract sensitive credentials
• UnDefend was detected and stopped before causing damage
However, that doesn't mean systems were safe.
Attackers still managed to gain initial access using compromised SSL VPN credentials, followed by deploying a tunnelling tool called BeigeBurrow to maintain access and explore the network.
This highlights an important point — even if one exploit fails, attackers often have multiple ways in.
Who Is Affected?
The vulnerabilities impact a wide range of Microsoft systems where Defender is active:
• Windows 11
• Windows Server 2016 through 2025
• Systems using components like
cldapi.dllIn short, this isn't limited to niche environments — it potentially affects a large portion of users and organizations.
What You Should Do Right Now
With two of the vulnerabilities still unpatched, mitigation becomes critical.
Here are some immediate steps recommended:
• Monitor suspicious files in user directories like Downloads and Pictures
• Watch for unusual Defender behaviour, especially failed updates
• Restrict NTFS junction point creation via group policies
• Review VPN access logs for unauthorized logins
• Consider adding additional endpoint protection beyond Defender
These are practical, defensive steps that can reduce your exposure while waiting for full patches.
Indicators of Compromise to Watch For
The advisory also highlights several warning signs that could indicate suspicious activity.
These include:
• Defender detection alerts tied to unusual binaries
• Suspicious tunnelling activity (e.g., outbound connections to unknown domains)
• Unusual VPN access from foreign IP addresses
For example, the report mentions activity linked to IP addresses from Russia, Singapore, and Switzerland, as well as a tunnelling agent communicating with an external domain.
Final Thoughts
This situation is a classic reminder that cybersecurity is never static. Even core security tools like Windows Defender can become targets themselves.
The good news? The observed attacks haven't fully succeeded — yet.
The bad news? The vulnerabilities are real, publicly known, and actively being tested in live environments.
That means staying proactive is key.
Update what you can, monitor closely, and don't rely on a single layer of defence. Because in cases like this, it's not about if attackers will try — it's about when.
Comments