
Researcher drops two more Microsoft Defender zero-days, all three now exploited in the wild

Apr 21, 2026  Twila Rosenbaum

A security researcher has recently made headlines by unveiling two more zero-day exploits targeting Microsoft Defender, following the earlier release of a proof-of-concept (PoC) exploit for a privilege escalation vulnerability. This latest development raises concerns about the security of the widely used antivirus platform.

The first newly disclosed exploit, “RedSun,” targets another privilege escalation flaw similar to the previously reported vulnerability. The second, “UnDefend,” lets a standard user block Microsoft Defender from receiving critical signature updates, or even disable the program entirely during major updates pushed by Microsoft.

According to findings from Huntress researchers, all three of these exploitation techniques have been actively leveraged in the wild by at least one threat actor, highlighting the urgency for users to update their systems.

The New Exploits

The researcher, operating under the pseudonyms Chaotic Eclipse and Nightmare Eclipse, initially disclosed the BlueHammer PoC on April 3, after an unsuccessful attempt to report the vulnerability to the Microsoft Security Response Center. Following this, on April 14, Microsoft released security updates that addressed the previously reported vulnerability, which has been assigned the CVE-2026-33825 identifier. Notably, the researchers credited with reporting this vulnerability—Zen Dodd and Yuanpei Xu—are distinct from Nightmare Eclipse.

On April 16, the anonymous researcher published the new “RedSun” and “UnDefend” PoC exploits on the same GitHub repository, which remains accessible despite warnings from the Microsoft-owned platform. The effectiveness of the RedSun exploit has been confirmed by vulnerability analyst Will Dormann, adding to the seriousness of the situation.

Attacks in the Wild

Huntress researchers have reported that they observed the BlueHammer exploit being blocked by Windows Defender on April 10. Furthermore, on April 16, they noted the usage of the newly released “RedSun” and “UnDefend” PoCs. The exploits were reportedly dropped into users’ Pictures and Downloads folders, where they were renamed to evade detection. Prior to executing the exploits, the attacker ran commands to map user privileges, discover stored credentials, and analyze the Active Directory structure.

In response to these developments, Huntress has isolated the affected organization to prevent further exploitation. The onus now falls on Microsoft to address these vulnerabilities. With the next Patch Tuesday still weeks away, the expectation is that an out-of-band emergency patch will be necessary to mitigate these risks.

As the cybersecurity landscape continues to evolve, it is crucial for users to stay vigilant and ensure their systems are updated promptly. The emergence of these zero-day exploits serves as a stark reminder of the vulnerabilities that can exist within even the most trusted security software.



Source: Help Net Security News

