The tool running on 1.4 billion Windows machines to stop attackers became the attack surface. Three chained zero-days — BlueHammer, RedSun, and UnDefend — have been actively exploited in Microsoft Defender since April. CISA’s federal patch deadline is today, June 3. Check your engine version before you do anything else.
Three Exploits, One Chain
These aren’t three independent bugs. They’re a coordinated escalation chain, and security firm Huntress observed them used together in real intrusions starting April 10.
BlueHammer (CVE-2026-33825) is a local privilege escalation in Defender’s threat remediation engine. It exploits a time-of-check to time-of-use (TOCTOU) race condition: an attacker plants a file that triggers Defender’s real-time scanner, uses an oplock to pause the remediation at a critical moment, then swaps in an NTFS junction pointing to C:\Windows\System32. Defender’s cleanup routine writes to System32 instead of the temp directory. The result is SYSTEM-level access from a standard user account — no admin privileges required. A working proof-of-concept was published on April 7, before any patch existed. Exploitation followed three days later.
RedSun (CVE-2026-41091) works differently but achieves the same outcome. Defender’s cloud file rollback mechanism tries to restore cloud-tagged files to their original location without validating the target path. The attacker triggers a detection, replaces the file with a cloud placeholder via the Windows Cloud Files API, and redirects Defender’s privileged write to a system directory. CVSS 7.8. CISA added it to the Known Exploited Vulnerabilities catalog and set today as the federal remediation deadline.
UnDefend (CVE-2026-45498) doesn’t grant SYSTEM access. It does something more insidious: it makes subsequent attacker activity invisible. In passive mode, it blocks all signature updates silently. In aggressive mode, it disables Defender entirely when a major platform update is pushed. CVSS 4.0 — which sounds minor until you realize your antivirus is now functionally blind. Huntress found that after UnDefend ran, standard recon commands — whoami /priv, cmdkey /list, net group — did not trigger a single alert.
Check Your Version Now
Defender engine updates push through the AV definitions channel, not Windows Update — so they arrive faster than Patch Tuesday, but only if your machine can receive them. Run this in PowerShell:
Get-MpComputerStatus | Select-Object AMEngineVersion, AMProductVersion
You need engine 1.1.26040.8 or higher and platform 4.18.26040.7 or higher. If you’re below those versions, force an update:
# PowerShell
Update-MpSignature
# Command line (for scripting or CI runners)
"%ProgramFiles%\Windows Defender\MpCmdRun.exe" -SignatureUpdate
If UnDefend ran on your machine before patching, your signatures may already be stale — patching fixes the vulnerability but does not restore stalled updates. Run Update-MpSignature explicitly after patching regardless of what your current version shows.
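The check-and-update steps above (and the "What to Do Right Now" list further down) are easy to script so that a fleet, including self-hosted CI/CD runners, gets audited in one pass. The following PowerShell is an added example, not code from the article or from Microsoft: it compares the engine and platform versions against the minimums stated above, looks for stalled signature updates (the UnDefend symptom) using both the reported signature age and the last successful update event in the Defender operational log, and forces Update-MpSignature where needed. The host names, the three-day staleness threshold and the assumption that WinRM is enabled on the targets are all constructed for the example; the version minimums are the ones given in the text.

```powershell
#Requires -RunAsAdministrator
# Added example (not part of the article). Audits the local machine plus a list of
# remote Windows hosts for the Defender engine/platform minimums named in the text,
# flags stalled signature updates, and forces a definitions update where needed.

$MinEngine           = '1.1.26040.8'   # from the article
$MinPlatform         = '4.18.26040.7'  # from the article
$MaxSignatureAgeDays = 3               # constructed threshold; tune to your cadence

# Runs on each target. Versions are passed as strings so they survive remoting
# serialization, then cast to [version] for a correct numeric comparison.
$AuditScript = {
    param([string]$MinEngine, [string]$MinPlatform, [int]$MaxAgeDays)

    $minEng = [version]$MinEngine
    $minPlt = [version]$MinPlatform
    $s      = Get-MpComputerStatus
    $engine   = [version]$s.AMEngineVersion
    $platform = [version]$s.AMProductVersion

    # UnDefend stalls updates silently, so do not trust the version string alone:
    # check when the last successful definitions update (event ID 2000 in the
    # Defender operational log) actually happened.
    $lastOk = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 2000
    } -MaxEvents 1 -ErrorAction SilentlyContinue

    $sigAge      = (Get-Date) - $s.AntivirusSignatureLastUpdated
    $sigStale    = $sigAge.TotalDays -gt $MaxAgeDays
    $versionLow  = ($engine -lt $minEng) -or ($platform -lt $minPlt)
    $needsUpdate = $versionLow -or $sigStale
    $updateError = $null

    if ($needsUpdate) {
        try {
            # Same cmdlet the article tells you to run; pulls via the definitions channel.
            Update-MpSignature -ErrorAction Stop
        } catch {
            $updateError = $_.Exception.Message
        }
        $s = Get-MpComputerStatus   # re-read after the forced update
    }

    $engineAfter   = [version]$s.AMEngineVersion
    $platformAfter = [version]$s.AMProductVersion

    [pscustomobject]@{
        Host                = $env:COMPUTERNAME
        EngineBefore        = $engine
        EngineAfter         = $engineAfter
        PlatformAfter       = $platformAfter
        SignatureAgeDays    = [math]::Round($sigAge.TotalDays, 1)
        LastSuccessfulUpdate = $lastOk.TimeCreated     # $null if no 2000 event found
        RealTimeProtection  = $s.RealTimeProtectionEnabled
        VersionOk           = ($engineAfter -ge $minEng) -and ($platformAfter -ge $minPlt)
        Remediated          = $needsUpdate
        UpdateError         = $updateError
    }
}

# Constructed host list. Build servers and self-hosted runners are the machines
# most likely to be missed, so they go first; replace with your own inventory.
$Targets = @('ci-runner-01', 'ci-runner-02', 'build-win-03')

# Local machine first, then the remote hosts over WinRM (assumed enabled).
$results  = @(& $AuditScript $MinEngine $MinPlatform $MaxSignatureAgeDays)
$results += Invoke-Command -ComputerName $Targets -ScriptBlock $AuditScript `
    -ArgumentList $MinEngine, $MinPlatform, $MaxSignatureAgeDays -ErrorAction Continue

$results | Format-Table Host, EngineBefore, EngineAfter, PlatformAfter,
    SignatureAgeDays, LastSuccessfulUpdate, VersionOk, Remediated, UpdateError -AutoSize

# A host still below the minimum after a forced update cannot reach the
# definitions channel at all (proxy, policy, or tampering) and needs a human.
$results | Where-Object { -not $_.VersionOk } | ForEach-Object {
    Write-Warning "$($_.Host) is still below the minimum engine/platform after Update-MpSignature"
}
```

The script deliberately reports the signature age and the last successful update event separately from the version check: a machine can show a current-looking version string while having received nothing for days, which is exactly the condition the text describes after UnDefend has run. Hosts that remain below the minimum or return an UpdateError after the forced update are the ones to treat as unable to reach the definitions channel.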
Why Developer Machines Are Especially Exposed
Enterprise coverage assumes MDM enrollment and managed update policies. Developer machines frequently are not enrolled in MDM — especially at smaller companies or for personal dev rigs. No MDM policy means you’re relying on automatic updates that may have been disrupted.
Self-hosted CI/CD runners are the specific risk nobody’s talking about. Windows-based GitHub Actions runners and Azure DevOps agents running on-premises are Windows machines running Defender with often-stale definitions. They’re spun up once and left running — nobody checks the AV version on a build server. Compromise a CI/CD runner and you get secrets, signing keys, and cloud credentials.
None of this requires admin privileges to start. A low-privileged user — or a malicious CI/CD job — can trigger the chain.
The “Low Severity” Trap
Don’t let CVE-2026-45498’s CVSS score of 4.0 mislead you. CVSS scores the vulnerability in isolation; it does not model chained attack scenarios. UnDefend doesn’t grant privileges or exfiltrate data directly, so it scores low. But in this chain, it’s the step that converts a detectable intrusion into an undetectable one. Security tooling that can be blinded from a standard user account is not a low-impact issue regardless of what the score says.
This pattern keeps repeating. The Checkmarx Jenkins plugin backdoor last week, the Trivy supply chain compromise in March — in both cases, attackers didn’t bypass the security tool, they weaponized its own privileged mechanisms. The VulnCheck 2026 report noted exploitation timelines average 21 days from disclosure. BlueHammer took three.
What to Do Right Now
- Run the PowerShell check above on every Windows machine you own or manage
- Check Windows self-hosted CI/CD runners specifically — these are the most likely to be missed
- Run Update-MpSignature even on patched machines to restore stalled signature updates
- Check CISA’s KEV catalog for official remediation guidance on both CVEs
All three vulnerabilities are patched. There is no reason to still be exposed. But the Defender update channel and Windows Update are different mechanisms, and many machines that look fully updated are still running a vulnerable engine version. Check, don’t assume.