
Microsoft Defender Vulnerability Suite (CVE-2026-33825, RedSun, UnDefend)

The April 2026 security landscape was upended by a researcher known as "Nightmare-Eclipse". Citing a public grievance with the Microsoft Security Response Center (MSRC) over its vulnerability disclosure process, the researcher released three weaponised zero-day exploits on GitHub. The tools (BlueHammer, RedSun, and UnDefend) turn Microsoft Defender, the operating system's built-in defence, into the vehicle for privilege escalation and for blinding the engine itself. Microsoft addressed BlueHammer in its April 2026 Patch Tuesday update; at the time of this alert, RedSun and UnDefend remain unpatched and are being actively exploited in the wild.

Threat alert
April 17, 2026

Each tool in the suite abuses legitimate Windows functionality, rather than a single defect, to achieve either Local Privilege Escalation (LPE) to SYSTEM or a Denial of Service (DoS) against the antivirus engine.

BlueHammer (CVE-2026-33825): The SAM Stealer

BlueHammer exploits a Time-of-Check to Time-of-Use (TOCTOU) race condition at the point where the Volume Shadow Copy Service (VSS) meets Defender's remediation engine.

  • The Logic: When Defender inspects a file for remediation, it creates a temporary VSS snapshot so that it can work on a consistent copy.
  • The Attack: The exploit uses Opportunistic Locks (Oplocks) and the Cloud Files API to stall Defender mid-remediation. During that window the attacker reads the SAM hive out of the snapshot, where the locks that keep the live hive closed to unprivileged users do not apply; the SAM holds the NTLM (NT) hashes of local accounts.
  • The Result: With the hashes in hand, the attacker sets a known password on the local administrator account, uses it to run as SYSTEM, and then writes the original hash back so the password change leaves no obvious trace. The whole sequence completes in under 60 seconds and does not crash the system.


RedSun: The Binary Overwriter

RedSun (currently unpatched) abuses the Cloud Files API (cldapi.dll) so that Defender's own remediation performs a privileged file write on the attacker's behalf.

  • The Logic: When Defender flags a cloud-placeholder file as malicious, its remediation logic automatically "restores" the placeholder.
  • The Attack: The attacker drops a file containing the EICAR test string, which any engine reliably detects, marked as a cloud placeholder. While Defender is stalled on the restore, the attacker swaps the path for an NTFS junction (a directory reparse point, not a file symlink) so that the location Defender writes to resolves to C:\Windows\System32\TieringEngineService.exe.
  • The Result: Defender follows the reparse point and overwrites the service binary with attacker-controlled content. Because the Defender service runs as SYSTEM, the write succeeds regardless of the attacker's own privileges, and control of a System32 service binary amounts to full takeover of the machine.

UnDefend: The Blindness Generator

Unlike the others, UnDefend is a DoS tool that sabotages Defender’s update pipeline rather than escalating privileges.

  • The Logic: Run as an unprivileged user, it blocks the reception of new virus definitions, with a "passive" mode that throttles the update mechanism and an "aggressive" mode that severs it completely.
  • The Result: The Windows Security UI still reports the machine as protected, but the engine is running on stale definitions and cannot recognise anything detected only by newer signatures. Because nothing is visibly disabled, the condition can persist unnoticed, which is exactly what long-term attacker persistence needs; the observable sign is a definition version or timestamp that stops advancing while the rest of the fleet moves on.

Attack Chain:

  • Initial: Attackers frequently gain their initial foothold by purchasing compromised SSLVPN credentials from Initial Access Brokers (IABs).
  • Reconnaissance: Once in as a standard user, they run discovery commands by hand (whoami /priv, cmdkey /list, net group and similar) to assess their privilege level and map the domain.
  • Local Elevation: If the host is unpatched, they run BlueHammer or RedSun to go from a limited user shell to SYSTEM in seconds, skipping the slower and noisier escalation paths that would otherwise be needed.
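The reconnaissance step above is the most reliably observable part of this chain, because the attacker is typing the same handful of commands as an ordinary user. The following PowerShell is an added example, not code from the original alert or from the tools it describes: it flags a host/user pair that runs several discovery commands within a short window. The input objects mimic the fields of Security event 4688 (process creation with command-line auditing on), the sample records are constructed rather than real telemetry, and the window, threshold and pattern list are assumptions to tune for your environment.

```powershell
# Added example (not from the original alert). Detects a burst of discovery commands
# from one user on one host, the manual reconnaissance pattern described above.
# Patterns are assumptions: extend them with whatever your environment sees abused.
$DiscoveryPatterns = @(
    '(?:^|\\)whoami(?:\.exe)?\s+/(?:priv|all|groups)',
    '(?:^|\\)cmdkey(?:\.exe)?\s+/list',
    '(?:^|\\)net1?(?:\.exe)?\s+(?:group|localgroup|user)\b',
    '(?:^|\\)nltest(?:\.exe)?\s+/(?:dclist|domain_trusts)'
)

function Test-DiscoveryCommand {
    param([Parameter(Mandatory)] [string] $CommandLine)
    foreach ($pattern in $DiscoveryPatterns) {
        if ($CommandLine.Trim() -imatch $pattern) { return $true }
    }
    return $false
}

function Find-DiscoveryBurst {
    param(
        [Parameter(Mandatory)] [object[]] $Events,  # objects with TimeCreated, Host, User, CommandLine
        [int] $WindowMinutes = 10,                  # assumption: how tight a burst must be
        [int] $Threshold = 3                        # assumption: discovery commands needed to alert
    )
    foreach ($group in ($Events | Group-Object Host, User)) {
        # Keep only the discovery commands for this host/user pair, oldest first.
        $hits = @($group.Group | Where-Object { Test-DiscoveryCommand $_.CommandLine } | Sort-Object TimeCreated)
        if ($hits.Count -lt $Threshold) { continue }
        $span = ($hits[-1].TimeCreated - $hits[0].TimeCreated).TotalMinutes
        if ($span -le $WindowMinutes) {
            [pscustomobject]@{
                Host        = $hits[0].Host
                User        = $hits[0].User
                Count       = $hits.Count
                SpanMinutes = [math]::Round($span, 1)
                Commands    = ($hits.CommandLine -join ' ; ')
            }
        }
    }
}

# Constructed sample (not real telemetry): one user runs three discovery commands in
# three minutes and should be flagged; a lone whoami hours later on another host should not.
$t0 = Get-Date '2026-04-15T09:00:00'
$Sample = @(
    [pscustomobject]@{ TimeCreated = $t0;               Host = 'WS-0142'; User = 'CORP\jsmith'; CommandLine = 'whoami  /priv' }
    [pscustomobject]@{ TimeCreated = $t0.AddMinutes(1); Host = 'WS-0142'; User = 'CORP\jsmith'; CommandLine = 'cmdkey /list' }
    [pscustomobject]@{ TimeCreated = $t0.AddMinutes(2); Host = 'WS-0142'; User = 'CORP\jsmith'; CommandLine = 'C:\Windows\System32\net1.exe group "Domain Admins" /domain' }
    [pscustomobject]@{ TimeCreated = $t0.AddMinutes(3); Host = 'WS-0142'; User = 'CORP\jsmith'; CommandLine = 'C:\Windows\System32\notepad.exe' }
    [pscustomobject]@{ TimeCreated = $t0.AddHours(5);   Host = 'WS-0007'; User = 'CORP\admin1'; CommandLine = 'whoami /priv' }
)
Find-DiscoveryBurst -Events $Sample | Format-List
```

To run this over real data, build the input from `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688}` with "Audit Process Creation" and the "Include command line in process creation events" policy enabled (without the latter the command line field is empty), or from Sysmon event 1. Administrators run whoami and net group legitimately, so the signal is the burst from a standard user, not any single command; keep the threshold and window as tunables rather than hard-coding an alert on one match.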

Recommendations

Because these tools abuse legitimate architectural features rather than a single bug, standard patching is not enough on its own. Organisations must harden the attack surface directly:

  • Strict Application Control: Move Windows Defender Application Control (WDAC) or AppLocker from audit to enforcement mode so that unsigned or unapproved binaries cannot run from user-writable locations such as %TEMP% or Downloads. This stops the exploit binaries before they can start a race, and it is a deny-by-default control that does not depend on Defender recognising the tools. Run in audit mode long enough to catch legitimate software that enforcement would otherwise block.
  • Accelerated Signatures: Set the Defender signature update interval to every 4–8 hours to shrink the window in which UnDefend leaves a host on stale definitions, and alert centrally when a host's signature version or timestamp stops advancing while the rest of the fleet updates; a shorter interval does nothing for a host whose update path has already been cut.
  • Tamper Protection: Enforce Tamper Protection everywhere, managed centrally (Intune or Defender for Endpoint) rather than per host, so that Defender's engine settings cannot be changed through the registry or PowerShell and definitions cannot be rolled back by hand.
  • Zero-Trust VPNs: Retire legacy SSLVPN appliances in favour of an identity-aware access model, and protect remote access with phishing-resistant MFA (FIDO2/WebAuthn security keys or passkeys, or certificate-based authentication). Number-matching push approvals help against MFA-fatigue spam but are not phishing-resistant, since an adversary-in-the-middle proxy still captures the session, so they do not close the purchased-credential vector on their own.
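The UnDefend description above and the signature and Tamper Protection recommendations both come down to the same check: is this host actually receiving definitions, and can its Defender settings be changed locally? The following PowerShell is an added example, not code from the original alert or from Microsoft: it audits that state through the built-in Defender module and applies the update cadence recommended above. It must be run in an elevated session on a Windows host; the 8-hour staleness threshold and 4-hour interval are assumptions chosen to match the 4–8 hour guidance.

```powershell
# Added example (not from the original alert). Audits Defender signature freshness and
# tamper state, then enforces a short signature update interval. Every cmdlet used is
# part of the built-in Defender module; run elevated.

function Test-DefenderHealth {
    param([int] $MaxSignatureAgeHours = 8)   # assumption: older than this is stale

    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference
    # AntivirusSignatureAge is reported in whole days; compute hours from the timestamp instead.
    $sigAge = (Get-Date) - $status.AntivirusSignatureLastUpdated

    [pscustomobject]@{
        Host                = $env:COMPUTERNAME
        RealTimeProtection  = $status.RealTimeProtectionEnabled
        TamperProtected     = $status.IsTamperProtected
        SignatureVersion    = $status.AntivirusSignatureVersion
        SignatureAgeHours   = [math]::Round($sigAge.TotalHours, 1)
        SignatureStale      = $sigAge.TotalHours -gt $MaxSignatureAgeHours
        UpdateIntervalHours = $pref.SignatureUpdateInterval   # 0 disables the interval check, leaving only the scheduled one
    }
}

function Set-DefenderSignatureCadence {
    param([int] $IntervalHours = 4)   # assumption: 4h, the tight end of the 4-8h recommendation
    # Interval checks (1-24 hours) run in addition to the scheduled update.
    Set-MpPreference -SignatureUpdateInterval $IntervalHours
    # Pull definitions now so any existing stale window closes immediately.
    Update-MpSignature -UpdateSource MicrosoftUpdateServer
    return (Get-MpPreference).SignatureUpdateInterval
}

# Tamper Protection is not a Set-MpPreference switch: enforce it centrally (Intune, Defender for
# Endpoint, or the Windows Security app) and only verify it here.
$health = Test-DefenderHealth
$health | Format-List
if ($health.SignatureStale -or -not $health.TamperProtected -or -not $health.RealTimeProtection) {
    Write-Warning ("{0}: stale={1} tamper={2} rtp={3}" -f $health.Host, $health.SignatureStale,
                   $health.TamperProtected, $health.RealTimeProtection)
}
Set-DefenderSignatureCadence -IntervalHours 4
```

Feed the Test-DefenderHealth output into your inventory and compare AntivirusSignatureVersion across hosts: a machine that reports itself healthy but whose version stops advancing while its peers update is the failure mode the UnDefend section describes, and a local check alone cannot distinguish "no new definitions were published" from "this host is not receiving them". Shortening the interval only helps hosts whose update path is still intact.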