
Researcher drops two more Microsoft Defender zero-days, all three now exploited in the wild

Apr 21, 2026  Twila Rosenbaum  5 views

A security researcher has released two more zero-day vulnerabilities in Microsoft Defender, following their earlier public disclosure of a privilege escalation exploit. The release matters because all three techniques are reportedly being used by threat actors in the wild.

Details of the New Exploits

The first of the newly disclosed exploits, named "RedSun," is another privilege escalation flaw in Microsoft Defender. The second, "UnDefend," lets a standard (non-administrator) user block Microsoft Defender from receiving signature updates, or disable the product entirely while Microsoft pushes a major platform update.

According to Huntress, all three techniques have been confirmed in use by at least one threat actor in real-world attacks. The researcher behind the disclosures, who uses the pseudonyms Chaotic Eclipse and Nightmare Eclipse, originally published a proof-of-concept (PoC) exploit for a zero-day privilege escalation vulnerability on April 3, claiming that their attempts to disclose it to the Microsoft Security Response Center (MSRC) had been unproductive.

Timeline of Events

On April 14, Microsoft released security updates for the previously reported vulnerability, now tracked as CVE-2026-33825. Notably, the researchers credited in the advisory are Zen Dodd and Yuanpei Xu, not Nightmare Eclipse.

Subsequently, on April 16, the anonymous researcher published the "RedSun" and "UnDefend" PoC exploits to a GitHub repository. Despite warnings from Microsoft regarding the repository, it remains publicly accessible. Vulnerability analyst Will Dormann has confirmed that the RedSun PoC works as advertised, raising concern about its impact.

Real-World Exploitation

Huntress researchers report that on April 10 they observed Microsoft Defender successfully blocking the BlueHammer exploit (the privilege escalation PoC released on April 3). A few days later, on April 16, they saw the "RedSun" and "UnDefend" PoCs deployed in the wild. In these attacks, the operators dropped the exploit files into users' Pictures and Downloads folders, renaming them to evade detection.

Before running the exploits, the attackers performed reconnaissance: mapping the user's privileges, hunting for stored credentials, and enumerating the Active Directory structure. That sequence, recon before privilege escalation before disabling the endpoint protection, indicates deliberate planning rather than opportunistic use of a public PoC.
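The two Huntress observations above, UnDefend-style tampering with Defender and renamed exploit files dropped into Pictures and Downloads, suggest a concrete host check. The following PowerShell script is an added example and is not code from the article, from Huntress, or from Microsoft. It assumes the built-in Defender PowerShell module is available (Windows 10/11 and Server 2016 or later), that it runs with local administrator rights, and that the signature-age threshold, the look-back window, and the choice to flag any file with a PE ("MZ") header in those folders are tuning assumptions for your environment.

```powershell
# Added example, not from the article: one-host Defender health and tampering check.
# Assumptions: Defender module present, run as local admin, thresholds below are tunable.

$MaxSignatureAgeDays = 3   # assumed threshold; tune to your update cadence
$LookbackDays        = 7   # assumed window for log and file review

# Returns $true if the file starts with the "MZ" PE magic, whatever its extension.
# This is what catches an exploit renamed to look like a picture or document.
function Test-PeHeader([string]$Path) {
    try {
        $fs = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
        try {
            $b = New-Object byte[] 2
            $n = $fs.Read($b, 0, 2)
            return ($n -eq 2 -and $b[0] -eq 0x4D -and $b[1] -eq 0x5A)
        } finally { $fs.Dispose() }
    } catch { return $false }
}

$status   = Get-MpComputerStatus
$pref     = Get-MpPreference
$findings = @()

# 1. Is the product actually running and protecting? (what UnDefend aims to break)
if (-not $status.AMServiceEnabled)          { $findings += 'Antimalware service is not running' }
if (-not $status.AntivirusEnabled)          { $findings += 'Antivirus is disabled' }
if (-not $status.RealTimeProtectionEnabled) { $findings += 'Real-time protection is disabled' }
if (-not $status.IsTamperProtected)         { $findings += 'Tamper Protection is off' }
if ($pref.DisableRealtimeMonitoring)        { $findings += 'DisableRealtimeMonitoring preference is set' }
if ($status.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
    $findings += "Signatures are $($status.AntivirusSignatureAge) days old (last update $($status.AntivirusSignatureLastUpdated))"
}

# 2. Defender's operational log records the events an UnDefend-style attack would leave.
#    Documented Microsoft Defender Antivirus event IDs:
#    2001 signature update failed, 5001 real-time protection disabled,
#    5007 platform configuration changed, 5010 / 5012 malware / virus scanning disabled.
$tamperIds = 2001, 5001, 5007, 5010, 5012
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = $tamperIds
    StartTime = (Get-Date).AddDays(-$LookbackDays)
} -ErrorAction SilentlyContinue   # "no events found" is a non-terminating error; silence it

foreach ($e in $events) {
    $findings += ('{0:u} event {1}: {2}' -f $e.TimeCreated, $e.Id, ($e.Message -split "`n")[0])
}

# 3. Recently created PE files in Pictures / Downloads, regardless of extension.
$since = (Get-Date).AddDays(-$LookbackDays)
foreach ($profile in Get-ChildItem 'C:\Users' -Directory) {
    foreach ($sub in 'Pictures', 'Downloads') {
        $dir = Join-Path $profile.FullName $sub
        if (-not (Test-Path $dir)) { continue }
        Get-ChildItem $dir -File -Recurse -ErrorAction SilentlyContinue |
            Where-Object { $_.CreationTime -gt $since -and (Test-PeHeader $_.FullName) } |
            ForEach-Object { $findings += "PE file in user folder: $($_.FullName) (created $($_.CreationTime), ext '$($_.Extension)')" }
    }
}

if ($findings.Count -eq 0) {
    "Defender health: OK (signatures $($status.AntivirusSignatureVersion), engine $($status.AMEngineVersion))"
} else {
    "Defender health: $($findings.Count) finding(s)"
    $findings | ForEach-Object { " - $_" }
    exit 1
}
```

A non-zero exit code makes the script usable from an RMM or scheduled task; a renamed exploit with a .jpg extension still starts with "MZ", so section 3 does not rely on the file name the attacker chose. None of this detects the RedSun or UnDefend exploits themselves; it flags the state they leave behind, which is the part a defender can verify today while waiting for a patch.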

In response, Huntress has isolated the affected organizations to contain further exploitation. The onus is now on Microsoft: with the next scheduled Patch Tuesday several weeks away, an out-of-band emergency update is the expected route to a fix.

Until a fix ships, organizations should watch for Defender being disabled or falling behind on signature updates, and apply Microsoft's patch as soon as it becomes available.


Source: Help Net Security News

