PatchDay Alert
MAY 4, 2026
Analysis · 6 min read By Victor Hayes

Windows Defender is the attack surface now, and two of the three exploits don't have patches

Three tools dropped in April turn Defender's own privileged operations into privilege escalation and detection evasion. Microsoft patched one. The other two work on fully patched systems.

If your endpoint security strategy is “we run Defender,” you now have three public exploit tools that use Defender’s own privileged operations to steal credentials, overwrite system binaries, and degrade detection. Microsoft patched one of them on April 14. The other two work on fully patched systems today. No CVE assigned. No patch timeline.

The uncomfortable math: patching BlueHammer (CVE-2026-33825) is necessary, but it leaves two-thirds of the problem untouched. And the two unpatched tools don’t require new vulnerabilities. They require Defender to be running and doing its job.

What happened

A researcher operating under the handle “Nightmare-Eclipse” published BlueHammer on GitHub in early April with no prior disclosure to Microsoft. First confirmed exploitation in the wild followed within a week, on April 10. Microsoft’s patch landed April 14 via Patch Tuesday. Two days later, on April 16, the same researcher dropped RedSun and UnDefend. That timing looks deliberate. CISA added BlueHammer to the KEV catalog on April 22, with a federal agency remediation deadline of May 6.

On April 16, Huntress observed all three tools deployed in a single intrusion chain: FortiGate VPN credential compromise as initial access, BlueHammer for SYSTEM escalation, and RedSun and UnDefend deployed alongside it. Huntress documented the attempt but did not confirm that all three tools succeeded in that specific intrusion. The tools were staged in the Pictures folder using two-letter subdirectory names, followed by a C2 relay called BeigeBurrow.

How they work

BlueHammer steals SYSTEM credentials without kernel exploits

CVE-2026-33825 exploits a TOCTOU race condition in how MpSigStub.exe handles signature update file paths. The SYSTEM process validates the path security context once, then proceeds with the I/O transaction. That single upfront check creates a timing gap.

The exploit chains four primitives: an opportunistic lock freezes the SYSTEM thread between validation and read, an NTFS junction swap redirects the path, an Object Manager symbolic link points it at the SAM hive on a Volume Shadow Copy, and the release lets Defender follow the new path. Result: credential extraction at SYSTEM. Preconditions are low. Local user account, execution from user-writable directories, and the “Create symbolic links” right, which is granted to standard users by default.

Patched. Platform version 4.18.26030.3011 or later (KB5083769/KB5082200).

RedSun hijacks Defender’s own remediation to overwrite system binaries

This is the one that should keep you up at night. Vectra’s analysis is blunt: RedSun “does not require a new vulnerability. It requires Defender to be running and doing its job.”

The mechanic: bait real-time protection with an EICAR test string. Defender initiates cloud file restoration via TieringEngineService.exe. During restoration, a temporary DACL is applied as a SYSTEM-privileged write. RedSun redirects via mount point and oplocks. Defender follows the redirected path and writes to System32 with SYSTEM privileges.

Confirmed working on fully patched Windows 10, 11, and Server 2019+ after the April Patch Tuesday. No CVE. No patch. No remediation timeline from Microsoft.

UnDefend silently degrades detection

UnDefend watches the Definition Updates directory and races to lock definition files before Defender can load them. It requires continuous execution, so it’s not a permanent corruption, but for the duration of a hands-on-keyboard intrusion, it means Defender is running with degraded or absent definitions. The attacker’s subsequent actions are less likely to trigger alerts.

Also unpatched. Also no CVE.

Why this is structural, not incidental

This is not the first time endpoint security tooling became a privilege escalation vector. CVE-2021-24092 was a path-confusion bug in Defender’s BTR.sys that survived 12 years (2009 to 2021), structurally identical to BlueHammer’s approach. AvosLocker and Cuba ransomware groups weaponized Avast drivers across a six-year exposure window. The Terminator tool turned Zemana drivers into a commodity service. ToddyCat exploited an ESET DLL hijack to run inside the AV process itself.

The pattern is consistent: endpoint security products operate with the highest privileges on the system, perform complex file operations as SYSTEM, and ship update mechanisms that are difficult to harden without breaking the product. Every one of those properties is an attacker advantage when the trust boundary fails.

Microsoft holds 28.6% of the worldwide endpoint market according to IDC’s 2024 numbers. They’ve been Gartner’s Leader pick six consecutive years. That market position means these three tools don’t just affect organizations that chose Defender. They affect organizations that inherited Defender because Windows ships with it and nobody made a different decision.

What doesn’t help

VBS/HVCI does not specifically block BlueHammer. It’s a user-space race condition, not kernel code injection. Vectra’s technical analysis doesn’t mention VBS/HVCI as a mitigation.

Credential Guard limits the downstream value of stolen credentials, but it doesn’t stop the exploit from executing. You still have SYSTEM-level access; the loot is just less portable.

Waiting for a patch works for BlueHammer. It does not work for RedSun or UnDefend. Whether Microsoft assigns CVEs at the May 12 Patch Tuesday remains unknown.

What actually helps

Patch BlueHammer immediately if you haven’t already. Platform version 4.18.26030.3011+. CISA’s FCEB deadline is May 6.
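A quick way to verify that a host actually carries the patched platform build, as an added example that is not from the article or from Microsoft. It relies on the real Get-MpComputerStatus cmdlet and its AMProductVersion property (the antimalware platform version); the threshold is the version quoted above. Assumes Defender is installed and not displaced by a third-party AV, otherwise the cmdlet returns nothing useful.

```powershell
# Added example: confirm this host's Defender platform version is at or above
# the build the article names as patched for CVE-2026-33825.
function Test-DefenderPlatformPatched {
    $patched = [version]'4.18.26030.3011'   # patched build quoted in the article

    $status = Get-MpComputerStatus
    if (-not $status) { throw "Get-MpComputerStatus returned nothing; is Defender the active AV?" }

    $platform = [version]$status.AMProductVersion   # antimalware platform version

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        PlatformVersion      = $platform
        PatchedForBlueHammer = ($platform -ge $patched)
        RealTimeProtection   = $status.RealTimeProtectionEnabled
        SignatureAgeDays     = $status.AntivirusSignatureAge   # days since the last definition update
    }
}

Test-DefenderPlatformPatched
```

The threshold lives inside the function so the same script block can be shipped to other hosts unchanged, e.g. `Invoke-Command -ComputerName (Get-Content .\hosts.txt) -ScriptBlock ${function:Test-DefenderPlatformPatched}` to get one row per machine with PatchedForBlueHammer as the column to sort on. The signature age column is there because UnDefend's effect, as described below, looks like stale or missing definitions; a host whose signatures are unexpectedly old deserves a second look.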

Block execution from user-writable directories. WDAC or AppLocker policies that prevent code execution from locations like Pictures, Downloads, and Temp folders would have stopped the observed attack chain at the staging step.
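One way to check whether the effective AppLocker policy on a host actually closes that staging step, as an added example that is not from the article or from any vendor. It copies a signed, benign binary (notepad.exe) into a two-letter subfolder under Pictures, Downloads and Temp, mirroring the staging pattern described earlier, asks AppLocker for its decision on each path with the real Test-AppLockerPolicy cmdlet, and removes the copies. The folder names and the choice of probe binary are this example's own; the check covers AppLocker only, not WDAC.

```powershell
# Added example: probe whether AppLocker would allow an executable to run from
# user-writable locations named in the article. "Allowed" means the gap is open.
function Test-UserWritableExecution {
    $locations = @(
        (Join-Path $env:USERPROFILE 'Pictures\ab'),   # two-letter subdir, as in the observed staging
        (Join-Path $env:USERPROFILE 'Downloads\ab'),
        (Join-Path $env:TEMP 'ab')
    )
    $source = Join-Path $env:windir 'System32\notepad.exe'   # benign signed probe
    $policy = Get-AppLockerPolicy -Effective

    foreach ($dir in $locations) {
        New-Item -ItemType Directory -Path $dir -Force | Out-Null
        $probe = Join-Path $dir 'probe.exe'
        Copy-Item -Path $source -Destination $probe -Force
        try {
            $decision = Test-AppLockerPolicy -PolicyObject $policy -Path $probe -User Everyone
            [pscustomobject]@{
                Path     = $probe
                Decision = $decision.PolicyDecision   # Allowed / Denied / DeniedByDefault
                Rule     = $decision.MatchingRule
            }
        } finally {
            Remove-Item -Path $dir -Recurse -Force -ErrorAction SilentlyContinue   # clean up the probe
        }
    }
}

Test-UserWritableExecution | Format-Table -AutoSize
```

Run it as a standard user, since that is the context the attack chain starts from. If the Decision column reads Allowed for any of the three paths, the policy would not have stopped the staging step; a Denied or DeniedByDefault result with a matching rule name tells you which rule did the work. On a host with no AppLocker policy at all the cmdlet has nothing to evaluate against, which is the same finding expressed differently.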

Deploy detection rules for the known tooling. The community repository at technoherder/BlueHammerFix on GitHub includes four YARA rules and seven Sigma rules. Known indicators include the “SERIOUSLYMSFT” provider string and process names UnDefend.exe, FunnyApp.exe, and RedSun.exe.
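A minimal retrospective hunt over process-creation telemetry for the indicators listed above, as an added example that is not part of the article or of the BlueHammerFix repository. It reads Sysmon Event ID 1 where Sysmon is present and Security 4688 where process-creation auditing is on, then matches the three process names, the Pictures\xx staging pattern, and the SERIOUSLYMSFT string. The 72-hour lookback and the exact staging regex are assumptions made here; the article calls SERIOUSLYMSFT a provider string, and this example simply looks for it in event provider names and message bodies, which is an assumption about where it would surface.

```powershell
# Added example: hunt recent process-creation events for the tooling indicators
# named in the article. Returns one row per hit; nothing is blocked or changed.
function Find-DefenderAbuseTooling {
    param([int]$LookbackHours = 72)   # lookback window is an assumption for this example

    $names          = 'UnDefend.exe', 'FunnyApp.exe', 'RedSun.exe'   # process names quoted in the article
    $providerString = 'SERIOUSLYMSFT'                                  # indicator quoted in the article
    $stagingPattern = '\\Pictures\\[A-Za-z]{2}\\[^\\]+\.exe'          # two-letter subdir under Pictures
    $since          = (Get-Date).AddHours(-$LookbackHours)

    $events = @()
    # Sysmon process creation (Event ID 1), if Sysmon is installed
    $events += @(Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = $since
    } -ErrorAction SilentlyContinue)
    # Security log process creation (4688); requires audit process creation to be enabled
    $events += @(Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4688; StartTime = $since
    } -ErrorAction SilentlyContinue)

    foreach ($e in $events) {
        $msg = $e.Message
        $hit = $null
        foreach ($n in $names) {
            # match "\RedSun.exe" etc. as a path component; -match is case-insensitive
            if ($msg -match [regex]::Escape("\$n")) { $hit = "process name $n"; break }
        }
        if (-not $hit -and $msg -match $stagingPattern) { $hit = "staging path $($Matches[0])" }
        if (-not $hit -and ($e.ProviderName -eq $providerString -or $msg -match $providerString)) {
            $hit = "string $providerString"
        }
        if ($hit) {
            [pscustomobject]@{
                Time      = $e.TimeCreated
                Computer  = $e.MachineName
                Log       = $e.LogName
                EventId   = $e.Id
                Indicator = $hit
            }
        }
    }
}

Find-DefenderAbuseTooling | Sort-Object Time | Format-Table -AutoSize
```

This is deliberately a name-and-path hunt, which is the weakest kind of indicator: a renamed binary walks past it. Treat it as a fast first sweep while the YARA and Sigma rules from the repository are rolled into your EDR or SIEM, and treat a hit on the staging pattern alone as worth a look even when none of the three names appear.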

Do not rely on Defender alone. This is the structural takeaway. If a single product’s own operations can be weaponized for escalation and its own detection can be degraded by locking files it needs to read, you need an independent detection layer. NIST CSF 2.0 and PCI-DSS 4.0 both point toward this requirement. Whether your auditor enforces it is a separate question from whether it’s the right architecture.

Every confirmed case started with VPN credential compromise without MFA. The endpoint exploit chain is lethal, but it still needed initial access. MFA on your VPN concentrators is the control that would have prevented these intrusions from reaching the point where BlueHammer mattered.

The disclosure question

The researcher cited “increasingly burdensome submission requirements, including mandatory video proof of exploitation” as the reason for dropping publicly without coordinated disclosure. Microsoft’s response was the standard line: they “support coordinated vulnerability disclosure.”

I don’t know whether the disclosure process is genuinely too burdensome or whether this was a frustrated researcher making a point. What I do know is the result: seven days of in-the-wild exploitation before the patch, and two tools still burning with no remediation path. The process debate is worth having, but the sysadmin deploying at 2 AM doesn’t get to wait for that debate to resolve.

The close

Defender isn’t broken. It’s doing exactly what it was designed to do: operating with high privileges, performing complex file operations, and trusting its own update and remediation paths. The problem is that those same properties, the ones that make it effective, are the ones being exploited. And for two of the three tools, “wait for the patch” isn’t an option today.

PatchDay Alert tracks exploit status, patch availability, and the specific version numbers that matter for CVEs like this one, delivered daily before your first ticket.
