Microsoft Patches Two Actively Exploited Defender Zero-Days — UnDefend and RedSun Were Built to Disable the Security Tool Itself
Microsoft patched UnDefend (CVE-2026-41091) and RedSun (CVE-2026-45498), two Defender zero-days exploited in the wild since April. Their purpose is the security tool itself — one escalates through Defender, the other disables it. Barracuda ties the wave to the researcher behind MiniPlasma.
Two Microsoft Defender zero-days — UnDefend and RedSun — were being exploited in the wild before today's patch landed, and their entire purpose is to attack the security tool itself: one escalates through Defender, the other progressively disables it. Barracuda ties the broader Defender exploit wave to the researcher behind MiniPlasma and YellowKey — an assessment, not a vendor-confirmed attribution, but a striking one if it holds.
REDMOND, WASHINGTON — On May 21, 2026, Microsoft patched two actively exploited Microsoft Defender zero-day vulnerabilities — CVE-2026-41091, the flaw weaponized by the UnDefend exploit, and CVE-2026-45498, weaponized by RedSun. CVE-2026-41091, rated CVSS 7.8, is a link-following flaw in the Microsoft Malware Protection Engine that improperly resolves links before accessing files, letting a local attacker escalate to SYSTEM privileges. Both flaws were confirmed exploited in the wild — incident-response firm Huntress observed RedSun and UnDefend proof-of-concept exploits in use since April 16, 2026 — and CISA added both CVEs to its Known Exploited Vulnerabilities catalog. Microsoft fixed them in Defender Antimalware Platform version 4.18.26040.7. UnDefend and RedSun are two of three Defender exploits — alongside BlueHammer (CVE-2026-33825), patched April 14 — that researchers describe as a 'layered degradation strategy': attackers escalate to SYSTEM with BlueHammer or RedSun, then deploy UnDefend to progressively disable Defender's protection. Barracuda's research ties the broader Defender exploit wave to a researcher operating as Nightmare-Eclipse, also known as Chaotic Eclipse — the same name behind MiniPlasma and YellowKey — though that attribution is Barracuda's assessment, not a vendor confirmation.
What Happened
UnDefend, RedSun, and the 'Attack the Security Tool' Logic
What sets these two zero-days apart is their target: Microsoft Defender itself. CVE-2026-41091, the flaw the UnDefend exploit weaponizes, is a link-following vulnerability in the Microsoft Malware Protection Engine, the scanning core of Defender. The engine improperly resolves links before accessing files, and a local attacker who exploits that can escalate to SYSTEM, the highest Windows privilege level. "Local" is the operative caveat: both flaws require code execution on the host already, so these are post-compromise tools for consolidating and hiding an intrusion, not initial-access vectors. UnDefend's role in the chain is to disrupt Defender's update mechanism and progressively weaken its protection. CVE-2026-45498, weaponized by RedSun, is a privilege-escalation flaw that abuses Defender's handling of cloud-tagged files to overwrite system paths. Vectra AI describes the two, together with the earlier BlueHammer flaw, as a 'layered degradation strategy': escalate to SYSTEM with BlueHammer or RedSun, then run UnDefend to quietly turn down the endpoint protection. The endpoint-security product becomes both the escalation path and the control that gets switched off.
Confirmed Exploited Before the Patch
Both flaws were exploited in the wild before Microsoft's May 21 fix. Incident-response firm Huntress reported observing the BlueHammer, RedSun, and UnDefend exploits in active use: BlueHammer since April 10, 2026, and RedSun and UnDefend proof-of-concept exploits since April 16. CISA added CVE-2026-41091 and CVE-2026-45498 to its Known Exploited Vulnerabilities catalog, the agency's confirmation that a flaw is being used in real attacks. Microsoft fixed all three current Defender flaws, CVE-2026-41091 (UnDefend), CVE-2026-45498 (RedSun), and a separate remote-code-execution bug, CVE-2026-45584, in Defender Antimalware Platform version 4.18.26040.7. Defender platform updates usually apply automatically, but a flaw whose exploit specifically disrupts Defender's update mechanism is a reason to verify, not assume: a host that was compromised before the fix may be the one host that never received it.
The Nightmare-Eclipse Thread — Barracuda's Assessment
Barracuda published research under a pointed title: 'Nightmare-Eclipse: six zero-days, six weeks and one big grudge.' It groups a six-zero-day wave against Windows and Defender under a single researcher operating as Nightmare-Eclipse, also known as Chaotic Eclipse — the same name attached to MiniPlasma, the cldflt.sys SYSTEM-escalation zero-day, and YellowKey, the BitLocker bypass. If the framing holds, it describes one researcher producing six Windows zero-days in six weeks. The CyberSignal is reporting this as exactly what it is: Barracuda's analysis. Microsoft and the original April reporting on the Defender zero-days did not name a researcher, the identity behind the alias is unknown, and the 'grudge' motive is Barracuda's characterization. The thread is worth tracking — but it is an assessment, not a confirmed attribution.
Scope and Impact
Several things are not confirmed. Huntress observed exploitation but has not attributed it to a specific named threat actor, so the operators behind the in-the-wild RedSun and UnDefend use are unknown, as is the total victim count. It is not stated whether CVE-2026-45584, the third Defender flaw, was exploited or patched proactively. And the Nightmare-Eclipse six-zero-day grouping is Barracuda's assessment. What is not in dispute is the pressure: this is the same alias attached to MiniPlasma, the SYSTEM exploit that revealed a 2020 Microsoft patch had silently regressed, and to the YellowKey BitLocker bypass that The CyberSignal covered this week. It arrives in a cycle where Microsoft's own MDASH AI found 16 Patch Tuesday bugs while Palo Alto found 75 in one scan. Windows security is being probed, by tooling and by researchers, faster than the patch pipeline closes the findings.
The deeper issue is structural. An endpoint-protection product is, by design, a highly privileged process that touches every file on the system, which makes it an exceptionally valuable thing to compromise. UnDefend exists to turn Defender's protection down; RedSun exists to escalate through it. A defender whose primary endpoint control is Microsoft Defender, and whose Defender silently degraded sometime after April 16, may have been running blind without an alert ever firing. The CyberSignal has tracked adjacent Defender and Windows-control failures through the Defender signature update that quarantined DigiCert root certificates worldwide and APT28's incompletely patched Windows zero-day that left a zero-click hole open. The recurring lesson is that the security stack is not exempt from the threat model; it is increasingly the target of it.
Response and Attribution
For Windows-enterprise endpoint teams, the immediate action is verification, not assumption: confirm Microsoft Defender is updated to Antimalware Platform version 4.18.26040.7 or later across the entire fleet, by querying each host's reported platform version rather than the management console's last-known state. Because UnDefend's exploit specifically disrupts Defender's update mechanism, the usual 'updates are automatic' assurance is exactly what cannot be trusted here. Any endpoint where Defender protection silently degraded, or where platform updates failed, in the April 16 to May 21 window should be treated as a potential UnDefend compromise and investigated. Update failures do have benign causes, so a stale host is a lead to triage against the exploit indicators, not proof on its own. Hunt for the exploitation chain: SYSTEM-context processes spawned from interactive sessions, anomalous Defender service-state changes (real-time protection turned off, tamper-protection events, engine failures), and unexpected writes to system paths by Defender's own engine or service processes, which is the primitive both link-following and the cloud-tagged-file abuse give an attacker. Pull the Huntress and Picus Security indicator sets for the three-exploit chain.
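The fleet check described above, as an added example rather than code from Microsoft or any of the firms cited: it reads Defender's own reported platform version and protection state from each host and flags anything below the fixed build or with protection degraded. It assumes WinRM is enabled for remote hosts (it runs locally when no names are given); the signature-age threshold and the host-list filename are hypothetical and should be tuned to your environment.

```powershell
# Added example: verify Defender is at or above the fixed Antimalware Platform build and
# that protection is actually on, host by host. Not from the article's sources.
# Assumes WinRM/PowerShell remoting for any host other than the local one.

$FixedPlatformVersion = [version]'4.18.26040.7'   # fixed build per Microsoft's May 21 release

function Test-DefenderPatchState {
    [CmdletBinding()]
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        [version]$MinimumPlatform = $FixedPlatformVersion,
        [int]$MaxSignatureAgeDays = 3        # hypothetical threshold; tune to your update cadence
    )

    foreach ($computer in $ComputerName) {
        try {
            if ($computer -eq $env:COMPUTERNAME) {
                $s = Get-MpComputerStatus -ErrorAction Stop
            } else {
                $s = Invoke-Command -ComputerName $computer -ErrorAction Stop -ScriptBlock { Get-MpComputerStatus }
            }
        } catch {
            # A host that cannot even report its status is a finding, not a gap in the data.
            [pscustomobject]@{ Computer = $computer; Platform = $null; Engine = $null
                               Verdict = 'UNREACHABLE'; Reason = $_.Exception.Message }
            continue
        }

        $reasons = New-Object System.Collections.Generic.List[string]

        # AMProductVersion is the Antimalware Platform build (AMEngineVersion is the scan engine).
        # It can be empty when Defender is not the active AV, so treat that as version 0.
        $platform = if ($s.AMProductVersion) { [version]$s.AMProductVersion } else { [version]'0.0' }

        if ($platform -lt $MinimumPlatform)      { $reasons.Add("platform $platform below $MinimumPlatform") }
        if (-not $s.AMServiceEnabled)            { $reasons.Add('antimalware service disabled') }
        if (-not $s.RealTimeProtectionEnabled)   { $reasons.Add('real-time protection off') }
        if (-not $s.IsTamperProtected)           { $reasons.Add('tamper protection off') }
        if ($s.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
            # Stale signatures are the visible symptom of a disrupted update path.
            $reasons.Add("signatures $($s.AntivirusSignatureAge) days old")
        }
        if ($s.AMRunningMode -ne 'Normal') {
            # Passive/EDR-block modes are legitimate with a third-party AV; confirm that is expected.
            $reasons.Add("running mode '$($s.AMRunningMode)'")
        }

        [pscustomobject]@{
            Computer = $computer
            Platform = $platform
            Engine   = $s.AMEngineVersion
            Verdict  = if ($reasons.Count -eq 0) { 'OK' } else { 'INVESTIGATE' }
            Reason   = ($reasons -join '; ')
        }
    }
}

# Local run for a quick look:
Test-DefenderPatchState | Format-Table -AutoSize

# Fleet run (hypothetical host list), keeping only the hosts that need a ticket:
# Test-DefenderPatchState -ComputerName (Get-Content .\hosts.txt) |
#     Where-Object Verdict -ne 'OK' | Export-Csv .\defender-gaps.csv -NoTypeInformation
```

The point of reading `Get-MpComputerStatus` on the endpoint itself, rather than trusting a console's last check-in, is that an exploit which breaks the update path also tends to break the reporting that would tell you the update path is broken.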
For SOC teams, the structural takeaway is that Defender's own health state is now a security signal: protection downgrades, update failures, and tamper events should generate alerts, not just log entries, which in practice means forwarding the Defender Operational event log off the host and alerting on it centrally, since a host whose protection has been degraded cannot be trusted to raise the alarm about itself. The 'layered degradation' sequence (escalation followed by protection-weakening) is a high-fidelity intrusion pattern worth building detection around, and it sits alongside the broader Windows privilege-escalation research The CyberSignal has documented in pieces like the PhantomRPC RPC-escalation technique. For CISOs, the Defender zero-day wave is a concrete argument for defense-in-depth: a single endpoint-protection product becoming the attack vector is the exact failure mode that layered EDR or XDR is meant to survive. The board-level reframing is blunt: 'Defender is running' can no longer be treated as equivalent to 'the endpoint is protected.'
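One way to turn Defender's health state into the signal the paragraph above calls for, as an added example that is not from the article's sources: it pulls the protection-weakening event IDs from the Microsoft Defender Antivirus operational log since a cutoff date and renders them as a timeline with a verdict. The April 16 default cutoff is taken from the Huntress observation date cited in this article; the severity split between 'ALERT' and 'REVIEW' is the author's assumption and should be tuned to how noisy configuration changes are in your estate.

```powershell
# Added example: build a timeline of Defender health-degradation events from the local
# Defender Operational log. Not from Microsoft or the firms cited in the article.
# Event IDs are the documented Microsoft Defender Antivirus operational IDs.

$DegradationEvents = @{
    5001 = 'Real-time protection disabled'
    5008 = 'Antimalware engine failed'
    5010 = 'Antimalware/antispyware scanning disabled'
    5012 = 'Antivirus scanning disabled'
    5013 = 'Tamper protection blocked a change'     # the blocked attempt itself is the signal
    5004 = 'Real-time protection configuration changed'
    5007 = 'Defender configuration changed'
    2001 = 'Security intelligence update failed'
    2003 = 'Engine/platform update failed'          # the symptom of a disrupted update path
    3002 = 'Real-time protection encountered an error'
}

# Author's assumption: these IDs mean protection is actually weaker, the rest are config churn.
$AlertIds = 5001, 5008, 5010, 5012, 2003

function Get-DefenderDegradationTimeline {
    param(
        [datetime]$Since = [datetime]'2026-04-16',   # first observed RedSun/UnDefend use, per Huntress
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = [int[]]$DegradationEvents.Keys
        StartTime = $Since
    }
    # SilentlyContinue: Get-WinEvent throws when the filter matches nothing; no events is a valid result.
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in ($events | Sort-Object TimeCreated)) {
        [pscustomobject]@{
            Time     = $e.TimeCreated
            Id       = $e.Id
            Meaning  = $DegradationEvents[$e.Id]
            Severity = if ($e.Id -in $AlertIds) { 'ALERT' } else { 'REVIEW' }
            Detail   = ($e.Message -split "`n")[0].Trim()   # first line of the message is the summary
        }
    }
}

$timeline = @(Get-DefenderDegradationTimeline)

if ($timeline.Count -eq 0) {
    # Absence of events is not proof of health: an attacker who silenced Defender may also have
    # cleared the log, so corroborate with the platform-version check and Security log 1102.
    Write-Output 'No degradation events since cutoff. Corroborate with Get-MpComputerStatus and Security event 1102 (audit log cleared).'
} else {
    $timeline | Format-Table -AutoSize
    $alerts = @($timeline | Where-Object Severity -eq 'ALERT')
    if ($alerts.Count -gt 0) {
        Write-Warning "$($alerts.Count) protection-weakening event(s) since cutoff; treat host as a potential UnDefend compromise and escalate."
    }
}
```

Run as-is on a single host for triage; for fleet-wide alerting, the same event IDs are what to subscribe to via Windows Event Forwarding or your EDR's event-log collection, so the verdict is computed off the endpoint rather than on it. A 5013 event deserves attention even though nothing was changed: it records that something tried.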
The CyberSignal Analysis
Signal 01 — The Endpoint-Protection Product Is Now an Attack Surface
The defining feature of UnDefend and RedSun is not their severity scores; it is their target. These exploits do not route around Microsoft Defender — they go through it and against it. UnDefend's job is to disable the protection; RedSun's is to escalate using it. For most organizations, Defender is the security control, the thing assumed to be watching. An exploit that quietly degrades it inverts that assumption: the tool the SOC trusts to raise the alarm becomes the thing the attacker silences first. Defender's own telemetry — its update status, its protection state, its tamper events — has to be promoted from background noise to a monitored security signal. If the endpoint protection can be turned off without anyone noticing, then no one was protected and no one knew.
Signal 02 — Treat the Nightmare-Eclipse Attribution as a Lead, Not a Fact
Barracuda's framing — one researcher, six Windows zero-days, six weeks — is a compelling story, and if it holds it is the most important Windows-security narrative of the cycle. But it is an assessment. Microsoft has not named a researcher; the April Defender-zero-day reporting did not either; the identity behind 'Nightmare-Eclipse' is unknown; and the 'grudge' is Barracuda's read of motive. The CyberSignal is flagging the Nightmare-Eclipse cluster as a developing story worth watching precisely because the pattern — the same alias attached to MiniPlasma and YellowKey — is striking. The discipline is to hold it as a lead. Sustained, concentrated zero-day pressure on Windows is real and observable regardless of whether one alias explains all of it; the single-author explanation is the part that still needs corroboration.
Signal 03 — Defense-in-Depth Is the Answer to a Compromised Control
The Defender zero-day wave is, in the end, an argument that has been made for years and is now concretely demonstrated: no single security control should be load-bearing on its own. An organization that runs Defender as its sole endpoint protection, with no independent EDR or XDR layer cross-checking it, has exactly one thing standing between an intrusion and a clean getaway — and UnDefend is purpose-built to remove that one thing. Layered detection means a degraded Defender is caught by something else; an unlayered estate means a degraded Defender is caught by no one. CISOs should re-baseline the assumption set after this cycle: endpoint protection is necessary but not sufficient, its health must be independently monitored, and the security stack belongs inside the threat model, not above it.