Charlotte Times

Researcher drops two more Microsoft Defender zero-days, all three now exploited in the wild

Apr 21, 2026  Twila Rosenbaum

In a worrying development for cybersecurity, a security researcher has revealed two additional zero-day vulnerabilities in Microsoft Defender, following the earlier disclosure of a privilege escalation flaw. This brings the total to three known vulnerabilities that are currently being exploited by malicious actors.

The newly disclosed vulnerabilities, identified as “RedSun” and “UnDefend,” target the same product as the initial flaw. “RedSun” is another privilege escalation issue, while “UnDefend” lets a standard user block Microsoft Defender from receiving signature updates, or even disable the product entirely during major updates.

According to research conducted by Huntress, all three vulnerabilities have been actively exploited in the wild by at least one known threat actor, amplifying the urgency for users to take protective measures.

The New Exploits

The researcher, operating under the pseudonyms Chaotic Eclipse and Nightmare Eclipse, initially released a proof-of-concept (PoC) exploit for the original vulnerability, “BlueHammer,” on April 3. This release followed an unsuccessful disclosure attempt with the Microsoft Security Response Center. On April 14, Microsoft issued a security update that addressed the first vulnerability, which has been assigned CVE-2026-33825. Notably, the researchers credited with reporting this vulnerability, Zen Dodd and Yuanpei Xu, are not the anonymous researcher behind the recent disclosures.

On April 16, the anonymous researcher published the “RedSun” and “UnDefend” PoC exploits to the same GitHub repository that initially hosted the “BlueHammer” exploit. Despite a warning from Microsoft about the repository, it remains accessible to the public. Vulnerability analyst Will Dormann has confirmed the effectiveness of the “RedSun” PoC, raising concerns about the potential for widespread exploitation.

Attacks Observed in the Wild

Recent observations by Huntress researchers indicate that the “BlueHammer” exploit was blocked by Windows Defender on April 10. Subsequent monitoring revealed that the “RedSun” and “UnDefend” PoCs were also being used in the wild by April 16. Attackers reportedly deploy the exploit files by placing them in the user’s Pictures and Downloads folders, renaming them to obscure their true nature. Before executing the exploits, they perform reconnaissance by mapping out user privileges, uncovering stored credentials, and analyzing the Active Directory structure.
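Two things a defender can check on a host without waiting for a patch follow from the details above: whether Defender is still running and still receiving signature updates (the condition “UnDefend” is said to break), and whether executables with misleading names have been dropped into the Pictures and Downloads folders. The script below is an added example written for this article; it is not code from Huntress, Microsoft, or the researcher, and it goes slightly beyond the article by treating any stale-signature or disabled-protection state as a finding, not only the one caused by these exploits. It uses only the built-in Get-MpComputerStatus and Get-FileHash cmdlets. The two-day signature-age threshold and the choice to flag any file that starts with the PE “MZ” header but does not carry an executable extension are assumptions, marked as such in the comments.

```powershell
# Added example for this article (not from Huntress, Microsoft, or the researcher).
# Triage script: (1) check Defender health and signature freshness, (2) hunt for
# PE files hidden under non-executable names in Pictures and Downloads.
#Requires -Version 5.1

# Assumption: signatures older than this many days are treated as a finding.
$MaxSignatureAgeDays = 2

function Test-DefenderHealth {
    # Get-MpComputerStatus is the built-in Defender status cmdlet.
    $s = Get-MpComputerStatus
    $findings = @()
    if (-not $s.AMServiceEnabled)          { $findings += 'Defender antimalware service is not running' }
    if (-not $s.AntivirusEnabled)          { $findings += 'Antivirus engine is disabled' }
    if (-not $s.RealTimeProtectionEnabled) { $findings += 'Real-time protection is disabled' }
    $age = (Get-Date) - $s.AntivirusSignatureLastUpdated
    if ($age.TotalDays -gt $MaxSignatureAgeDays) {
        $findings += ('Antivirus signatures last updated {0:yyyy-MM-dd HH:mm} ({1:N1} days ago)' -f
                      $s.AntivirusSignatureLastUpdated, $age.TotalDays)
    }
    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        SignatureVersion = $s.AntivirusSignatureVersion
        Findings         = $findings
    }
}

function Find-MasqueradedExecutables {
    param(
        # Folders the article names as drop locations; checked in every local profile.
        [string[]]$Subfolders = @('Pictures', 'Downloads')
    )
    # Assumption: files with these extensions are declared executables and are skipped;
    # anything else that begins with the PE 'MZ' header is reported as a hunt lead.
    $declaredExec = @('.exe', '.dll', '.scr', '.sys', '.com')
    $userDirs = Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue
    foreach ($userDir in $userDirs) {
        foreach ($sub in $Subfolders) {
            $dir = Join-Path $userDir.FullName $sub
            if (-not (Test-Path $dir)) { continue }
            Get-ChildItem -Path $dir -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
                $ext = $_.Extension.ToLowerInvariant()
                if ($ext -in $declaredExec) { return }   # 'return' skips to the next file here
                if ($_.Length -lt 64) { return }         # too small to be a PE image
                # Read only the first two bytes; PE images start with the DOS header 'MZ'.
                $fs = [System.IO.File]::OpenRead($_.FullName)
                try {
                    $buf = New-Object byte[] 2
                    $n = $fs.Read($buf, 0, 2)
                } finally { $fs.Close() }
                if ($n -eq 2 -and $buf[0] -eq 0x4D -and $buf[1] -eq 0x5A) {
                    [pscustomobject]@{
                        Path      = $_.FullName
                        Extension = $ext
                        SizeBytes = $_.Length
                        LastWrite = $_.LastWriteTime
                        SHA256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                    }
                }
            }
        }
    }
}

$health = Test-DefenderHealth
$health | Format-List
if ($health.Findings.Count -eq 0) {
    Write-Host 'Defender status: OK'
} else {
    Write-Warning ('Defender status: {0} finding(s)' -f $health.Findings.Count)
}

$hits = @(Find-MasqueradedExecutables)
if ($hits.Count -eq 0) {
    Write-Host 'No PE files with non-executable extensions found in Pictures or Downloads'
} else {
    $hits | Format-Table -AutoSize
}
```

Run it from an elevated PowerShell session so that every profile under C:\Users is readable; without elevation it silently reports only the current user’s folders. A hit from the second function is a lead to hand to the SOC together with its SHA-256, not a verdict on its own, since legitimate installers and archives can also begin with an “MZ” header.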

“Huntress has isolated the affected organization to prevent further post-exploitation activities,” the researchers noted, highlighting the proactive measures taken to mitigate the impact of these vulnerabilities.

As the situation evolves, the onus is now on Microsoft to respond. The next scheduled Patch Tuesday is several weeks away, leading many to speculate that an out-of-band emergency patch may be necessary to address these critical vulnerabilities sooner.

In conclusion, the emergence of these new exploits underscores the persistent and evolving threats facing users of Microsoft Defender. Organizations are urged to stay vigilant and consider implementing additional security measures to safeguard their systems against these vulnerabilities. As the cybersecurity landscape continues to shift, timely updates and proactive defenses will be crucial in mitigating risks.


Source: Help Net Security News

