Microsoft Defender Zero-Days Exploited in Active Attacks, Warns Microsoft

May 22, 2026

Microsoft has released emergency security patches for two actively exploited zero-day vulnerabilities affecting Microsoft Defender. The flaws, which can allow attackers to gain SYSTEM-level privileges or trigger denial-of-service conditions, are already being used in real-world attacks, prompting urgent warnings from both Microsoft and CISA.

The vulnerabilities are tied to a broader wave of publicly disclosed Windows Defender exploits, including “BlueHammer,” “RedSun,” and “UnDefend,” which researchers say abuse Defender’s internal remediation and rollback mechanisms to escalate privileges on fully patched Windows systems.

What Happened?

On May 21, Microsoft began rolling out fixes for two Microsoft Defender vulnerabilities that were confirmed to be exploited in the wild before patches became available. The flaws impact Windows Defender Antivirus and related Defender components across Windows environments.

Security researchers previously warned that leaked proof-of-concept exploits targeting Defender were already circulating publicly and being weaponized by attackers. Huntress researchers also reported observing exploitation attempts in live environments earlier this year.

The attacks are believed to be linked to exploit chains publicly released by a researcher operating under aliases such as “Chaotic Eclipse” and “Nightmare-Eclipse.”

Vulnerability Details

Vulnerability | CVE ID | Severity | Impact | Status
--- | --- | --- | --- | ---
Microsoft Defender Privilege Escalation | CVE-2026-41091 | High (CVSS 7.8) | Allows attackers to gain SYSTEM privileges | Exploited in the wild
Microsoft Defender Denial-of-Service | CVE-2026-45498 | Medium | Allows attackers to crash or disrupt Defender functionality | Exploited in the wild

How the Exploits Work

Researchers say the attacks abuse legitimate Windows features, including:

  • NTFS junction points

  • Opportunistic locks (oplocks)

  • Volume Shadow Copy Service (VSS)

  • Windows Cloud Files API

By chaining these mechanisms together, attackers can manipulate Defender’s remediation workflows and redirect privileged file operations to sensitive system locations such as C:\Windows\System32. This can ultimately result in SYSTEM-level code execution.

The “BlueHammer” exploit specifically abuses race conditions within Defender’s threat remediation engine, while “RedSun” targets Defender’s cloud file rollback mechanism.

Why This Matters

Microsoft Defender is the default security solution deployed on billions of Windows devices worldwide. Vulnerabilities inside Defender itself are particularly dangerous because successful exploitation can allow attackers to bypass or manipulate the very security product designed to stop them.

Security analysts warn that public proof-of-concept releases significantly reduce the time between vulnerability disclosure and active exploitation, increasing the risk for organizations that delay patching.

CISA has already added the vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog and urged federal agencies to apply patches immediately.

Affected Systems

The vulnerabilities affect multiple Windows platforms running vulnerable Microsoft Defender versions, including:

  • Windows 10

  • Windows 11

  • Windows Server 2016

  • Windows Server 2019

  • Windows Server 2022

  • Windows Server 2025

Recommended Mitigation Steps

Organizations should take the following actions immediately:

  1. Apply Microsoft’s latest security updates.

  2. Verify Microsoft Defender signatures and platform versions are fully updated.

  3. Monitor for abnormal Defender service behavior and unexpected SYSTEM-level processes.

  4. Restrict local privilege escalation opportunities wherever possible.

  5. Monitor for suspicious NTFS junctions, cloud file manipulation, or VSS abuse.

  6. Review endpoint telemetry for indicators tied to BlueHammer, RedSun, and UnDefend activity.
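The script below is an added, defender-side example and is not code from the article, from Microsoft, or from the researchers it names. It covers steps 2, 3 and 5 above and the redirection primitive described under "How the Exploits Work": it reports the Defender platform, engine and signature versions, sweeps user-writable locations for junctions or symbolic links that point into system directories such as C:\Windows\System32, and pulls recent Defender operational events that indicate remediation failures or protection changes. It assumes a Windows host with the Defender PowerShell module, run from an elevated prompt. The patched baseline version ($MinimumPatchedPlatform) is a placeholder to be taken from Microsoft's advisory for the two CVEs, and the scan roots, sensitive roots and the choice of event IDs are my own assumptions.

```powershell
# Added example, not code from the article or from Microsoft.
# Defender-side triage for the Defender zero-days discussed above:
#   1. confirm the Defender platform, engine and signature versions;
#   2. sweep user-writable locations for junctions/symlinks that point into
#      system directories (the redirection primitive the article describes);
#   3. pull recent Defender operational events showing remediation failures
#      or protection/configuration changes.
# Run from an elevated PowerShell prompt on the Windows host being checked.

# PLACEHOLDER: replace with the patched platform version from Microsoft's advisory
# for CVE-2026-41091 / CVE-2026-45498. '0.0.0.0' makes the baseline check a no-op.
$MinimumPatchedPlatform = [version]'0.0.0.0'

function Get-DefenderVersionReport {
    $status = Get-MpComputerStatus
    $report = [pscustomobject]@{
        PlatformVersion    = $status.AMProductVersion
        EngineVersion      = $status.AMEngineVersion
        SignatureVersion   = $status.AntivirusSignatureVersion
        SignatureAgeHours  = [math]::Round(((Get-Date) - $status.AntivirusSignatureLastUpdated).TotalHours, 1)
        AMServiceEnabled   = $status.AMServiceEnabled
        RealTimeProtection = $status.RealTimeProtectionEnabled
        BelowPatchBaseline = ([version]$status.AMProductVersion -lt $MinimumPatchedPlatform)
    }
    if ($report.BelowPatchBaseline) {
        Write-Warning "Defender platform $($report.PlatformVersion) is below the patched baseline $MinimumPatchedPlatform"
    }
    return $report
}

function Find-SuspiciousJunctions {
    # Scan roots: locations a standard user can typically write to (assumption; tune per estate).
    $ScanRoots = @($env:ProgramData, "$env:SystemDrive\Users", $env:TEMP)
    # Targets that a link created from a user-writable path should never point into.
    $SensitiveRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }

    foreach ($root in $ScanRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Recurse -Force -Attributes Directory+ReparsePoint -ErrorAction SilentlyContinue |
            Where-Object { $_.LinkType -in @('Junction', 'SymbolicLink') } |
            ForEach-Object {
                $link = $_
                # .Target is an array on Windows PowerShell 5.1 and a string on PowerShell 7;
                # normalise both and strip any NT object-manager prefix.
                $target = @($link.Target)[0] -replace '^\\\?\?\\', ''
                foreach ($sensitive in $SensitiveRoots) {
                    if ($target -and $target.StartsWith($sensitive, [System.StringComparison]::OrdinalIgnoreCase)) {
                        [pscustomobject]@{ Link = $link.FullName; LinkType = $link.LinkType; Target = $target }
                    }
                }
            }
    }
}

function Get-DefenderRecentEvents {
    param([int]$Days = 7)
    # Defender operational-log event IDs worth reviewing after suspected remediation
    # abuse (assumed selection): 1118/1119 = remediation action failed / critical error,
    # 5001 = real-time protection disabled, 5007 = configuration changed.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1118, 1119, 5001, 5007
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
}

Get-DefenderVersionReport | Format-List
Find-SuspiciousJunctions   | Format-Table -AutoSize
Get-DefenderRecentEvents   | Format-Table -AutoSize
```

The junction sweep is a triage aid, not a verdict: Windows itself creates junctions under user profiles and ProgramData (for example the legacy "Application Data" links), so only links whose target resolves into a system directory are reported, and each hit should be reviewed by hand. Run the version report across the estate via your management tooling and treat any host reporting BelowPatchBaseline, a disabled antimalware service, or stale signatures as a priority for remediation.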

Final Thoughts

The latest Microsoft Defender zero-days highlight a growing trend where attackers increasingly target built-in security tools themselves. With publicly available exploit code already circulating and active exploitation confirmed, organizations should prioritize patch deployment and endpoint monitoring immediately.

As threat actors continue weaponizing privilege escalation chains against trusted security components, rapid detection and proactive defense remain critical to reducing enterprise risk.
