Microsoft Defender Zero-Days Exploited in Active Attacks, Warns Microsoft

May 22, 2026

Microsoft has released emergency security patches for two actively exploited zero-day vulnerabilities affecting Microsoft Defender. The flaws, which can allow attackers to gain SYSTEM-level privileges or trigger denial-of-service conditions, are already being used in real-world attacks, prompting urgent warnings from both Microsoft and CISA.

The vulnerabilities are tied to a broader wave of publicly disclosed Windows Defender exploits, including “BlueHammer,” “RedSun,” and “UnDefend,” which researchers say abuse Defender’s internal remediation and rollback mechanisms to escalate privileges on fully patched Windows systems.

What Happened?

On May 21, Microsoft began rolling out fixes for two Microsoft Defender vulnerabilities that were confirmed to be exploited in the wild before patches became available. The flaws impact Windows Defender Antivirus and related Defender components across Windows environments.

Security researchers previously warned that leaked proof-of-concept exploits targeting Defender were already circulating publicly and being weaponized by attackers. Huntress researchers also reported observing exploitation attempts in live environments earlier this year.

The attacks are believed to be linked to exploit chains publicly released by a researcher operating under aliases such as “Chaotic Eclipse” and “Nightmare-Eclipse.”

Vulnerability Details


Vulnerability

CVE ID

Severity

Impact

Status

Microsoft Defender Privilege Escalation

CVE-2026-41091

High (CVSS 7.8)

Allows attackers to gain SYSTEM privileges

Exploited in the wild

Microsoft Defender Denial-of-Service

CVE-2026-45498

Medium

Allows attackers to crash or disrupt Defender functionality

Exploited in the wild


How the Exploits Work

Researchers say the attacks abuse legitimate Windows features, including:

  • NTFS junction points

  • Opportunistic locks (oplocks)

  • Volume Shadow Copy Service (VSS)

  • Windows Cloud Files API

By chaining these mechanisms together, attackers can manipulate Defender’s remediation workflows and redirect privileged file operations to sensitive system locations such as C:\Windows\System32. This can ultimately result in SYSTEM-level code execution.

The “BlueHammer” exploit specifically abuses race conditions within Defender’s threat remediation engine, while “RedSun” targets Defender’s cloud file rollback mechanism.

Why This Matters

Microsoft Defender is the default security solution deployed on billions of Windows devices worldwide. Vulnerabilities inside Defender itself are particularly dangerous because successful exploitation can allow attackers to bypass or manipulate the very security product designed to stop them.

Security analysts warn that public proof-of-concept releases significantly reduce the time between vulnerability disclosure and active exploitation, increasing the risk for organizations that delay patching.

CISA has already added the vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog and urged federal agencies to apply patches immediately.

Affected Systems

The vulnerabilities affect multiple Windows platforms running vulnerable Microsoft Defender versions, including:

  • Windows 10

  • Windows 11

  • Windows Server 2016

  • Windows Server 2019

  • Windows Server 2022

  • Windows Server 2025

Recommended Mitigation Steps

Organizations should take the following actions immediately:

  1. Apply Microsoft’s latest security updates.

  2. Verify Microsoft Defender signatures and platform versions are fully updated.

  3. Monitor for abnormal Defender service behavior and unexpected SYSTEM-level processes.

  4. Restrict local privilege escalation opportunities wherever possible.

  5. Monitor for suspicious NTFS junctions, cloud file manipulation, or VSS abuse.

  6. Review endpoint telemetry for indicators tied to BlueHammer, RedSun, and UnDefend activity.

Final Thoughts

The latest Microsoft Defender zero-days highlight a growing trend where attackers increasingly target built-in security tools themselves. With publicly available exploit code already circulating and active exploitation confirmed, organizations should prioritize patch deployment and endpoint monitoring immediately.

As threat actors continue weaponizing privilege escalation chains against trusted security components, rapid detection and proactive defense remain critical to reducing enterprise risk.

Latest News

Google and FBI Disrupt NetNut Proxy Botnet, Cutting Off 2 Million Infected Android Devices

Google and FBI Disrupt NetNut Proxy Botnet, Cutting Off 2 Million Infected Android Devices

Google and FBI Disrupt NetNut Proxy Botnet, Cutting Off 2 Million Infected Android Devices

Google and FBI Disrupt NetNut Proxy Botnet, Cutting Off 2 Million Infected Android Devices

Google and FBI Disrupt NetNut Proxy Botnet, Cutting Off 2 Million Infected Android Devices

Jul 6, 2026

Cisco SD-WAN Zero-Day Under Active Attack: How Hackers Achieved Root Access

Cisco SD-WAN Zero-Day Under Active Attack: How Hackers Achieved Root Access

Cisco SD-WAN Zero-Day Under Active Attack: How Hackers Achieved Root Access

Cisco SD-WAN Zero-Day Under Active Attack: How Hackers Achieved Root Access

Cisco SD-WAN Zero-Day Under Active Attack: How Hackers Achieved Root Access

Jun 26, 2026

Klue OAuth Breach Expands as Icarus Hackers Claim Salesforce Data Theft

Klue OAuth Breach Expands as Icarus Hackers Claim Salesforce Data Theft

Klue OAuth Breach Expands as Icarus Hackers Claim Salesforce Data Theft

Klue OAuth Breach Expands as Icarus Hackers Claim Salesforce Data Theft

Klue OAuth Breach Expands as Icarus Hackers Claim Salesforce Data Theft

Jun 23, 2026

Rokarolla Android Banking Trojan Targets 217 Banking and Crypto Apps

Rokarolla Android Banking Trojan Targets 217 Banking and Crypto Apps

Rokarolla Android Banking Trojan Targets 217 Banking and Crypto Apps

Rokarolla Android Banking Trojan Targets 217 Banking and Crypto Apps

Rokarolla Android Banking Trojan Targets 217 Banking and Crypto Apps

Jun 17, 2026

Microsoft June 2026 Patch Tuesday Fixes 200 Vulnerabilities and 3 Zero-Days

Microsoft June 2026 Patch Tuesday Fixes 200 Vulnerabilities and 3 Zero-Days

Microsoft June 2026 Patch Tuesday Fixes 200 Vulnerabilities and 3 Zero-Days

Microsoft June 2026 Patch Tuesday Fixes 200 Vulnerabilities and 3 Zero-Days

Microsoft June 2026 Patch Tuesday Fixes 200 Vulnerabilities and 3 Zero-Days

Jun 10, 2026

ChatGPT Share Links Abused to Deliver Malware Through Fake OpenAI Outage Pages

ChatGPT Share Links Abused to Deliver Malware Through Fake OpenAI Outage Pages

ChatGPT Share Links Abused to Deliver Malware Through Fake OpenAI Outage Pages

ChatGPT Share Links Abused to Deliver Malware Through Fake OpenAI Outage Pages

Jun 3, 2026

Get updates in your inbox directly

You are now subscribed.

Get updates in your inbox directly

You are now subscribed.

Get updates in your

inbox directly

You are now subscribed.

Get updates in your inbox directly

You are now subscribed.

Enable your employees as first line of defense and expand your digital footprints without any fear.

Enable your employees as first line of defense and expand your digital footprints without any fear.

Enable your employees as first line of defense and expand your digital footprints without any fear.

Enable your employees as first line of defense and expand your digital footprints without any fear.