Unpatched Windows zero-days RedSun, UnDefend, and BlueHammer are being attacked

The zero-day vulnerabilities in Windows Defender named BlueHammer, RedSun, and UnDefend are apparently being attacked.

(Image: janews/Shutterstock.com)

IT security researchers are reporting in-the-wild attacks on the security vulnerabilities BlueHammer, RedSun, and UnDefend, of which only some have been patched. All three affect Windows Defender and allow, for example, the escalation of privileges to administrator or even SYSTEM level.

Despite the current patch status at the time of reporting, the RedSun exploit, for example, still works.

(Image: heise medien / Christopher Kunz)

First attacks on the BlueHammer vulnerability apparently occurred as early as Friday, April 10, according to a brief analysis by HuntressLabs on X. The vulnerability became known shortly before the preceding weekend and affects the Windows Defender update process. Microsoft did at least fix this vulnerability, tracked as CVE-2026-33825, on last week's patch day, and Defender has also received detections for the known exploits.

It's a different story with RedSun and UnDefend. The analysts at HuntressLabs report on X that all three vulnerabilities are being attacked. However, hotfixes for RedSun and UnDefend are not yet available, and both could still be exploited at the time of reporting.

All three zero-days were published on GitHub by the user with the handle “Nightmare-Eclipse”. RedSun is an attack that writes a file via the “Cloud Files API”, then wins a race condition against Windows shadow copies, and can thereby place executable files in the Windows system directory. This allows SYSTEM privileges to be obtained.

The “UnDefend” zero-day vulnerability has received somewhat less attention. It allows attackers with ordinary user privileges on the system to disable Windows Defender. In passive mode, the exploit prevents Defender from detecting and installing new updates, so Defender no longer protects against new threats. In aggressive mode, UnDefend attempts to disable Windows Defender completely. However, this only works if Microsoft distributes a major platform update that replaces the central component MsMpEng.exe and other binaries. In addition, “Nightmare-Eclipse” has found a method by which the EDR (Endpoint Detection and Response) console still reports that Windows Defender is running and up to date; however, he considers this too dangerous, so that code is not (yet) public.
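Because UnDefend's passive mode leaves Defender running but silently stale, a useful defensive check is to compare what the local Defender service reports about its own state and signature age against a threshold, independently of what a central console shows. The following PowerShell script is an added example for this article, not code from heise or from the GitHub publication; the 48-hour staleness threshold and the output format are assumptions, and `Get-MpComputerStatus` is the standard Defender cmdlet.

```powershell
# Added example: flag a Defender instance that is running but no longer updating,
# which is the effect the article describes for UnDefend's passive mode.
# Assumption: signatures older than 48 hours are treated as suspicious.
$MaxSignatureAgeHours = 48

function Test-DefenderHealth {
    $s = Get-MpComputerStatus
    $findings = @()

    # Core service and engine state: aggressive mode aims to stop these outright.
    if (-not $s.AMServiceEnabled)         { $findings += 'AM service disabled' }
    if (-not $s.AntivirusEnabled)         { $findings += 'Antivirus disabled' }
    if (-not $s.RealTimeProtectionEnabled){ $findings += 'Real-time protection disabled' }

    # Update starvation: service up, but definitions no longer arriving.
    $sigAge = (Get-Date) - $s.AntivirusSignatureLastUpdated
    if ($sigAge.TotalHours -gt $MaxSignatureAgeHours) {
        $findings += ('Signatures stale: last update {0} ({1:N0} h ago)' -f `
            $s.AntivirusSignatureLastUpdated, $sigAge.TotalHours)
    }

    # Confirm the central engine binary the article names is actually loaded.
    if (-not (Get-Process -Name MsMpEng -ErrorAction SilentlyContinue)) {
        $findings += 'MsMpEng.exe not running'
    }

    [pscustomobject]@{
        Host            = $env:COMPUTERNAME
        EngineVersion   = $s.AMEngineVersion
        PlatformVersion = $s.AMProductVersion
        SignatureUpdated= $s.AntivirusSignatureLastUpdated
        Healthy         = ($findings.Count -eq 0)
        Findings        = ($findings -join '; ')
    }
}

Test-DefenderHealth | Format-List
```

Run it locally (or via a remote session) rather than trusting console status alone; a host reporting `Healthy = False` with stale signatures while the EDR console shows it as up to date is exactly the discrepancy worth investigating.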


It is unclear how widespread the observed attacks are. For now, one can only hope that Microsoft will also fix the vulnerabilities soon.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.