Three Microsoft Defender Zero-Days Actively Exploited — BlueHammer, RedSun & UnDefend
Three zero-day vulnerabilities in Microsoft Defender are being exploited in coordinated attacks on enterprise networks. Security researchers have named them BlueHammer, RedSun, and UnDefend. Together they let an attacker disable Defender's protections (RedSun), slip known malware past its signature engine (UnDefend), and execute code as SYSTEM (BlueHammer).
The Three Vulnerabilities
BlueHammer — CVE-2026-29841 (CVSS 9.3)
A memory corruption bug in Defender's real-time protection engine. A specially crafted file triggers a heap overflow when Defender scans it, giving the attacker code execution inside the Defender service, which runs as SYSTEM.
RedSun — CVE-2026-29842 (CVSS 8.8)
A logic flaw in Defender's cloud-delivered protection feature. An authenticated local user can create a condition that makes Defender disable real-time protection, and the change survives reboots.
UnDefend — CVE-2026-29843 (CVSS 7.5)
A detection bypass: manipulated PE header fields that Defender's signature engine ignores let known malware be repackaged and run undetected on fully patched systems with current definitions.
Attack Chain Observed in the Wild
Threat actors are chaining all three in a single sequence:
- RedSun: disable real-time protection, with the change persisting across reboots
- UnDefend: run a repackaged payload that the signature engine no longer matches
- BlueHammer: escalate to SYSTEM through the scan-engine heap overflow and establish persistence
Note the dependency in the last step: BlueHammer fires when the crafted file is scanned, so once real-time protection is off the trigger has to be a scheduled or on-demand scan. A "protection disabled" event followed by a scan on the same host is therefore a sequence worth correlating.
Immediate Mitigations
# Check Defender status
Get-MpComputerStatus | Select-Object RealTimeProtectionEnabled, AntivirusEnabled
# Force definition update
Update-MpSignature -UpdateSource MicrosoftUpdateServer
# Tamper Protection cannot be switched on with Set-MpPreference (there is no
# -DisableTamperProtection parameter); enable it in the Windows Security app or
# push it with Intune/Configuration Manager, then verify it took effect:
Get-MpComputerStatus | Select-Object IsTamperProtected
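The checks above are easier to run fleet-wide as one function. The script below is an added example, not code from the article or from Microsoft: it reports the Defender settings that matter here, flags stale signatures, and looks for the out-of-band KB the article names. The KB number is taken from the article; the one-day signature-age threshold and the assumption that the KB shows up in Get-HotFix (which only lists updates recorded by Windows Update, not Defender platform updates delivered through the definition channel) are this example's own.

```powershell
# Added example (not from the original article): one-shot Defender posture check
# and remediation for the mitigations listed above.
function Test-DefenderPosture {
    param(
        [string]$PatchKB = 'KB5038285',   # out-of-band patch named in the article
        [int]$MaxSignatureAgeDays = 1     # assumption: anything older is stale
    )
    $status   = Get-MpComputerStatus
    $pref     = Get-MpPreference
    $findings = New-Object System.Collections.Generic.List[string]

    if (-not $status.AntivirusEnabled)          { $findings.Add('Antivirus engine is disabled') }
    if (-not $status.RealTimeProtectionEnabled) { $findings.Add('Real-time protection is OFF (RedSun indicator if nobody changed it)') }
    if (-not $status.BehaviorMonitorEnabled)    { $findings.Add('Behavior monitoring is OFF') }
    if (-not $status.IsTamperProtected)         { $findings.Add('Tamper Protection is OFF; enable via Windows Security app or Intune') }
    if ($pref.MAPSReporting -eq 0)              { $findings.Add('Cloud-delivered protection (MAPS) is OFF') }
    if ($status.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
        $findings.Add("Signatures are $($status.AntivirusSignatureAge) days old (last update $($status.AntivirusSignatureLastUpdated))")
    }
    # Get-HotFix reads Win32_QuickFixEngineering; a missing entry means the KB
    # was not recorded there, which on most builds means it is not installed.
    if (-not (Get-HotFix -Id $PatchKB -ErrorAction SilentlyContinue)) {
        $findings.Add("$PatchKB not found in installed updates")
    }

    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        EngineVersion    = $status.AMEngineVersion
        PlatformVersion  = $status.AMProductVersion
        SignatureVersion = $status.AntivirusSignatureVersion
        Findings         = $findings
        Healthy          = ($findings.Count -eq 0)
    }
}

# Fix what PowerShell can fix. Tamper Protection itself must be enabled through
# the Windows Security app, Intune or Configuration Manager; turning settings ON
# is still permitted when Tamper Protection is active, only turning them off is blocked.
function Repair-DefenderPosture {
    Set-MpPreference -DisableRealtimeMonitoring $false
    Set-MpPreference -DisableBehaviorMonitoring $false
    Set-MpPreference -MAPSReporting Advanced            # cloud-delivered protection
    Set-MpPreference -SubmitSamplesConsent SendSafeSamples
    Update-MpSignature -UpdateSource MicrosoftUpdateServer
}

$result = Test-DefenderPosture
$result.Findings | ForEach-Object { Write-Warning $_ }
if (-not $result.Healthy) { Repair-DefenderPosture }
$result
```

Run it elevated; Set-MpPreference and Update-MpSignature need administrator rights. Pipe the output objects to Export-Csv or your SIEM collector to get a fleet view of which hosts are still missing the patch.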
Emergency Workarounds
- Enable Defender Tamper Protection through Intune, Configuration Manager or the Windows Security app (it is not a Group Policy setting) so that RedSun cannot switch real-time protection off
- Restrict execution to known-good paths or signers with AppLocker or WDAC (Windows Defender Application Control), so a repackaged UnDefend payload dropped into a user-writable directory cannot launch regardless of whether signatures match it
- Deploy Defender for Endpoint Plan 2 for behavioral and EDR detection that does not depend on the signature engine UnDefend evades
- Enable Credential Guard so that a BlueHammer compromise at SYSTEM cannot simply dump LSASS secrets for lateral movement
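For the AppLocker workaround, the following is an added example (not from the article or from Microsoft) of a minimal executable policy: binaries run only from Program Files and Windows, administrators are exempt, and the user-writable subfolders of %WINDIR% that would otherwise punch a hole in the allow-list are explicitly denied. The rule GUIDs are arbitrary and the test path is a placeholder; the policy starts in AuditOnly so you can review would-have-blocked events before enforcing.

```powershell
# Added example (not from the original article): path-based AppLocker EXE policy.
# Deny rules take precedence over Allow rules in AppLocker, which is how the
# writable %WINDIR% subfolders (Temp, Tasks) are carved out of the Windows allow.
$policyXml = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="921cc481-6e17-4653-8f75-050b80acca20" Name="Allow Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="a61c8b2c-a319-4cd0-9690-d2177cad7b51" Name="Allow Windows" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="fd686d83-a829-4351-8ff4-27c7de5755d2" Name="Allow Administrators" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="3b5d19f0-2c1e-4f8a-9d2b-6c0a4e7f1a21" Name="Deny Windows Temp" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%WINDIR%\Temp\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="7e4c2a9b-5f13-4d6e-8a0c-1b2d3e4f5a67" Name="Deny Windows Tasks" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%WINDIR%\Tasks\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
'@

$policyPath = Join-Path $env:TEMP 'applocker-exe.xml'
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Dry run against a real file (placeholder path): a binary under C:\Users matches
# no Allow rule, so PolicyDecision should be Denied for Everyone.
$sample = "$env:USERPROFILE\Downloads\sample.exe"
if (Test-Path $sample) {
    Test-AppLockerPolicy -XmlPolicy $policyPath -Path $sample -User Everyone
}

# Apply locally (use -Ldap for a domain GPO). AppLocker is only evaluated while
# the Application Identity service runs; on current client builds it is a
# protected service, so configure it with sc.exe rather than Set-Service.
Set-AppLockerPolicy -XmlPolicy $policyPath
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc
```

While in AuditOnly mode, review the "Microsoft-Windows-AppLocker/EXE and DLL" log: event 8003 records executables that ran but would have been blocked. Once that list contains nothing legitimate, change EnforcementMode to Enabled and re-apply.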
The SudoFlare Takeaway
When your antivirus becomes the attack vector, defense-in-depth matters more than ever. Relying on Defender alone is insufficient: layer it with network-level detection (NDR), SIEM alerting on Defender state changes, and regular integrity monitoring. Microsoft has released an emergency out-of-band patch; apply KB5038285 immediately.
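The "SIEM alerting on Defender state changes" advice above is concrete enough to script. What follows is an added example, not code from the article: it pulls the Defender operational-log events that signal protection being turned off or reconfigured and flags hosts where real-time protection went off and never came back within the window. The event IDs and their meanings are Microsoft's documented Defender operational events; the lookback window, host list and alert rule are this example's assumptions.

```powershell
# Added example (not from the original article): Defender state-change collection
# and a simple "disabled and not re-enabled" alert. The XML query is the same
# filter you would put in a Windows Event Forwarding subscription.
$DefenderEventMeaning = @{
    5000 = 'Real-time protection enabled'
    5001 = 'Real-time protection disabled'
    5004 = 'Real-time protection configuration changed'
    5007 = 'Platform configuration changed (preferences/registry)'
    5008 = 'Antimalware engine failed (look for scan-engine crashes)'
    5010 = 'Scanning for malware and PUA disabled'
    5012 = 'Scanning for viruses disabled'
}

$DefenderStateQuery = @'
<QueryList>
  <Query Id="0" Path="Microsoft-Windows-Windows Defender/Operational">
    <Select Path="Microsoft-Windows-Windows Defender/Operational">*[System[(EventID=5000 or EventID=5001 or EventID=5004 or EventID=5007 or EventID=5008 or EventID=5010 or EventID=5012)]]</Select>
  </Query>
</QueryList>
'@

function Get-DefenderStateChanges {
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),   # assumption: remote event log access is allowed
        [int]$Hours = 24
    )
    $since = (Get-Date).AddHours(-$Hours)
    foreach ($computer in $ComputerName) {
        Get-WinEvent -ComputerName $computer -FilterXml $DefenderStateQuery -ErrorAction SilentlyContinue |
            Where-Object { $_.TimeCreated -ge $since } |
            ForEach-Object {
                [pscustomobject]@{
                    Time     = $_.TimeCreated
                    Computer = $computer
                    Id       = $_.Id
                    Meaning  = $DefenderEventMeaning[$_.Id]
                    Detail   = ($_.Message -split "`r?`n")[0]   # first line of the message text
                }
            }
    }
}

# Alert rule: per host, the most recent 5000/5001 event is a 5001, i.e. real-time
# protection was disabled and not turned back on. On a host with Tamper
# Protection enabled that is exactly what an unauthorized disable looks like.
function Find-UnrecoveredDisable {
    param([object[]]$Events)
    $Events | Group-Object Computer | ForEach-Object {
        $last = $_.Group | Where-Object { $_.Id -in 5000, 5001 } | Sort-Object Time | Select-Object -Last 1
        if ($last -and $last.Id -eq 5001) { $last }
    }
}

$events = Get-DefenderStateChanges -Hours 24
$events | Format-Table Time, Computer, Id, Meaning -AutoSize
Find-UnrecoveredDisable -Events $events | ForEach-Object {
    Write-Warning "$($_.Computer): real-time protection disabled at $($_.Time) and not re-enabled"
}
```

Querying remote hosts with Get-WinEvent -ComputerName needs the Remote Event Log Management firewall rules open; at scale, forward the same query through Windows Event Forwarding to a collector and point the SIEM at that instead. Pair the 5001 alert with the engine-failure event 5008, since a heap overflow in the scan engine that does not land cleanly will show up there first.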