
No fewer than three new security flaws in Microsoft Defender now have public exploit code, and only one of them has been patched. Making matters worse, two of the three, BlueHammer and RedSun, hand a local, low-privileged user full SYSTEM-level access on a range of Windows client and server releases.
A security researcher known as Chaotic Eclipse, also known as Nightmare-Eclipse on GitHub, has published zero-day exploits for all three of the vulnerabilities in question.
BlueHammer
BlueHammer is the only one of the three to have received an official patch at the time of this writing, and the only one whose proof-of-concept code is gated behind a GitHub login. Anyone with an account can fetch it, however, and the full chain runs as published.
BlueHammer starts from a genuine Microsoft Defender Antivirus definition update, which it downloads and then places an opportunistic lock (oplock) on. The oplock is a timing tool rather than a privilege: it stalls Defender's own highly privileged handling of the file at a known point. While Defender is paused, the exploit swaps in a symbolic link so that the read Defender resumes is redirected to a file the unprivileged user could not otherwise open, leaking information about local accounts. Once a local administrator account is identified, BlueHammer overwrites that account's password and logs in as it.
From the administrator session it creates and starts a new Windows service, which runs as SYSTEM and completes the escalation. The researcher's proof of concept carries out the whole sequence end to end.
RedSun
RedSun shares BlueHammer's pattern of stalling Defender with an oplock and redirecting the operation it resumes, but it abuses a different Defender code path, so the BlueHammer patch does not affect it at all.
RedSun plants an EICAR test file through the Windows Cloud Files API so that Defender quarantines it and then restores it. An oplock halts Defender's file-restore step while the destination is redirected into the System32 directory, so the privileged write lands on a critical system file instead of the file's original location. That file is overwritten with the attacker's replacement, which is executed immediately, granting SYSTEM-level access.
The researcher reports this exploit tested and working on the latest versions of Windows 10 and Windows 11, as well as on Windows Server 2019, 2022 and 2025.
UnDefend
Another exploit from Nightmare-Eclipse, known as UnDefend, is markedly different from the first two. Instead of relying on local privilege escalation (LPE) flaws, UnDefend is designed to launch denial-of-service (DoS) attacks to prevent Microsoft Defender from receiving official definition updates.
UnDefend can be used passively or aggressively. In passive mode, Defender keeps running but never receives new definitions, so it cannot detect any threat added in official updates after the attack began. Aggressive mode goes further and attempts to disable Microsoft Defender entirely, but it only takes effect when Microsoft ships a major platform update, so the timing is outside the attacker's control.
Moving in the right direction
Microsoft patched BlueHammer quickly, but RedSun and UnDefend remain unpatched for now. Fixes for the other two will almost certainly follow, and until they ship IT teams should treat Defender itself as something to watch: confirm that definition versions keep advancing and that real-time protection stays on (UnDefend starves the update channel), and alert on local administrator password resets followed by new service installations (the BlueHammer chain) and on freshly modified or unsigned binaries under System32 (the RedSun overwrite).
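As an added example (not code from the article or from the researcher's repositories), the following PowerShell triage script checks a host for the traces each of the three exploits would leave as described above: stale Defender definitions (UnDefend), local account password resets and new service installations (BlueHammer), and recently modified System32 binaries with an invalid Authenticode signature (RedSun). The thresholds, the 72-hour lookback and the assumption that account-management auditing is enabled are mine; run it from an elevated PowerShell session on the machine under review.

```powershell
# Added triage script; not part of the original article or the published PoCs.
# Thresholds below are assumptions, tune them for your environment.
param(
    [int]$MaxSignatureAgeDays = 3,   # definitions older than this are suspicious
    [int]$LookbackHours = 72         # window for event log and file-change checks
)

$since = (Get-Date).AddHours(-$LookbackHours)

function Test-DefenderSignatureAge {
    # UnDefend starves the update channel: the signature version stops moving and
    # AntivirusSignatureLastUpdated ages while the service still reports healthy.
    $status = Get-MpComputerStatus
    $age = (Get-Date) - $status.AntivirusSignatureLastUpdated
    [pscustomobject]@{
        Check      = 'Defender definitions'
        Version    = $status.AntivirusSignatureVersion
        Engine     = $status.AMEngineVersion
        Platform   = $status.AMProductVersion
        AgeDays    = [math]::Round($age.TotalDays, 1)
        RealTime   = $status.RealTimeProtectionEnabled
        Suspicious = ($age.TotalDays -gt $MaxSignatureAgeDays) -or (-not $status.RealTimeProtectionEnabled)
    }
}

function Get-AccountManagementEvents {
    # 4720 = user account created, 4724 = password reset attempted,
    # 4732 = member added to a security-enabled local group (e.g. Administrators).
    # Assumes "Audit User Account Management" and "Audit Security Group Management" are on.
    try {
        Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720, 4724, 4732; StartTime = $since } -ErrorAction Stop |
            Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
    } catch {
        @()   # Get-WinEvent throws when nothing matches; treat that as no findings
    }
}

function Get-NewServiceInstalls {
    # System log 7045 (Service Control Manager): a new service was installed.
    # A fresh service right after a local admin password reset matches the BlueHammer chain.
    try {
        Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7045; StartTime = $since } -ErrorAction Stop |
            ForEach-Object {
                $xml = [xml]$_.ToXml()
                $data = @{}
                foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
                [pscustomobject]@{
                    Time      = $_.TimeCreated
                    Service   = $data['ServiceName']
                    ImagePath = $data['ImagePath']
                    Account   = $data['AccountName']
                }
            }
    } catch {
        @()
    }
}

function Get-RecentlyChangedSystem32Binaries {
    # A system binary overwritten by a restore redirected into System32 gets a fresh
    # LastWriteTime and, unless the attacker re-signed it, a non-Valid signature status.
    # Windows Update also touches System32, but its files verify as Valid (catalog-signed).
    Get-ChildItem "$env:SystemRoot\System32\*" -Include *.exe, *.dll -File -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt $since } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path      = $_.FullName
                Modified  = $_.LastWriteTime
                Signature = $sig.Status
                Signer    = $sig.SignerCertificate.Subject
            }
        } |
        Where-Object { $_.Signature -ne 'Valid' }
}

Test-DefenderSignatureAge            | Format-List
Get-AccountManagementEvents          | Format-Table -AutoSize
Get-NewServiceInstalls               | Format-Table -AutoSize
Get-RecentlyChangedSystem32Binaries  | Format-Table -AutoSize
```

Each function returns objects rather than text, so the script can be dropped into a scheduled task and its output forwarded to a SIEM; the `Suspicious` flag on the definitions check is the single field worth alerting on for UnDefend, while the other three checks are meant to be correlated by time (a 4724 reset, then a 4732 group change, then a 7045 service install from the same account is the BlueHammer sequence the article describes).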
