Windows Defender Exploits 2026: What IT Teams Need to Know About BlueHammer, RedSun, and UnDefend
Three publicly available exploits are actively being used to weaponize Windows Defender against the organizations it is supposed to protect. Two of them — RedSun and UnDefend — have no patch from Microsoft yet. Every IT director running Windows 10, Windows 11, or Windows Server 2019 or later needs to understand how these attacks work and what controls stop them.
By Adam Adil Harchaoui | Published by NVITS | Updated April 2026
In April 2026, security researchers confirmed that attackers are combining three proof-of-concept exploits — BlueHammer, RedSun, and UnDefend — to escalate privileges to SYSTEM level and silently degrade endpoint protection on fully patched Windows machines. The exploits do not require a kernel exploit or memory corruption technique. They abuse legitimate, privileged workflows inside Windows Defender itself.
For IT teams managing Windows endpoints in Reno-area organizations, this is not a theoretical threat. Huntress Labs has documented hands-on intrusion activity where attackers manually ran privilege enumeration commands before deploying these tools. The initial foothold in every confirmed case came from a compromised VPN account without multifactor authentication.
This post breaks down each exploit, explains what the attack chain looks like in practice, and gives you the specific controls that stop it.
How Attackers Are Turning Windows Defender Into a Delivery Mechanism
Windows Defender sits inside the trust boundary it is trying to enforce. When it detects a suspicious file, it initiates a privileged remediation workflow, and that workflow is exactly what these exploits target.
Security researchers at Vectra.ai described the core problem clearly: Defender performs privileged file operations without validating its own I/O paths at the moment of execution. Each of the three exploits abuses a different version of that same gap.
The result is that an attacker who already has a foothold, even a low-privilege one, can convert it to SYSTEM access reliably, then quietly degrade the endpoint's ability to detect anything new.
BlueHammer: The Patched Race Condition (CVE-2026-33825)
BlueHammer exploits a time-of-check to time-of-use (TOCTOU) vulnerability in Defender’s signature update workflow, tracked as CVE-2026-33825. Microsoft patched this flaw in its April 2026 security update.
The mechanics: Defender detects a suspicious file and decides to rewrite it. An attacker wins a race condition that redirects that rewrite to a location of their choosing, gaining SYSTEM-level access without a kernel exploit. The exploit abuses a VSS snapshot mount during the signature update process.
What to do: Apply the April 2026 Windows updates and verify that Antimalware Platform version 4.18.26050.3011 or later is present on every endpoint. This closes BlueHammer. Note that the Defender platform ships as its own update, separate from the monthly cumulative update, so a machine can be current on the cumulative update and still run an older platform; check the platform version itself, not just the patch level.
One important caveat: patching BlueHammer does not protect against RedSun or UnDefend. Those are independent flaws with no CVEs assigned yet.
RedSun: The Unpatched Exploit That Works on Fully Patched Windows
RedSun targets TieringEngineService.exe (the Storage Tiers Management service binary in System32, which runs as SYSTEM). As of April 2026, there is no patch.
The attack uses an EICAR test string, the same string security teams routinely use to verify antivirus detection. When Defender detects the EICAR string, it initiates a remediation cycle. RedSun wins the race to redirect the resulting file rewrite, and the Cloud Files infrastructure then executes the attacker-planted binary as SYSTEM.
RedSun works against fully patched Windows 10, Windows 11, and Windows Server 2019 and later, including systems that received the April 2026 Patch Tuesday updates.
Justin Howe, senior solutions architect at Vectra, describes RedSun as exploiting an unvalidated write during cloud-file remediation: a separate, independent flaw from BlueHammer with no CVE assigned yet.
What to do: Block execution from user-writable directories (Downloads, Pictures, and Temp) with application control policies. Baseline the hash of TieringEngineService.exe so that any unauthorized modification triggers an alert immediately.
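One way to put the first of those controls in place, as an added example rather than code from the original post or from any of the researchers it cites: an AppLocker policy with explicit deny rules for the user-writable staging directories named above, merged with the standard allow rules so that the policy does not block everything else (once a rule collection contains any rule, AppLocker blocks whatever no allow rule covers). The probe file name and the policy file path are assumptions.

```powershell
# Added example, not code from the original post: AppLocker path rules that deny
# execution from the user-writable staging directories the post names (Downloads,
# Pictures, Temp), merged with the standard allow rules. Run elevated.

#Requires -RunAsAdministrator

$deniedPaths = @(
    '%OSDRIVE%\Users\*\Downloads\*',
    '%OSDRIVE%\Users\*\Pictures\*',
    '%OSDRIVE%\Users\*\AppData\Local\Temp\*',
    '%WINDIR%\Temp\*'
)

# One Deny FilePathRule per path. S-1-1-0 is Everyone; an explicit deny always
# beats an allow, so these rules also bind local administrators.
$denyRules = foreach ($p in $deniedPaths) {
@"
    <FilePathRule Id="$([guid]::NewGuid())" Name="Deny execution from $p" Description="User-writable staging path" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="$p" /></Conditions>
    </FilePathRule>
"@
}

# Start in AuditOnly: executions that would have been blocked surface as event 8003
# in Microsoft-Windows-AppLocker/EXE and DLL. Change to "Enabled" once that log is clean.
# S-1-5-32-544 is BUILTIN\Administrators.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
$($denyRules -join "`n")
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Windows" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow administrators everything" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@

$policyPath = Join-Path $env:TEMP 'applocker-deny-userwritable.xml'   # assumed location
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Dry-run against a copy of cmd.exe dropped into Downloads (a constructed probe,
# removed afterwards). Expected decision: Denied, even for the elevated user,
# because the deny rule outranks the administrators' allow-all rule.
$probe = Join-Path $env:USERPROFILE 'Downloads\applocker-probe.exe'
Copy-Item -Path (Join-Path $env:SystemRoot 'System32\cmd.exe') -Destination $probe
try {
    Test-AppLockerPolicy -XmlPolicy $policyPath -Path $probe |
        Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
} finally {
    Remove-Item -Path $probe -ErrorAction SilentlyContinue
}

# Apply to the local policy (for a domain, write it to a GPO with -Ldap instead)
# and make sure the Application Identity service that enforces AppLocker is running.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
Start-Service -Name AppIDSvc
$effective = Get-AppLockerPolicy -Effective -Xml
"Deny rules now in the effective policy: " + ([regex]::Matches($effective, 'Action="Deny"')).Count
```

Two caveats a practitioner should check before enforcing. Folder redirection or OneDrive Known Folder Move relocates Pictures and Downloads, so redirected profiles need matching deny rules for the new paths. And the default "Allow Windows" rule still permits other user-writable locations under %WINDIR% (for example C:\Windows\Tasks); each one you care about needs its own deny rule, or a move to publisher rules instead of path rules.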
UnDefend: The Stealthy Defense Degradation Tool
UnDefend is deployed after an attacker gains SYSTEM access via BlueHammer or RedSun. It does not escalate privileges. Its purpose is persistence and evasion.
An attacker spawns UnDefend as a child of cmd.exe under Explorer and runs it with the -aggressive flag. The tool then starves Defender of current threat intelligence, progressively degrading its ability to detect new threats, while reporting the endpoint as healthy to the management console.
That last point matters. UnDefend can falsify the Defender dashboard. An IT team watching the console sees green while the endpoint’s protection is quietly degrading.
Vectra describes UnDefend as exploiting weaknesses in Defender’s update and health reporting mechanisms. Like RedSun, it has no CVE and no patch.
What to do: Do not rely solely on the Defender dashboard to confirm protection status. Verify the Antimalware Platform version directly on each endpoint rather than reading the reported status. Howe’s recommendation: “Add a detection layer that does not share a trust boundary with the endpoint agent being targeted.”
This is exactly what a managed SOC provides: independent telemetry that cannot be falsified by a tool running on the same endpoint.
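Checking the platform version and signature state directly on the endpoint, as both the BlueHammer and the UnDefend sections recommend, as an added example that is not code from the original post or from Vectra or Huntress. It compares what the Defender agent reports (Get-MpComputerStatus) against two things the agent does not author: the newest platform folder installed on disk and the Defender operational event log. The minimum platform version is the one the post states; the signature-age threshold and the seven-day lookback are assumptions.

```powershell
# Added example, not code from the original post: verify Defender state from
# on-endpoint evidence and compare it with the agent's own report. Run elevated.

#Requires -RunAsAdministrator
$MinimumPlatform     = [version]'4.18.26050.3011'   # fixed version stated in the post
$MaxSignatureAgeDays = 2                             # assumed threshold
$DefenderLog         = 'Microsoft-Windows-Windows Defender/Operational'
$Since               = (Get-Date).AddDays(-7)

$status = Get-MpComputerStatus

# 1. Platform version: what the agent reports vs. the newest platform folder on
#    disk (folder names look like 4.18.24090.11-0).
$reported     = [version]$status.AMProductVersion
$platformRoot = Join-Path $env:ProgramData 'Microsoft\Windows Defender\Platform'
$onDisk = Get-ChildItem -Path $platformRoot -Directory -ErrorAction SilentlyContinue |
    ForEach-Object { try { [version](($_.Name -split '-')[0]) } catch { } } |
    Sort-Object | Select-Object -Last 1

# 2. Signature currency: the agent's age counter, the last successful update
#    event (2000) and any update failures (2001) in the Defender operational log.
$lastUpdate = Get-WinEvent -FilterHashtable @{ LogName = $DefenderLog; Id = 2000 } -MaxEvents 1 -ErrorAction SilentlyContinue
$failures   = @(Get-WinEvent -FilterHashtable @{ LogName = $DefenderLog; Id = 2001; StartTime = $Since } -ErrorAction SilentlyContinue)

# 3. Protection changes: 5001 real-time protection disabled, 5004 real-time
#    configuration changed, 5007 configuration changed, 5010/5012 scanning disabled.
$tamper = @(Get-WinEvent -FilterHashtable @{ LogName = $DefenderLog; Id = 5001, 5004, 5007, 5010, 5012; StartTime = $Since } -ErrorAction SilentlyContinue)

# 4. EICAR detections (1116) are benign only inside a planned AV test window.
$eicar = @(Get-WinEvent -FilterHashtable @{ LogName = $DefenderLog; Id = 1116; StartTime = $Since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'EICAR' })

$findings = [System.Collections.Generic.List[string]]::new()
if ($reported -lt $MinimumPlatform)   { $findings.Add("agent reports platform $reported, below $MinimumPlatform") }
if (-not $onDisk)                     { $findings.Add("no platform folder under $platformRoot") }
elseif ($onDisk -lt $MinimumPlatform) { $findings.Add("newest platform on disk is $onDisk, below $MinimumPlatform") }
elseif ($onDisk -ne $reported)        { $findings.Add("agent reports $reported but newest platform on disk is $onDisk") }
if (-not $status.RealTimeProtectionEnabled)                  { $findings.Add('real-time protection is off') }
if ($status.AntivirusSignatureAge -gt $MaxSignatureAgeDays) { $findings.Add("signatures are $($status.AntivirusSignatureAge) days old") }
if (-not $lastUpdate -or $lastUpdate.TimeCreated -lt (Get-Date).AddDays(-$MaxSignatureAgeDays)) {
    $findings.Add("no successful signature update event (2000) in the last $MaxSignatureAgeDays days")
}
if ($failures.Count) { $findings.Add("$($failures.Count) signature update failures (2001) in 7 days") }
if ($tamper.Count)   { $findings.Add("$($tamper.Count) protection/configuration change events in 7 days") }
if ($eicar.Count)    { $findings.Add("$($eicar.Count) EICAR detections (1116) in 7 days; confirm they were planned tests") }

# One record per endpoint; forward it to a collector that does not trust the agent.
[pscustomobject]@{
    Host             = $env:COMPUTERNAME
    ReportedPlatform = $reported
    OnDiskPlatform   = $onDisk
    SignatureVersion = $status.AntivirusSignatureVersion
    SignatureAgeDays = $status.AntivirusSignatureAge
    Healthy          = ($findings.Count -eq 0)
    Findings         = ($findings -join '; ')
} | Format-List
```

The script still runs on the endpoint being examined, so it is not itself the independent layer the post calls for; its value is that the platform folder, the event log and the agent's status are three separate sources that a tool falsifying the console has to keep consistent. Disagreement between them is the signal. Run it from your management tooling on a schedule and ship the record off the host.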
The Attack Chain in Practice
Huntress Labs observed attackers using all three exploits together in deliberate, hands-on intrusions. The pattern:
- Initial access via a compromised VPN account without MFA
- Manual privilege enumeration commands to understand the environment
- BlueHammer or RedSun deployed to achieve SYSTEM access
- Binaries staged in low-noise directories: Pictures folders, two-letter subfolders inside Downloads
- Filenames renamed to reduce VirusTotal detection rates
- UnDefend deployed to degrade Defender while maintaining a clean dashboard appearance
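Turning the pattern above into detection logic, as an added example that is not code from the original post or from Huntress. It scores process-creation records against three signals the chain exhibits (execution from a Pictures folder or a two-letter subfolder under Downloads, a cmd.exe parent under Explorer, and the -aggressive flag) and emits a finding when two or more coincide. The sample records are constructed; the hosts, users and paths in them are made up, and the helper that reads live 4688 events assumes process-creation auditing with command-line logging is enabled.

```powershell
# Added example, not code from the original post: detection logic for the
# hands-on pattern described above, run over constructed sample records whose
# field names mirror Security event 4688 / Sysmon event 1.

# Low-noise staging locations the post describes: a Pictures folder, or a
# two-letter subfolder directly under Downloads.
$StagingPath = '(?i)\\Users\\[^\\]+\\(Pictures|Downloads\\[a-z]{2})\\[^\\]+$'

function Test-DefenderAbuseChain {
    # Emits a finding when two or more of the chain's signals coincide in one event.
    param([Parameter(ValueFromPipeline)] [pscustomobject] $Event)
    process {
        $reasons = @()
        if ($Event.Image -match $StagingPath) {
            $reasons += 'executes from a low-noise user directory'
        }
        if ($Event.ParentImage -match '(?i)\\cmd\.exe$' -and
            $Event.GrandParentImage -match '(?i)\\explorer\.exe$') {
            $reasons += 'interactive cmd.exe under Explorer (hands-on keyboard)'
        }
        if ($Event.CommandLine -match '(?i)(^|\s)-aggressive(\s|$)') {
            $reasons += 'UnDefend-style -aggressive flag'
        }
        if ($reasons.Count -ge 2) {
            [pscustomobject]@{
                Host    = $Event.Host
                User    = $Event.User
                Image   = $Event.Image
                Reasons = ($reasons -join '; ')
            }
        }
    }
}

# Live data: Security 4688 carries the parent image but not the grandparent. Join
# that from the parent's own 4688 in your SIEM, or accept that only two of the
# three signals can fire from a single event.
function Get-ProcessCreationEvents {
    param([int] $Hours = 24)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-$Hours) } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Host             = $_.MachineName
                User             = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
                Image            = $data.NewProcessName
                CommandLine      = $data.CommandLine
                ParentImage      = $data.ParentProcessName
                GrandParentImage = $null
            }
        }
}

# Constructed sample: the first two records match the pattern, the last two are benign.
$sample = @(
    [pscustomobject]@{ Host='WS-17'; User='CORP\jdoe';   Image='C:\Users\jdoe\Pictures\svchost.exe';    CommandLine='svchost.exe -aggressive'; ParentImage='C:\Windows\System32\cmd.exe'; GrandParentImage='C:\Windows\explorer.exe' }
    [pscustomobject]@{ Host='WS-17'; User='CORP\jdoe';   Image='C:\Users\jdoe\Downloads\xk\update.exe'; CommandLine='update.exe';              ParentImage='C:\Windows\System32\cmd.exe'; GrandParentImage='C:\Windows\explorer.exe' }
    [pscustomobject]@{ Host='WS-03'; User='CORP\asmith'; Image='C:\Program Files\Vendor\app.exe';       CommandLine='app.exe';                 ParentImage='C:\Windows\explorer.exe';     GrandParentImage='C:\Windows\System32\userinit.exe' }
    [pscustomobject]@{ Host='WS-09'; User='CORP\bob';    Image='C:\Users\bob\Downloads\setup-v2.exe';   CommandLine='setup-v2.exe /S';         ParentImage='C:\Windows\explorer.exe';     GrandParentImage='C:\Windows\System32\userinit.exe' }
)

$sample | Test-DefenderAbuseChain | Format-Table -AutoSize
# Against real events: Get-ProcessCreationEvents -Hours 24 | Test-DefenderAbuseChain
```

Requiring two signals is a deliberate trade: a lone installer run from Downloads (the fourth sample record) is everyday noise, while a binary in a two-letter Downloads subfolder launched from an interactive cmd.exe (the second record) has no ordinary explanation even without the -aggressive flag. The regexes are anchored to the exact layout the post describes; widen them only once you have a baseline of what your own fleet launches from user profiles.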
Hüseyin Can Yüceel, security research lead at Picus Security, described the tradecraft as low complexity but effective: “Moderately skilled adversaries are leveraging public exploit code in post-compromise scenarios to escalate privileges or weaken endpoint defenses.”
The hard part for attackers is initial access, not exploitation. As Howe put it: “Every in-the-wild case Huntress has reported started with a compromised SSL VPN account without multifactor authentication. Once an attacker has any foothold, converting it to SYSTEM with RedSun is trivial.”
What the Broader Attack Surface Reveals
These three exploits point to a systemic issue in how Windows Defender handles privileged file operations. Justin Howe summarized it: “The bigger picture is that Defender is inside the trust boundary it is trying to enforce. When attackers manipulate its own privileged workflows, it becomes a delivery mechanism.”
BlueHammer abuses a race condition in file remediation. RedSun exploits unvalidated writes during cloud-file rollback. UnDefend tampers with the signature update pipeline while lying about the endpoint’s health. Together, they reveal that endpoint detection tools cannot serve as their own audit layer.
According to the Verizon 2025 Data Breach Investigations Report, 44% of breaches involve ransomware. Exploits like these, used in post-compromise scenarios to escalate privileges and degrade defenses, are exactly the kind of activity that precedes ransomware deployment. CISA has consistently advised that defense-in-depth, not reliance on a single endpoint tool, is the standard for organizations serious about resilience.
In our experience with Reno-area organizations, the pattern we see most often is over-reliance on a single endpoint security tool as the primary (and sometimes only) layer of defense. When that tool is the one being attacked, there is nothing left to catch it.
The Specific Controls That Stop This Attack Chain
Apply these controls in priority order:
1. Enforce MFA on every VPN and remote access path. This stops the attack before it starts. Every confirmed in-the-wild case began with a compromised account that lacked MFA.
2. Apply the April 2026 Windows updates. This patches BlueHammer (CVE-2026-33825). Afterwards, confirm that Antimalware Platform version 4.18.26050.3011 or later is installed on each endpoint.
3. Verify the platform version directly; do not trust the dashboard. UnDefend falsifies Defender's health reporting. Check the actual platform version on each endpoint.
4. Block execution from user-writable directories. Downloads, Pictures, and Temp are staging grounds in every documented attack. Application control policies (Windows Defender Application Control or AppLocker) block execution from these paths.
5. Baseline TieringEngineService.exe. Hash the binary and alert on any modification. RedSun targets this process specifically.
6. Add an independent detection layer. A managed SOC with its own telemetry pipeline, one that does not share a trust boundary with the endpoint agent, catches what UnDefend hides from the Defender console. NVITS's Managed SOC provides exactly this: independent monitoring that does not rely on the endpoint agent reporting accurately.
7. Review VPN account hygiene. Audit accounts with remote access rights. Disable accounts that do not need it. Confirm MFA enrollment is complete, not just configured.
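Control 5 in working form, as an added example that is not code from the original post or from Vectra: record a baseline SHA-256 of TieringEngineService.exe and alert when it changes, and additionally check the file's Authenticode status, which catches a swapped binary even on an endpoint that has no baseline yet because the genuine file is Microsoft-signed. The baseline file location is an assumption.

```powershell
# Added example, not code from the original post: hash-baseline and signature
# check for the SYSTEM-level service binary the post names. Run elevated.

#Requires -RunAsAdministrator
$Binary   = Join-Path $env:SystemRoot 'System32\TieringEngineService.exe'
$Baseline = Join-Path $env:ProgramData 'Baselines\TieringEngineService.sha256'   # assumed location

function Get-ServiceBinaryState {
    param([Parameter(Mandatory)] [string] $Path)
    $sig  = Get-AuthenticodeSignature -FilePath $Path   # handles catalog-signed OS files
    $item = Get-Item -Path $Path
    [pscustomobject]@{
        Path        = $Path
        Sha256      = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
        SigStatus   = $sig.Status          # Valid / NotSigned / HashMismatch ...
        IsOSBinary  = $sig.IsOSBinary      # signed with a Windows production certificate
        Signer      = $sig.SignerCertificate.Subject
        Version     = $item.VersionInfo.ProductVersion
        ModifiedUtc = $item.LastWriteTimeUtc
    }
}

$state  = Get-ServiceBinaryState -Path $Binary
$alerts = @()

# A replaced binary fails here before any hash comparison is possible.
if ($state.SigStatus -ne 'Valid' -or -not $state.IsOSBinary) {
    $alerts += "signature status $($state.SigStatus), OS binary: $($state.IsOSBinary), signer '$($state.Signer)'"
}

if (Test-Path -Path $Baseline) {
    $expected = (Get-Content -Path $Baseline -Raw).Trim()
    if ($state.Sha256 -ne $expected) {
        $alerts += "hash changed: baseline $expected, current $($state.Sha256) (modified $($state.ModifiedUtc))"
    }
} else {
    # First run: record the baseline. Re-baseline deliberately after a Windows
    # update that replaces the binary, never automatically on a mismatch.
    New-Item -ItemType Directory -Path (Split-Path -Path $Baseline) -Force | Out-Null
    Set-Content -Path $Baseline -Value $state.Sha256
    Write-Output "baseline recorded for $Binary : $($state.Sha256)"
}

# The service must still point at the expected image; a second copy elsewhere
# would otherwise pass the hash check while the service runs something else.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='TieringEngineService'"
if ($svc -and ($svc.PathName -notmatch [regex]::Escape($Binary))) {
    $alerts += "service image path is '$($svc.PathName)', expected '$Binary'"
}

[pscustomobject]@{
    Host    = $env:COMPUTERNAME
    Binary  = $Binary
    Sha256  = $state.Sha256
    Version = $state.Version
    Alert   = ($alerts.Count -gt 0)
    Details = ($alerts -join '; ')
} | Format-List
```

Expect a legitimate hash change whenever a cumulative update replaces the file, so treat "hash changed" together with "signature not Valid" or "not an OS binary" as the high-confidence case and a hash change alone as a prompt to confirm that a patch was installed at that time. Store the baseline somewhere the endpoint cannot rewrite (your management server, not the local disk) if you want the comparison itself to be tamper-resistant.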
Why a Single Endpoint Tool Is Not Enough
These exploits demonstrate what security frameworks have prescribed for years. NIST CSF 2.0 calls for layered controls precisely because any single tool can be compromised. Relying on Windows Defender alone, even with all patches applied, leaves a gap that RedSun and UnDefend currently exploit with no remediation available from Microsoft.
For IT directors in compliance-sensitive environments (healthcare, financial services, defense contractors), this gap has direct regulatory implications. HIPAA's Security Rule requires reasonable safeguards across the full IT environment. PCI DSS 4.0 (whose future-dated requirements, including MFA for all access into the cardholder data environment, became mandatory on March 31, 2025) requires MFA for that access. CMMC 2.0 Level 2 requires the 110 controls of NIST SP 800-171, many of which speak directly to defense-in-depth and endpoint integrity.
A single endpoint protection tool, regardless of vendor, does not satisfy these requirements on its own.
NVITS is locally owned and operated in Reno — decisions are made here, not by a distant investment fund. Unlike managed service providers acquired by private equity, we answer to our clients, not to a holding company’s margin targets. That means we tell you what your environment actually needs, including when the answer involves layering capabilities beyond what Windows includes by default.
Our Managed Endpoint Detection and Response service provides the independent detection layer that closes the gap these exploits expose. Our vCISO service helps IT directors build a defense-in-depth architecture that holds up under audit and under attack.
What to Do This Week
Immediate actions, in order:
- Confirm April 2026 Windows updates are applied across all endpoints
- Verify Antimalware Platform version 4.18.26050.3011 or later — check directly, not from the dashboard
- Review application control policies for user-writable directory execution blocks
- Audit VPN accounts and confirm MFA is enforced, not just enabled
- Identify any endpoints where Defender is the only detection layer
If you cannot answer all five of those with confidence, your environment has exposure. The time to find that out is before an attacker does.
Book Your Cybersecurity Assessment
NVITS offers a complimentary 20-point assessment covering the full scope of your security posture — not just endpoint protection.
Frequently Asked Questions
What are BlueHammer, RedSun, and UnDefend?
They are three proof-of-concept exploits publicly released in April 2026 that target Microsoft Windows Defender. BlueHammer (CVE-2026-33825) exploits a race condition in Defender’s signature update workflow to gain SYSTEM-level access. RedSun exploits an unvalidated write during cloud-file remediation to achieve the same result. UnDefend is deployed after SYSTEM access is obtained and silently degrades Defender’s threat intelligence while reporting the endpoint as healthy. Microsoft patched BlueHammer in the April 2026 update; RedSun and UnDefend remain unpatched as of this writing.
Does the April 2026 Windows update fix all three exploits?
No. The April 2026 update patches BlueHammer by addressing CVE-2026-33825. RedSun and UnDefend are independent flaws with no CVEs assigned and no patches available from Microsoft yet. Organizations must apply the April update and implement additional controls, specifically MFA enforcement, application control policies that block execution from user-writable directories, and independent endpoint monitoring, to address the full attack surface.
Do I need to be running an outdated version of Windows to be vulnerable?
No. RedSun works against fully patched Windows 10, Windows 11, Windows Server 2019, and later — including systems with all April 2026 Patch Tuesday updates applied. UnDefend works on any system where SYSTEM access has been obtained. Being current on patches is necessary but not sufficient.
What is the initial access vector in documented attacks?
Every confirmed in-the-wild case documented by Huntress Labs involved a compromised SSL VPN account without multifactor authentication. The exploits require local access — they are post-compromise tools, not remote code execution vulnerabilities. This means MFA on VPN and remote access paths is the single most effective control against the attack chain.
How does NVITS protect against these exploits?
NVITS’s Managed SOC provides telemetry that is independent of the Defender agent — meaning UnDefend’s dashboard falsification does not affect our visibility. Our Managed Endpoint Detection and Response service layers detection capabilities beyond what Windows Defender provides natively. We also enforce application control policies and MFA as part of our standard managed services engagement. Pricing starts at $65–175/user/month depending on scope.
How is NVITS different from other managed security providers in Reno?
NVITS is locally owned and operated — not acquired by private equity. Decisions are made in Reno, not in a distant holding company's office. We received the NCET IT Support and Cybersecurity Company of the Year award in 2022, and we provide direct account management, not rotated contacts at a national call center. Our team has direct experience with the compliance requirements facing Reno-area healthcare organizations, financial services firms, startups, and nonprofits.
What frameworks require defense-in-depth beyond endpoint protection?
NIST CSF 2.0, HIPAA's Security Rule, PCI DSS 4.0 (future-dated requirements mandatory since March 31, 2025), CMMC 2.0 Level 2, and the FTC Safeguards Rule (updated 2023) all require layered controls across the IT environment. None of them treat a single endpoint protection tool as a sufficient security posture. If your organization is subject to any of these frameworks, relying solely on Windows Defender creates compliance exposure in addition to security risk.
How quickly can NVITS assess our current exposure?
We can typically schedule a free 20-point assessment within one week. The assessment covers endpoint protection, patch compliance, MFA coverage, VPN configuration, network segmentation, backup integrity, and your compliance posture across relevant frameworks. There is no obligation. Contact us here.
Related Reading
- Managed SOC Services
- Managed Endpoint Detection and Response
- vCISO Services
- Cybersecurity Consulting Reno
- Vulnerability Management
About the author: Adam Adil Harchaoui, a University of Nevada, Reno alumnus and veteran of Microsoft and IGT, founded NVITS with a clear vision: to bring enterprise IT to the local Reno business landscape. As a seasoned cybersecurity professional, Adam recognized a growing gap between enterprise-level protection and the practical needs of regional organizations. Under his leadership, NVITS has evolved into a premier partner for Managed IT, Cybersecurity, and AI-driven solutions, ensuring that local businesses are not just staying connected, they are staying secure and ahead of the technological curve. Connect on LinkedIn →

