
BlueHammer, RedSun, UnDefend: Three Windows Defender Zero-Days That Turned Your Shield Into a Weapon

One researcher, three zero-days, 13 days. BlueHammer, RedSun, and UnDefend exploited Windows Defender's own remediation engine to escalate privileges to SYSTEM — and only one has been patched.

FyntraLink Team

In April 2026, a single security researcher dismantled the assumption that Windows Defender is a reliable last line of defense. Over 13 days, three distinct zero-day exploits — BlueHammer, RedSun, and UnDefend — were publicly disclosed with working proof-of-concept code, each targeting a different weakness in Defender's core architecture. Microsoft patched one. The other two remain exploitable on production systems running across Saudi financial infrastructure.

CVE-2026-33825: How BlueHammer Turns Defender Against Itself

BlueHammer (CVE-2026-33825, CVSS 7.8) exploits a time-of-check to time-of-use (TOCTOU) race condition buried in Windows Defender's threat remediation engine. The attack sequence is surgical: an attacker drops a file that triggers a Defender detection, then uses a batch opportunistic lock (oplock) to freeze Defender's file operation at the exact moment it begins remediation. During the pause, the attacker creates an NTFS junction point that redirects Defender's target path from a temporary directory to C:\Windows\System32. When Defender resumes its rollback, it follows the redirected path and writes with SYSTEM-level privileges — overwriting a system binary and granting the attacker full control.

No elevated privileges required. No user interaction needed. The attacker only needs local access — exactly the foothold that phishing, RDP compromise, or insider threats routinely provide in financial environments. Huntress Labs confirmed active exploitation in the wild since at least April 10, 2026, three days after public disclosure and four days before Microsoft's patch.

RedSun and UnDefend: The Two Zero-Days Still Waiting for Patches

RedSun followed BlueHammer within days. It abuses Defender's handling of cloud-tagged files — specifically the metadata Defender attaches after cloud-based analysis. By manipulating how Defender processes these cloud verdicts during remediation, RedSun achieves a similar privilege escalation outcome through a completely different code path. The attacker overwrites system paths by exploiting the trust Defender places in its own cloud analysis pipeline.

UnDefend takes a different approach entirely. Instead of escalating privileges, it systematically degrades Defender's protection by disrupting its signature update mechanism. The exploit corrupts the update channel in a way that causes Defender to silently fail future updates while reporting a healthy status. Over days or weeks, the endpoint's detection capability erodes without triggering any alerts — the security dashboard still shows green while the actual protection steadily weakens.

As of May 12, 2026, Microsoft has patched BlueHammer (Antimalware Platform version 4.18.26020.7+), but RedSun and UnDefend remain unpatched. CISA added CVE-2026-33825 to its Known Exploited Vulnerabilities catalog with a mandatory remediation deadline, but the other two exploits have no CVE assignments yet — making them invisible to automated vulnerability management workflows.

Why This Matters for Saudi Financial Institutions Under SAMA

Most SAMA-regulated banks, insurance companies, and fintech firms run Windows Defender as either their primary endpoint protection or as a foundational layer alongside EDR solutions. SAMA's Cyber Security Common Controls (CSCC) mandate endpoint protection under Domain 3 (Technology) with specific requirements for malware defense, real-time monitoring, and security update management. The BlueHammer trio strikes at the intersection of all three requirements.

Consider a realistic attack chain against a Saudi bank: an attacker gains initial access through a spear-phishing email targeting a branch employee. With low-privilege access on a single workstation, they deploy BlueHammer to escalate to SYSTEM. From there, they run UnDefend to silently degrade Defender across laterally-accessible endpoints. Within a week, the attacker has SYSTEM access on multiple machines with progressively weaker endpoint detection — all while the bank's SOC dashboard reports no anomalies. This scenario does not require sophisticated tooling. The proof-of-concept code is public.

NCA's Essential Cybersecurity Controls (ECC) compound the urgency. ECC-2:3 requires organizations to maintain updated endpoint protection with verified operational status — a control that UnDefend specifically defeats. PDPL Article 29 holds data controllers accountable for implementing technical measures proportionate to the risk of processing personal data. An endpoint protection layer with known, unpatched bypass techniques fails that proportionality test.

Practical Recommendations for CISOs and Security Teams

  1. Verify BlueHammer patch deployment immediately. Confirm that all endpoints run Microsoft Defender Antimalware Platform version 4.18.26020.7 or later. Do not rely on WSUS reporting alone — run a direct version query across your fleet using Get-MpComputerStatus | Select-Object AMProductVersion via your endpoint management tool.
  2. Implement Defender health attestation monitoring. UnDefend's core danger is that Defender reports healthy while degraded. Deploy an independent check — outside Defender's own telemetry — that verifies signature freshness against Microsoft's published definition timestamps. Alert if any endpoint falls more than 24 hours behind.
  3. Restrict NTFS junction point creation on critical systems. BlueHammer and RedSun both rely on junction point manipulation. Use AppLocker or Windows Defender Application Control (WDAC) policies to restrict mklink and junction creation for non-administrative users on servers and high-value workstations.
  4. Layer your endpoint detection. If Defender is your sole endpoint protection, this vulnerability chain is a wake-up call. Deploy a secondary EDR agent capable of detecting privilege escalation behaviors — particularly SYSTEM token impersonation and suspicious System32 file writes — independent of Defender's detection pipeline.
  5. Accelerate SAMA CSCC Domain 3 reassessment. Document the BlueHammer risk in your risk register with compensating controls for RedSun and UnDefend. SAMA examiners will expect awareness of actively exploited vulnerabilities affecting mandated security controls during your next assessment cycle.
  6. Hunt retroactively. BlueHammer was exploited in the wild from April 10, 2026. Query your SIEM for indicators: unusual MsMpEng.exe file operations, oplock activity on quarantine paths, junction point creation in %TEMP% directories targeting System32, and any Defender service restarts that coincide with privilege escalation events.
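Recommendations 1 and 2 can be combined into a single fleet check. The following is an added example written for this post, not code from the original article or from Microsoft; it assumes the Defender PowerShell module (Get-MpComputerStatus) is present, takes the patched platform build 4.18.26020.7 quoted above as the threshold, and judges signature freshness by the age of the local update timestamp rather than by Defender's own health flag (comparing against Microsoft's published definition version is left to the operator).

```powershell
# Added example (not from the original post): per-endpoint check for the BlueHammer
# platform fix and for stale Defender signatures. Assumes the Defender PowerShell
# module is available; the patched build number comes from the article above.

$PatchedPlatform      = [version]'4.18.26020.7'   # first platform build with the BlueHammer fix
$MaxSignatureAgeHours = 24                        # alert threshold from recommendation 2

function Test-DefenderPosture {
    param(
        [Parameter(Mandatory)] $Status,            # output of Get-MpComputerStatus
        [version]  $MinimumPlatform = $PatchedPlatform,
        [int]      $MaxAgeHours     = $MaxSignatureAgeHours,
        [datetime] $Now             = (Get-Date)
    )
    $findings = @()

    # 1. Antimalware Platform version: anything below the patched build is still exposed.
    $platform = [version]$Status.AMProductVersion
    if ($platform -lt $MinimumPlatform) {
        $findings += "Platform $platform is below patched build $MinimumPlatform"
    }

    # 2. Signature freshness, taken from the timestamp rather than the green status flag,
    #    because a broken update channel can keep reporting healthy while nothing arrives.
    $age = $Now - $Status.AntivirusSignatureLastUpdated
    if ($age.TotalHours -gt $MaxAgeHours) {
        $findings += ('Signatures last updated {0:u} ({1:N1} h ago, threshold {2} h)' -f
                      $Status.AntivirusSignatureLastUpdated, $age.TotalHours, $MaxAgeHours)
    }

    # Core protection switches should be on; record it if they are not.
    if (-not $Status.RealTimeProtectionEnabled) { $findings += 'Real-time protection disabled' }
    if (-not $Status.AMServiceEnabled)          { $findings += 'Antimalware service disabled' }

    [pscustomobject]@{
        Computer          = $env:COMPUTERNAME
        PlatformVersion   = $platform
        SignatureVersion  = $Status.AntivirusSignatureVersion
        SignatureAgeHours = [math]::Round($age.TotalHours, 1)
        Compliant         = ($findings.Count -eq 0)
        Findings          = $findings
    }
}

# Run against the live Defender status and forward the object to your endpoint
# management tool or SIEM; do not rely on Defender's own dashboard for the verdict.
Test-DefenderPosture -Status (Get-MpComputerStatus) | Format-List
```

Run it through your endpoint management tool across the fleet and alert on any endpoint where Compliant is false.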

Conclusion

The BlueHammer trilogy represents a category shift in endpoint security risk. When the security tool designed to protect your endpoints becomes the mechanism for compromise, traditional defense-in-depth assumptions collapse. The fact that two of three exploits remain unpatched over a month after disclosure — with public proof-of-concept code available — demands immediate compensating action from every institution relying on Windows Defender.

Is your organization prepared? Contact Fyntralink for a complimentary SAMA Cyber Maturity Assessment — including endpoint security validation against BlueHammer, RedSun, and UnDefend attack techniques.
