
Defender Zero-Days BlueHammer & RedSun: SAMA Bank EDR Risk

Three Microsoft Defender zero-days are being actively exploited. BlueHammer (CVE-2026-33825) is in CISA KEV; RedSun and UnDefend remain unpatched. What SAMA banks must do this week.

FyntraLink Team

Three actively exploited Microsoft Defender zero-days — disclosed by a researcher under the alias Chaotic Eclipse and weaponised since April 10, 2026 — have turned the very tool SAMA banks rely on for endpoint defence into a credible attack vector. Only one has a patch.

What the BlueHammer, RedSun and UnDefend chain actually does

BlueHammer (CVE-2026-33825, CVSS 7.8) is a time-of-check to time-of-use (TOCTOU) flaw in Defender's signature-update mechanism. A low-privileged process wins the race window between Defender verifying a signature file and consuming it, replacing the payload to execute code as NT AUTHORITY\SYSTEM. RedSun is a sibling local privilege escalation in the same update pipeline that remains unpatched. UnDefend abuses the same code path to trigger a denial-of-service that quietly blocks definition updates, leaving Defender running but blind to new threats. Huntress has observed all three exploited in the wild, and CISA added CVE-2026-33825 to the Known Exploited Vulnerabilities (KEV) catalogue on April 22, 2026.

Why this differs from a typical patch-Tuesday alert

Most endpoint CVEs ask defenders to patch a workload. Here, the target is the defender. UnDefend is the more dangerous of the unpatched pair for regulated environments because it produces no obvious crash — Defender continues to appear "healthy" in MECM, Intune and most SIEM dashboards while silently consuming stale signatures. That breaks the assumption behind every endpoint-detection control mapped in your ISMS. RedSun, chained after an initial commodity-malware foothold, turns a routine help-desk ticket into a full domain-admin path on workstations that still rely on Defender as the primary AV/EDR layer.

Impact on Saudi financial institutions

Microsoft Defender for Endpoint is the dominant EDR layer in mid-tier Saudi banks, finance companies and SAMA-regulated payment service providers — particularly those that consolidated on Microsoft 365 E5 over the last two years. SAMA CSCC sub-domain 3.3.14 ("Cyber Security Event Management") and 3.3.5 ("Malware Protection") both presume that endpoint protection signatures and telemetry are current and tamper-resistant; UnDefend invalidates that presumption without triggering a single alert. NCA ECC control 2-3-1 ("Endpoint Devices Security") imposes the same expectation on regulated entities outside the financial sector. For banks subject to PCI-DSS 4.0, requirement 5.3.4 — "anti-malware solutions and mechanisms cannot be disabled or altered by users" — is materially broken while these flaws remain unpatched, and that is a finding any QSA will write up.

Recommendations and practical next steps

  1. Confirm CVE-2026-33825 is applied across every Windows endpoint and server in the cardholder, SWIFT and core-banking zones; treat anything still on the April 14, 2026 baseline or earlier as exposed.
  2. Deploy Microsoft's Update-MpSignature -UpdateSource MMPC validation script via Intune or MECM, and alert on any host where the last successful signature update is older than 24 hours — this is your detective control for UnDefend.
  3. Enable Defender's tamper-protection in tenant-wide enforced mode and add an Attack Surface Reduction (ASR) rule blocking process creation from C:\ProgramData\Microsoft\Windows Defender\Platform\*\MpSigStub.exe by non-system parents.
  4. Forward Defender update telemetry (events 2000, 2001, 2002 and 5007) into your SOC and write a correlation rule flagging update failures concurrent with privilege-escalation behaviours — required evidence for SAMA CSCC 3.3.14.
  5. If you operate a hybrid SOC or rely on a managed EDR service, request written confirmation from the provider that detection logic for BlueHammer, RedSun and UnDefend is live, and capture that confirmation in your third-party risk file.
  6. Update your incident-response playbook so that "Defender appears healthy" is no longer accepted as endpoint clearance during ransomware triage — require a manual signature-freshness check.
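The detective side of steps 2 and 4, as an added example that is not FyntraLink's or Microsoft's tooling: a small Python check run over forwarded Defender operational events that flags hosts with no successful signature update (event 2000) in 24 hours, and update failures (event 2001) that land within a short window of a privilege-escalation alert. The log line format, the `edr privesc` signal and the 30-minute correlation window are assumptions standing in for whatever your SIEM actually ingests.

```python
from datetime import datetime, timedelta

STALE_AFTER = timedelta(hours=24)           # threshold from recommendation 2
CORRELATION_WINDOW = timedelta(minutes=30)  # assumed window for recommendation 4

# Constructed sample: "<ISO timestamp> <host> <source> <event>". Source 'defender'
# carries Defender operational event IDs (2000 signatures updated, 2001 update
# failed, 5007 configuration changed); 'edr' is an assumed privilege-escalation alert.
SAMPLE = """\
2026-04-22T06:00:00 ws-riyadh-01 defender 2000
2026-04-23T06:00:00 ws-riyadh-02 defender 2000
2026-04-23T07:00:00 ws-riyadh-02 defender 2001
2026-04-23T07:12:00 ws-riyadh-02 edr privesc
2026-04-23T05:00:00 ws-jeddah-03 defender 2000
2026-04-23T07:30:00 ws-jeddah-03 defender 5007
2026-04-23T07:00:00 ws-jeddah-04 defender 2000
""".splitlines()
NOW = datetime(2026, 4, 23, 8, 0, 0)  # evaluation time for the constructed sample

def parse(lines):
    """Turn constructed log lines into (timestamp, host, source, event) tuples."""
    out = []
    for line in lines:
        ts, host, source, event = line.split()
        out.append((datetime.fromisoformat(ts), host, source, event))
    return out

def evaluate(events, now):
    """Return {host: [findings]} for every host present in the telemetry."""
    findings = {}
    for host in sorted({e[1] for e in events}):
        ev = [(t, s, x) for t, h, s, x in events if h == host]
        ok = [t for t, s, x in ev if s == "defender" and x == "2000"]
        fails = [t for t, s, x in ev if s == "defender" and x == "2001"]
        escs = [t for t, s, x in ev if s == "edr" and x == "privesc"]
        flags = []
        # Recommendation 2: no successful signature update within the last 24 h.
        if not ok or now - max(ok) > STALE_AFTER:
            flags.append("stale-signatures")
        # Recommendation 4: an update failure close in time to privilege escalation.
        if any(abs(p - f) <= CORRELATION_WINDOW for f in fails for p in escs):
            flags.append("update-failure-near-privesc")
        # 5007 on its own is noisy, so it is surfaced for review rather than paged.
        if any(s == "defender" and x == "5007" for _, s, x in ev):
            flags.append("config-changed")
        findings[host] = flags
    return findings
```

A host that returns an empty list is clean under both rules; the stale check deliberately fires when a host has never reported a 2000 at all, since a silent endpoint is the UnDefend symptom described above.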

Conclusion

Two of these three Defender flaws have no vendor fix as of this writing, and the one that does is already being weaponised. For SAMA-regulated institutions, the question is not whether Microsoft will eventually patch RedSun and UnDefend, but whether your detective controls would notice if an attacker silenced Defender across a branch network tomorrow morning. The compensating controls outlined above are not optional; they are the minimum standard a SAMA examiner will expect to see documented in your next assessment.

Is your organization prepared? Contact Fyntralink for a complimentary SAMA Cyber Maturity Assessment focused on endpoint detection and EDR tamper resistance.