Microsoft Defender Flaws Exploited on Windows, Two Left Unpatched
Why It Matters
Unpatched Defender vulnerabilities expose enterprise Windows environments to remote code execution and denial‑of‑service attacks, undermining a core security layer. Prompt detection and mitigation are critical to prevent attackers from gaining SYSTEM‑level control.
Key Takeaways
- BlueHammer patched; exploits Microsoft Defender via malicious definition update
- RedSun bypasses patch, grants SYSTEM access on Windows 10/11 and Server 2019‑2025
- UnDefend can disable Defender updates, causing denial‑of‑service attacks
- Public exploit code gives attackers a roadmap before patches are released
- IT teams should monitor Defender behavior and apply updates promptly
Pulse Analysis
Microsoft Defender is a cornerstone of Windows security, yet recent disclosures reveal that its own components can be weaponized. The researcher known as Chaotic Eclipse published three exploits—BlueHammer, RedSun and UnDefend—demonstrating how malicious actors can subvert Defender’s update mechanisms and file‑handling APIs. While Microsoft quickly issued a patch for BlueHammer, the other two vulnerabilities remain open, highlighting the challenges of defending against zero‑day flaws in widely deployed security software.
RedSun exploits an opportunistic lock (oplock) to hijack Defender’s file recovery process, redirecting writes to the System32 directory and overwriting critical binaries. This technique works on the latest Windows 10 and 11 builds as well as Windows Server 2019, 2022, and the upcoming 2025 release, granting attackers full SYSTEM privileges. UnDefend takes a different approach, targeting the update pipeline itself. By blocking definition updates or disabling Defender during major platform upgrades, it creates a denial‑of‑service condition that leaves endpoints blind to new threats. Both exploits are publicly available, providing a ready‑made playbook for threat actors before Microsoft can develop fixes.
For enterprises, the immediate priority is heightened monitoring of Defender logs and aggressive patch management. Organizations should deploy supplemental endpoint detection and response (EDR) tools that can detect anomalous service creation or unexpected file system activity. In parallel, Microsoft’s rapid response to BlueHammer shows that coordinated disclosure can limit exposure, but the lingering gaps underscore the need for layered defenses. Staying ahead of these threats will require continuous vulnerability scanning, timely application of security updates, and a robust incident‑response plan to contain any potential compromise.
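The monitoring the paragraph above calls for can be scripted. The following health check is an added example, not code from the article or from the researcher it describes; it flags the conditions an UnDefend-style denial of service would leave behind (stale security intelligence, disabled protection, failed updates in Defender's own operational log) and lists services installed recently, since anomalous service creation is the other signal the article names. It assumes an administrative PowerShell session on Windows 10/11 or Server 2019 and later with the Defender module present; the 48-hour staleness threshold and 24-hour lookback are chosen values.

```powershell
# Added example (not from the article). Checks Defender health and recent
# service installs. Assumed thresholds: 48 h signature age, 24 h event lookback.
$MaxSignatureAgeHours = 48
$LookbackHours        = 24
$Since                = (Get-Date).AddHours(-$LookbackHours)
$Findings             = @()

$status = Get-MpComputerStatus

# 1. Is the antimalware engine and real-time protection actually running?
if (-not $status.AMServiceEnabled)          { $Findings += 'Defender antimalware service is disabled' }
if (-not $status.RealTimeProtectionEnabled) { $Findings += 'Real-time protection is disabled' }

# 2. Are security intelligence (definition) updates still arriving?
$sigAge = (Get-Date) - $status.AntivirusSignatureLastUpdated
if ($sigAge.TotalHours -gt $MaxSignatureAgeHours) {
    $Findings += ('Signatures are {0:N0} hours old (version {1})' -f
                  $sigAge.TotalHours, $status.AntivirusSignatureVersion)
}

# 3. Did Defender log an update failure (2001) or real-time protection
#    being switched off (5001) in the lookback window?
$defEvents = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 2001, 5001
    StartTime = $Since
} -ErrorAction SilentlyContinue
foreach ($e in $defEvents) {
    $Findings += ('Defender event {0} at {1}: {2}' -f $e.Id, $e.TimeCreated, ($e.Message -split "`n")[0])
}

# 4. Which services were installed recently? (System log 7045, Service Control
#    Manager.) Review these against change records; new services are a common
#    footprint of SYSTEM-level post-exploitation.
$svcEvents = Get-WinEvent -FilterHashtable @{
    LogName = 'System'; Id = 7045; StartTime = $Since
} -ErrorAction SilentlyContinue
foreach ($e in $svcEvents) {
    $Findings += ('Service installed at {0}: {1}' -f $e.TimeCreated, ($e.Message -split "`n")[0])
}

if ($Findings.Count -eq 0) {
    Write-Output 'Defender health check passed'
} else {
    Write-Output 'Defender health check needs attention:'
    $Findings | ForEach-Object { Write-Output "  - $_" }
    exit 1
}
```

Run it from a scheduled task or an EDR script runner and forward a non-zero exit code or the findings text to your SIEM so that stale signatures and disabled protection are treated as incidents rather than noise.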