Threat actors are using three publicly available proof-of-concept exploits to attack Microsoft Defender and turn the security platform's primary cleanup and protection functions against organizations it is designed to protect.
Two of the exploits enable SYSTEM-level access on vulnerable systems. The third quietly disrupts Defender's update mechanism to progressively degrade its ability to detect new threats.
A Trio of Exploits
A researcher using the moniker Nightmare-Eclipse publicly released the PoCs after allegedly trying to report them to Microsoft first and not getting a proper response.
One of the exploits, dubbed BlueHammer, was used as a zero-day against CVE-2026-33825, a time-of-check to time-of-use (TOCTOU) vulnerability in Microsoft Defender's signature update workflow. As security vendor Vectra.ai described the exploit, "Defender detects a suspicious file, decides to rewrite it, and an attacker wins a race condition that redirects that rewrite to a location of their choosing." Attackers can gain SYSTEM-level access without a kernel exploit or memory corruption, purely by abusing how Defender interacts with the file system during remediation, the security vendor said.
Microsoft issued a patch for the flaw in its security update for April. That patch mitigates the threat from BlueHammer but does not protect against the two other PoC exploits that Nightmare-Eclipse has publicly released: RedSun and UnDefend.
In a statement, a Microsoft spokeswoman identified RedSun and UnDefend as separate issues from BlueHammer. "Microsoft has a customer commitment to investigate reported security issues and update impacted devices to protect customers as soon as possible," the statement said. "We also support coordinated vulnerability disclosure, a widely adopted industry practice that helps ensure issues are carefully investigated and addressed before public disclosure, supporting both customer protection and the security research community."
Turning Defender Against Its Users
RedSun works similarly to BlueHammer but targets TieringEngineService.exe, a Defender background process for classifying and prioritizing detected files and threats. All an attacker has to do to trigger the vulnerability, according to Vectra.ai, is to plant a file containing the EICAR test string, the harmless standard string many security teams use to safely verify that an antivirus tool is detecting threats. When Defender detects the test string, it "initiates a remediation cycle, and RedSun wins the race to redirect the resulting file rewrite. At that point, the Cloud Files Infrastructure executes the attacker-planted binary as SYSTEM," Vectra said.
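The mechanism both BlueHammer and RedSun share, as Vectra.ai describes it, is a check-then-act remediation in which a privileged process validates a flagged file and then rewrites it by name, leaving a window in which the attacker swaps that name to point somewhere else. The simulation below is an added example written for this page; it is not the Nightmare-Eclipse proof-of-concept code nor Vectra's analysis, and it does not reproduce the Defender-specific details (TieringEngineService.exe, the Cloud Files Infrastructure, the SYSTEM execution step). It assumes POSIX symlink semantics and `os.O_NOFOLLOW` (Windows reparse points and junctions play the equivalent role on NTFS), replaces the actual timing race with a deterministic hook so the outcome is reproducible, and uses a constructed marker string `DEMO-DETECTION-MARKER` in place of the EICAR string so the demo never writes real EICAR to disk. The function names `scan`, `remediate_vulnerable`, `remediate_hardened` and `run_race` are the author's own, not Defender APIs.

```python
import os
import stat
import tempfile

# Constructed stand-in for the EICAR test string: same role (a byte pattern the
# scanner is guaranteed to flag) without writing the real EICAR string to disk.
DETECT_MARKER = b"DEMO-DETECTION-MARKER"


def scan(path):
    """Toy scanner: a file is 'malicious' if it contains the marker."""
    with open(path, "rb") as f:
        return DETECT_MARKER in f.read()


def remediate_vulnerable(path, between_check_and_write=None):
    """Check-then-act remediation of the shape the article describes.

    The path is validated as a regular file (the check), then reopened *by name*
    for the rewrite (the use). Anything that swaps the name in between wins.
    """
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode):
        return "skipped"
    if between_check_and_write:
        between_check_and_write()  # the race window, made deterministic here
    with open(path, "wb") as f:     # follows symlinks: rewrite lands wherever the name now points
        f.write(b"")
    return "cleaned"


def remediate_hardened(path, between_check_and_write=None):
    """Same workflow, but the rewrite is bound to the object that was checked.

    Open the final path component without following symlinks, confirm via
    fstat() that the handle refers to the very inode the check saw, and perform
    the rewrite through that handle rather than through the name.
    """
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode):
        return "skipped"
    if between_check_and_write:
        between_check_and_write()
    try:
        fd = os.open(path, os.O_WRONLY | os.O_NOFOLLOW)  # POSIX assumption (see lead-in)
    except OSError:                                     # ELOOP: the name became a symlink
        return "aborted"
    try:
        st2 = os.fstat(fd)
        if (st2.st_dev, st2.st_ino) != (st.st_dev, st.st_ino) or not stat.S_ISREG(st2.st_mode):
            return "aborted"                            # not the object that was checked
        os.ftruncate(fd, 0)                             # rewrite through the verified handle
    finally:
        os.close(fd)
    return "cleaned"


def run_race(remediator):
    """Stage the race: detection fires on dropper.bin; the attacker redirects the rewrite."""
    with tempfile.TemporaryDirectory() as d:
        suspicious = os.path.join(d, "dropper.bin")
        target = os.path.join(d, "protected.txt")  # stands in for a file the attacker must not touch
        with open(suspicious, "wb") as f:
            f.write(DETECT_MARKER)                 # constructed sample input
        with open(target, "wb") as f:
            f.write(b"original contents")         # constructed sample input

        def attacker_swap():
            # Runs inside the check-to-write window: replace the flagged file's
            # name with a symlink so the privileged rewrite hits the target.
            os.remove(suspicious)
            os.symlink(target, suspicious)

        if not scan(suspicious):
            return ("not detected", None)
        outcome = remediator(suspicious, attacker_swap)
        with open(target, "rb") as f:
            return (outcome, f.read())


if __name__ == "__main__":
    print("vulnerable:", run_race(remediate_vulnerable))  # ('cleaned', b'')
    print("hardened:  ", run_race(remediate_hardened))    # ('aborted', b'original contents')
```

The vulnerable remediator reports success while the file it actually emptied is one it was never asked to touch; the hardened one refuses because the handle it opened is not the object it checked. The design point is that the check and the action must be performed on the same open handle, never on a path string that another principal can rewrite in between, which is the pattern a reviewer should look for in any privileged cleanup or quarantine code.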