Microsoft issued out-of-band updates for two Microsoft Defender zero-days, RedSun (CVE-2026-41091) and UnDefend (CVE-2026-45498), after both flaws were exploited in the wild. RedSun is a local privilege escalation vulnerability that can grant attackers SYSTEM privileges by abusing Defender’s handling of malicious files with cloud tags and related Cloud Files behavior, while UnDefend is a denial-of-service flaw that can disrupt Defender signature updates. The bugs affected older versions of the Microsoft Malware Protection Engine and Microsoft Defender Antimalware Platform, and Microsoft said patched engine and platform releases are generally delivered automatically.

Timeline, from the most recent confirmed update back to the earliest known activity:
CISA added CVE-2026-41091 and CVE-2026-45498 to its Known Exploited Vulnerabilities catalog and directed U.S. federal agencies to remediate them by June 3, 2026.
Microsoft issued out-of-band updates for two actively exploited Microsoft Defender zero-days: CVE-2026-41091 (RedSun) and CVE-2026-45498 (UnDefend). The fixes were delivered in newer Malware Protection Engine and Defender Antimalware Platform releases.
After public disclosure of the RedSun and UnDefend flaws, Microsoft said it was investigating the reported issues and working to release updates as quickly as possible.
Security researcher Chaotic Eclipse, also known as Nightmare-Eclipse, publicly disclosed and released proof-of-concept exploits for the RedSun and UnDefend Microsoft Defender vulnerabilities, saying the release was a protest against Microsoft's handling of his reports.
Huntress reported that the RedSun and UnDefend Microsoft Defender zero-days had already been exploited in real-world attacks. The report states exploitation of both vulnerabilities was observed from April 16, 2026.
A public GitHub repository for the RedSun Microsoft Defender exploit was created and released by Nightmare-Eclipse, including source code and technical details describing privilege escalation via Defender behavior.