
Microsoft Defender RedSun & UnDefend: actively exploited CVEs now in CISA KEV

Ikesan

TL;DR

  • Affected: Microsoft Defender / Microsoft Malware Protection Engine / Microsoft Defender Antimalware Platform
  • What happened: CVE-2026-41091 and CVE-2026-45498 are flagged “Exploited: Yes” by Microsoft. Added to CISA KEV on 2026-05-20; the federal civilian deadline is 2026-06-03
  • Fixed in: Malware Protection Engine 1.1.26040.8 or later, Defender Antimalware Platform 4.18.26040.7 or later
  • What to check: Windows Security protection updates, or PowerShell Get-MpComputerStatus for AMEngineVersion and AMProductVersion
  • Also fixed: CVE-2026-45584, a Defender RCE rated CVSS 8.1. No confirmed exploitation, but the same engine update closes it


Microsoft Defender’s RedSun and UnDefend now have CVE numbers and official confirmation of exploitation. Back in April, of the three Defender-related PoCs (BlueHammer, RedSun, UnDefend), only BlueHammer was closed, as CVE-2026-33825 in the April Patch Tuesday. The two that remained have now become CVE-2026-41091 and CVE-2026-45498.

What changed is the shift from “researcher PoCs and Huntress telemetry” to “Microsoft advisories and CISA KEV.” Once a flaw is in CISA KEV (Known Exploited Vulnerabilities, a catalog of flaws confirmed used in real attacks), U.S. federal civilian agencies have until June 3, 2026 to act.

RedSun escalates to SYSTEM, UnDefend disables Defender

Both are Defender flaws, but they work differently.

| CVE | Alias | Type | CVSS | Fix target |
|---|---|---|---|---|
| CVE-2026-41091 | RedSun | Local privilege escalation | 7.8 | Malware Protection Engine 1.1.26040.8 |
| CVE-2026-45498 | UnDefend | Denial of service | 4.0 | Defender Antimalware Platform 4.18.26040.7 |
| CVE-2026-45584 | none | Remote code execution | 8.1 | Malware Protection Engine 1.1.26040.8 |

What each type lets an attacker do:

| Type | What the attack does |
|---|---|
| LPE (local privilege escalation) | An attacker already on the machine raises a normal user to SYSTEM. Not an entry point by itself; it’s chained in after intrusion |
| DoS (denial of service) | Stops or hangs a target service or process. Here, used to disable or degrade Defender itself |
| RCE (remote code execution) | Runs attacker-supplied code on the machine. Can happen over the network without user interaction |

CVE-2026-41091, per Microsoft, is a “link resolution before file access” flaw. From a locally authenticated state, the attacker escalates to SYSTEM through Defender’s own processing. NVD tracks it as CWE-59 (link following, i.e. mishandling reference resolution such as symbolic links or junctions).

Per Vectra AI and Huntress, RedSun targets TieringEngineService.exe. The attacker plants an EICAR test string (a harmless detection signature used to verify antivirus behavior) inside a file to trigger Defender’s real-time protection, wins the race at the moment Defender rewrites the file, and drops the attacker’s binary into a protected system path. Huntress reports that RedSun still works on Windows 10 / Windows 11 / Windows Server 2019 and later even after the April Patch Tuesday. In other words, even with “the latest OS,” it remains if the Defender engine is old.

CVE-2026-45498 is the DoS. Microsoft’s CVSS is 4.0, and on its own it isn’t a “take over the machine” flaw. But April’s observations showed UnDefend used after a SYSTEM escalation like BlueHammer or RedSun, jamming Defender’s definition updates to degrade detection accuracy over time. Rather than a noisy crash, UnDefend’s role is to quietly wear protection down without raising alerts. Its CVSS looks low, but as a way to dull Defender after intrusion, the impact is worse than a machine crash.

The same update also closes CVE-2026-45584. This is a heap-based buffer overflow in the Malware Protection Engine, an RCE rated CVSS 8.1. Microsoft and NVD list no confirmed exploitation, but given that Defender auto-scans the files it receives, it remains a separate attack path on machines where the engine update has stalled.

Auto-update is on, but check the version anyway

Microsoft states that Defender’s malware definitions, engine, and platform update automatically by default, so the fix usually applies with no extra action. That’s roughly true for home PCs and ordinary corporate machines.

The thing to watch is that Defender updates split into three layers. Each ships at a different cadence over a different path, so “Windows Update is applied” and “the engine is current” are not the same thing.

| Layer | What’s in it | Update cadence |
|---|---|---|
| Security intelligence (definitions) | Malware signatures | Several times a day |
| Malware Protection Engine (engine) | The scan execution code itself (where RedSun and the RCE are fixed) | About once a month |
| Antimalware Platform (platform) | Defender’s service foundation (where UnDefend is fixed) | About once a month |

This fix lands in the bottom two layers, the engine and the platform. Even if definitions update frequently, the three flaws stay open while the engine and platform are old.

On managed Windows this is where things drift. With VDI golden images, long-offline machines, air-gapped networks, proxied updates, or machines mid-EDR-migration, Windows Update proper and the Defender engine update don’t always land at the same time.

  • A VDI golden image ships whatever engine and platform it was sealed with to a large fleet of derived machines. Until you rebuild the image, they multiply while staying old
  • Air-gapped and offline machines stop getting both definitions and engine without an outbound update path. Check the WSUS and Microsoft Defender for Endpoint fallback order
  • Behind a proxy, the light definition updates can get through while the heavier, separately-delivered engine update is the one being dropped
  • A machine mid-EDR-migration with another product active can drop Defender into passive mode, where its updates stall

The value to check is not the OS build but Defender’s engine and platform. In PowerShell:

```powershell
Get-MpComputerStatus |
  Select-Object AMEngineVersion, AMProductVersion, AntispywareSignatureVersion, AntivirusSignatureLastUpdated
```

If AMEngineVersion is 1.1.26040.8 or higher, you have the engine update for CVE-2026-41091 and CVE-2026-45584. If AMProductVersion is 4.18.26040.7 or higher, you have the platform update for CVE-2026-45498.

If they’re old, Update-MpSignature triggers an update manually. If that still doesn’t move them, run MpCmdRun.exe -SignatureUpdate directly, or suspect the proxy / WSUS / delivery path settings. A VDI golden image reverts on the next deployment even if you trigger it on the endpoint, so update the image itself.
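The version check above, extended into a fleet-wide report, as an added example that is not from the article: it compares AMEngineVersion and AMProductVersion against the fixed builds named above, lists which of the three CVEs are still open per host, and surfaces the two drift cases the article describes (fresh definitions with an old engine, and passive mode). The property names are those of Get-MpComputerStatus; the function name and output fields are my own, and remote hosts are assumed reachable over WinRM.

```powershell
# Added example: flag hosts whose Defender engine or platform is below the fixed builds.
$FixedEngine   = [version]'1.1.26040.8'   # closes CVE-2026-41091 (RedSun) and CVE-2026-45584 (RCE)
$FixedPlatform = [version]'4.18.26040.7'  # closes CVE-2026-45498 (UnDefend)

function Test-DefenderFixLevel {
    param([string[]]$ComputerName = @($env:COMPUTERNAME))

    foreach ($name in $ComputerName) {
        try {
            $s = if ($name -eq $env:COMPUTERNAME) { Get-MpComputerStatus -ErrorAction Stop } else {
                Invoke-Command -ComputerName $name -ScriptBlock { Get-MpComputerStatus } -ErrorAction Stop
            }
            # An empty version string means the component is absent; treat it as 0.0 so it is flagged.
            $engine   = [version]"$(if ($s.AMEngineVersion)  { $s.AMEngineVersion }  else { '0.0' })"
            $platform = [version]"$(if ($s.AMProductVersion) { $s.AMProductVersion } else { '0.0' })"
        } catch {
            # No status at all (WinRM failed, Defender not present): this host needs a manual look,
            # not a "not vulnerable" tick.
            [pscustomobject]@{ Computer = $name; Engine = $null; Platform = $null; Mode = 'Unknown'
                               SigAgeDays = $null; OpenCVEs = 'check manually'; Note = $_.Exception.Message }
            continue
        }

        $open = @()
        if ($engine   -lt $FixedEngine)   { $open += 'CVE-2026-41091', 'CVE-2026-45584' }
        if ($platform -lt $FixedPlatform) { $open += 'CVE-2026-45498' }

        # Fresh definitions next to an old engine is the proxy/WSUS drift pattern: light updates
        # get through while the separately delivered engine update is dropped.
        $sigAgeDays = if ($s.AntivirusSignatureLastUpdated) {
            [int]((Get-Date) - $s.AntivirusSignatureLastUpdated).TotalDays } else { $null }

        # Passive mode (another product active) means Defender is not the exposed component here,
        # but its updates may have stalled and the other product still has to be verified.
        $note = if ($s.AMRunningMode -like '*Passive*') {
            'Defender passive: verify the other product covers this host'
        } elseif ($open.Count -gt 0) {
            'run Update-MpSignature, re-check, then suspect the delivery path or golden image'
        } else { 'engine and platform at or above the fixed builds' }

        [pscustomobject]@{
            Computer = $name; Engine = $engine; Platform = $platform
            Mode = $s.AMRunningMode; SigAgeDays = $sigAgeDays
            OpenCVEs = if ($open.Count -gt 0) { $open -join ', ' } else { 'none' }
            Note = $note
        }
    }
}

Test-DefenderFixLevel | Format-Table -AutoSize
```

Pass a list of hostnames to `-ComputerName` to run it across a fleet; a row with a small SigAgeDays and a non-empty OpenCVEs column is exactly the “definitions current, engine old” case to chase.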

From the Windows Security app, open Virus & threat protection → Protection updates, then after checking for updates confirm the Antimalware Client Version under Settings → About.

Machines with Defender disabled are a separate case

Per Microsoft, as cited by The Hacker News, systems with Microsoft Defender disabled are not affected by these flaws. If Defender’s relevant component isn’t running, the RedSun and UnDefend attack paths don’t hold either.

But treating that as a mitigation is wrong. A machine with Defender turned off becomes something to verify: does it have equivalent protection from another EDR or anti-malware product, and is it in the intended mode under Microsoft Defender for Endpoint’s state management? “Not a vulnerable Defender” and “the endpoint is protected” are two different checks.

A local privilege escalation like this is, in particular, the kind of flaw used after initial access. FortiGate VPN, the browser, Office attachments, dev tools, npm or VS Code extensions: the entry point is elsewhere, and Defender is abused at the privilege-escalation and defense-weakening stage. This differs in attack surface from the Netlogon and DNS Client RCEs covered in the May Patch Tuesday, and the unit of update verification is the Defender update, not the OS update.

Timeline: from PoC release to KEV listing

RedSun and UnDefend didn’t appear as CVEs out of nowhere. In April, a researcher released PoCs (proof-of-concept code that demonstrates the attack works) first, they were used in real intrusions, and CVE assignment and KEV listing caught up afterward. Stitching together Vectra AI, Huntress, and Help Net Security, the rough sequence is:

```mermaid
flowchart TD
    A["Apr 3: BlueHammer PoC released<br/>a protest at MSRC silence"] --> B["Apr 10: BlueHammer seen exploited in the wild"]
    B --> C["Apr 14: BlueHammer fixed as CVE-2026-33825"]
    C --> D["Apr 16: RedSun and UnDefend PoCs released<br/>exploited in the wild the same day"]
    D --> E["RedSun and UnDefend stay unpatched"]
    E --> F["May 20: both CVEs added to CISA KEV<br/>federal deadline Jun 3"]
    F --> G["May 21: fixed as RedSun=CVE-2026-41091<br/>UnDefend=CVE-2026-45498"]
```

The PoCs came from an anonymous researcher going by Chaotic Eclipse (also known as Nightmare Eclipse) on GitHub. Per Help Net Security, they dropped the PoCs without a patch as a protest that reports to the Microsoft Security Response Center weren’t progressing. BlueHammer was closed as CVE-2026-33825 on April 14 in this flow, but RedSun and UnDefend didn’t get a patch in time and were exploited the same day they were published, April 16.

CISA then added both to KEV on May 20, and the next day Microsoft fixed RedSun as CVE-2026-41091 and UnDefend as CVE-2026-45498. What was “PoC exists, but no number and no patch” at publication finally became official with the KEV listing and CVE assignment.

How the picture changed from April to May

April’s BlueHammer post centered on Defender-triggered abuse of the Cloud Files API and VSS. From there into May came a string of Chaotic Eclipse Windows zero-days — YellowKey, GreenPlasma, MiniPlasma. The RedSun and UnDefend CVE assignments are the Defender part of that flow being folded back into official advisories.

After the PoCs, CVEs land, the flaws enter CISA KEV, and the fix ships over Defender’s auto-update path. In this flow, what’s left for admins isn’t “did Microsoft ship it” but “did it reach my fleet.”
