Cyber Threat Intel

Microsoft Defender zero-days exploited in wild

Key Questions

What are RedSun and UnDefend in Microsoft Defender?

RedSun enables SYSTEM escalation while UnDefend allows silent disabling of antivirus protections. Both zero-days were actively exploited before out-of-band patches were released on May 21, 2026. CISA added the flaws to its Known Exploited Vulnerabilities catalog.

How were the Microsoft Defender zero-days being exploited?

Attackers used FortiGate VPNs as an entry point for intrusions leveraging the flaws. Live attacks were confirmed prior to the emergency patches. The six-week patch gap raised concerns for enterprise users relying on Defender.

What is the recommended action for organizations using Microsoft Defender?

Enterprises should immediately apply the out-of-band patches for RedSun and UnDefend. Monitoring for signs of compromise via VPN access is advised. CISA guidance emphasizes rapid remediation to prevent further exploitation.

RedSun (SYSTEM escalation) and UnDefend (silent AV disable) zero-days were patched out-of-band. Active intrusions came in via FortiGate VPN. CISA added both flaws to its KEV catalog. The six-week patch gap is concerning for enterprise Defender users.

Updated May 21, 2026