CYBERSIP™ DAILY CYBER BRIEF · ISSUE NO. 7 · APRIL 19, 2026 · CYBERSIP.NET
Daily Cyber Brief · Intelligence Without the Noise
Issue No. 7  ·  April 19, 2026  ·  3 active items  ·  Under 5 min read
Today's picture
The Defender situation is no longer a single unpatched zero-day. Attackers are now chaining two unpatched exploits in sequence, using one to blind Defender's update pipeline and the other to escalate to SYSTEM, with near-perfect reliability on Windows 10, 11, and Server 2019 and later. Separately, NIST quietly changed the rules on CVE scoring four days ago and most organizations have not noticed yet. The change has real implications for how patch prioritization works for anyone relying on the National Vulnerability Database as a primary signal.
Threat snapshot
2 new · 1 developing · 3 monitoring
Developing · Unpatched
Defender triple zero-day escalates. Attackers chaining RedSun and UnDefend in live attacks.
BlueHammer patched. RedSun and UnDefend actively exploited and still unpatched. Two-step chain blinds Defender then escalates to SYSTEM. Near-100% reliability confirmed.
New · Process Change
NIST stopped scoring most CVEs four days ago. Most organizations have not noticed.
CVE submissions up 263% since 2020. NIST now enriches only KEV, federal, and EO 14028 critical software CVEs. Everything else gets no automatic CVSS score.
New · Ops Alert
April patches causing Windows domain controllers to enter restart loops
Second patch-induced operational failure this week. Domain controllers restart-looping after April 2026 security updates. Microsoft investigating.
Detailed intelligence
Full analysis
01 · Developing · 2 of 3 Unpatched
Defender triple zero-day escalates. Attackers chaining RedSun and UnDefend in live attacks.
BlueHammer / RedSun / UnDefend
What changed since Issue 6
When we covered this in Issue 6, Huntress had confirmed in-the-wild exploitation of all three. Since then, the picture has sharpened in a way that changes the operational calculus. Huntress researchers have documented a specific two-step attack chain being used in live incidents: UnDefend is deployed first to block Defender from receiving signature updates while reporting the endpoint as healthy to management consoles, then RedSun is used to escalate to SYSTEM. This sequence is deliberate. UnDefend neutralizes the security tool without alerting the SOC, creating a window where the endpoint appears protected but is not. RedSun then abuses Defender's cloud file rollback mechanism, redirecting a file restoration operation to C:\Windows\System32 via NTFS junction manipulation, achieving SYSTEM-level code execution. Researchers report near-100% reliability on Windows 10, Windows 11, and Windows Server 2019 and later. BlueHammer was patched in this month's Patch Tuesday release. RedSun and UnDefend have no CVE identifiers and no patches as of today. The public PoC code for both remains accessible on GitHub despite a platform warning.
CyberSip™ Take
The UnDefend component is what makes this chain particularly dangerous for detection. An endpoint that has been hit by UnDefend looks healthy from the management console: Defender is running and the agent is reporting, but signature updates are silently blocked. The SOC sees green. The attacker has a clean runway. Organizations that monitor Defender signature update frequency as a health indicator will catch this. Organizations that only check whether the Defender service is running will not. The immediate mitigation priority is verifying that Defender signatures are actually current across the environment, not just that the service is active. The specific value to check is the last successful signature update timestamp. A gap of more than a few hours on a connected endpoint warrants investigation. RedSun and UnDefend have no patches and no timeline. This item stays Developing until Microsoft ships fixes for both.
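The check described above, written out as an added example that is not part of the brief and not Huntress or Microsoft code. It uses the Defender module's Get-MpComputerStatus cmdlet and its AntivirusSignatureLastUpdated, AntivirusSignatureVersion, AMServiceEnabled, AntivirusEnabled and RealTimeProtectionEnabled fields; the six-hour threshold, the remote query via Invoke-Command, and the verdict labels are assumptions to tune for your own update cadence.

```powershell
# Added example: flag endpoints where Defender reports healthy but signatures
# have not updated recently (the "SOC sees green" blind spot described above).
# Assumes the Defender PowerShell module is available on each host and that
# the caller can run Invoke-Command against remote hosts. Threshold is assumed.

param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),
    [int]$MaxSignatureAgeHours = 6   # assumed threshold; tune to your update cadence
)

function Test-DefenderSignatureFreshness {
    param(
        [Parameter(Mandatory)][string]$Computer,
        [int]$MaxAgeHours
    )
    try {
        # Get-MpComputerStatus is the Defender module cmdlet; remote hosts are
        # queried through Invoke-Command and return the same property names.
        $status = if ($Computer -eq $env:COMPUTERNAME) {
            Get-MpComputerStatus
        } else {
            Invoke-Command -ComputerName $Computer -ScriptBlock { Get-MpComputerStatus }
        }
    } catch {
        return [pscustomobject]@{ Computer = $Computer; Verdict = 'QUERY_FAILED'; Detail = $_.Exception.Message }
    }

    $age = (Get-Date) - $status.AntivirusSignatureLastUpdated
    # "Green" as a console would show it: service on, AV on, real-time protection on.
    $serviceGreen = $status.AMServiceEnabled -and $status.AntivirusEnabled -and $status.RealTimeProtectionEnabled

    # The condition worth investigating is green service plus stale signatures.
    $verdict = if (-not $serviceGreen) { 'SERVICE_DOWN' }
               elseif ($age.TotalHours -gt $MaxAgeHours) { 'STALE_SIGNATURES' }
               else { 'OK' }

    [pscustomobject]@{
        Computer          = $Computer
        ServiceGreen      = $serviceGreen
        SignatureVersion  = $status.AntivirusSignatureVersion
        LastSignatureTime = $status.AntivirusSignatureLastUpdated
        SignatureAgeHours = [math]::Round($age.TotalHours, 1)
        Verdict           = $verdict
    }
}

$results = foreach ($c in $ComputerName) {
    Test-DefenderSignatureFreshness -Computer $c -MaxAgeHours $MaxSignatureAgeHours
}
$results | Sort-Object Verdict | Format-Table -AutoSize

# Endpoints that look healthy but have not pulled signatures inside the window.
$results | Where-Object Verdict -eq 'STALE_SIGNATURES'
```

Run it from a management host with a list of endpoint names; anything that comes back STALE_SIGNATURES while ServiceGreen is true is exactly the state the brief describes, and the SignatureVersion column gives you the value to compare against the version currently published by Microsoft.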
Recommended actions
Derived from Huntress threat research, vendor security advisories, and independent vulnerability analysis
02 · New · Process Change
NIST stopped scoring most CVEs four days ago. Most organizations have not noticed.
NVD Policy · Apr 15
What happened
On April 15, NIST formally changed how it operates the National Vulnerability Database. CVE submissions increased 263% between 2020 and 2025, Q1 2026 is tracking a further one-third higher than last year, and NIST fell behind despite enriching 45% more CVEs in 2025 than any prior year. Under the new policy, NIST will only enrich CVEs that meet one of three criteria: the vulnerability appears in CISA's Known Exploited Vulnerabilities catalog, the software is used by the federal government, or the software qualifies as critical under Executive Order 14028. Every other CVE will still be listed in the NVD but categorized as lowest priority with no automatic CVSS score. All backlogged CVEs published before March 1, 2026 that have not yet been enriched are being moved to a permanent "Not Scheduled" category. FIRST forecasts 50,000 new CVEs in 2026, up from 42,000 enriched in 2025.
CyberSip™ Take
This change matters most to organizations that have built their patch prioritization workflow around NVD CVSS scores as the primary triage signal. If your process is "patch Critical and High first, review Medium later," and the severity scores are no longer being automatically generated for most CVEs, the workflow has a blind spot that just got significantly larger. NIST was explicit that CVEs outside the new criteria "may have a significant impact on affected systems" and that the new rules "may not catch every potentially high-impact CVE." That is the agency acknowledging the gap directly. The practical implication is that a vulnerability disclosed tomorrow against software your organization runs may arrive with no CVSS score, no enrichment, and no signal beyond the CVE ID and a description. Attackers are not waiting for NIST to catch up — they already know what is exploitable. Teams relying solely on NVD as a triage source should treat this week as the trigger to revisit their vulnerability management process and add a second signal source. CISA KEV remains authoritative for confirmed exploitation. Threat intelligence feeds, vendor advisories, and sources like VulnCheck fill the gap for everything else.
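A triage routine that treats a missing CVSS score as "needs review" rather than letting it sink to the bottom of the queue, and that lets KEV membership outrank any score, as an added example that is not part of the brief and not NIST or CISA code. The KEV set and the CVE records are constructed inline so the block runs offline; in practice the KEV set comes from CISA's published catalog and the records from your scanner or feed. The priority labels and the 9.0/7.0 cutoffs are assumptions.

```powershell
# Added example: two-signal patch triage after the NVD policy change.
# Signal 1 is CISA KEV membership; signal 2 is a CVSS score if any source
# supplied one. A record with neither is routed to review, not to "low".

# Constructed stand-in for the KEV catalog (CVE IDs only). Membership here is
# illustrative; check the real catalog for the actual entries.
$KevIds = [System.Collections.Generic.HashSet[string]]::new(
    [string[]]@('CVE-2026-34197', 'CVE-2026-00000')
)

# Constructed CVE records as they might arrive now: some scored, some not.
$CveRecords = @(
    [pscustomobject]@{ Id = 'CVE-2026-34197'; Cvss = $null; Product = 'Apache ActiveMQ' },
    [pscustomobject]@{ Id = 'CVE-2026-11111'; Cvss = 9.8;   Product = 'Example VPN appliance' },
    [pscustomobject]@{ Id = 'CVE-2026-22222'; Cvss = $null; Product = 'Example web framework' },
    [pscustomobject]@{ Id = 'CVE-2026-33333'; Cvss = 4.3;   Product = 'Example desktop tool' }
)

function Get-PatchPriority {
    param(
        [Parameter(Mandatory)][pscustomobject]$Cve,
        [Parameter(Mandatory)][System.Collections.Generic.HashSet[string]]$Kev,
        [double]$CriticalThreshold = 9.0,   # assumed cutoffs
        [double]$HighThreshold     = 7.0
    )
    # Confirmed exploitation wins regardless of whether a score exists.
    if ($Kev.Contains($Cve.Id)) {
        return [pscustomobject]@{ Id = $Cve.Id; Priority = 'P1-KEV'; Reason = 'In CISA KEV' }
    }
    # A score, when NVD or a second source supplied one.
    if ($null -ne $Cve.Cvss) {
        $p = if ($Cve.Cvss -ge $CriticalThreshold) { 'P1' }
             elseif ($Cve.Cvss -ge $HighThreshold) { 'P2' }
             else { 'P3' }
        return [pscustomobject]@{ Id = $Cve.Id; Priority = $p; Reason = "CVSS $($Cve.Cvss)" }
    }
    # No score and not in KEV: the case the policy change makes common.
    # Surface it for a second-source check instead of silently deprioritizing it.
    [pscustomobject]@{ Id = $Cve.Id; Priority = 'REVIEW-UNSCORED'; Reason = 'No CVSS score; needs second-source check' }
}

$CveRecords | ForEach-Object { Get-PatchPriority -Cve $_ -Kev $KevIds } | Format-Table -AutoSize
```

With the constructed input, the ActiveMQ record lands in P1-KEV despite having no score, the 9.8 record lands in P1, and the unscored web framework record lands in REVIEW-UNSCORED, which is the bucket a "Critical and High first" workflow would otherwise never see.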
Recommended actions
Derived from official NIST policy announcement and independent security research
03 · New · Ops Alert
April patches causing Windows domain controllers to enter restart loops
April 2026 Updates
What happened
Microsoft has warned that some Windows domain controllers are entering restart loops after installing the April 2026 security updates. This is the second patch-induced operational failure from this month's update cycle, following the BitLocker recovery issue on Windows Server 2025 covered in Issue 5. Domain controllers running affected configurations are entering repeated restart cycles after the update is applied, disrupting authentication services and Active Directory availability for any systems depending on those controllers. Microsoft is investigating and has not yet released a remediation update.
CyberSip™ Take
Two patch-induced operational failures in a single April update cycle is an unusually high rate. The BitLocker recovery issue hit Windows Server 2025. This one hits domain controllers. Both create genuine outages without any attacker involvement. The practical tension this creates is real: the April cycle also contains a SharePoint zero-day fix, the Windows IKE CVSS 9.8 patch, and other critical remediations that security teams are under pressure to deploy. Holding back patches to avoid operational risk and applying patches quickly to close vulnerability windows are now in direct conflict on the same cycle. The right call depends on your environment, but the decision should be deliberate rather than defaulting to either extreme. Test on non-production domain controllers before rolling out broadly and have a rollback plan ready.
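A pre-rollout check for the test domain controllers the take above recommends, as an added example that is not part of the brief and not Microsoft code: it counts boot events in a window to make a restart loop visible early, and lists updates installed since the patch window so the rollback candidate is known before it is needed. It uses Get-WinEvent with a FilterHashtable over the System log (Event ID 6005, Event Log service started, as the boot marker; 6008 as the unexpected-shutdown marker) and Get-HotFix. The window, the boot-count threshold, the patch-window start date and the KB number are assumptions or placeholders.

```powershell
# Added example: restart-loop indicator plus recent-update inventory for a DC.
# Event IDs 6005 and 6008 are standard System log IDs. The KB to roll back is a
# placeholder; take it from the affected update in the vendor advisory.

param(
    [int]$WindowHours = 24,            # assumed observation window
    [int]$MaxBootsBeforeAlarm = 3,     # assumed: more boots than this in the window looks like a loop
    [datetime]$PatchWindowStart = (Get-Date).AddDays(-7)   # assumed; set to your April rollout date
)

function Get-RebootLoopIndicator {
    param([int]$Hours, [int]$MaxBoots)
    $since = (Get-Date).AddHours(-$Hours)
    # FilterHashtable queries by log, ID list and start time in one call.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 6005, 6008; StartTime = $since } -ErrorAction SilentlyContinue
    $boots      = @($events | Where-Object Id -eq 6005)
    $unexpected = @($events | Where-Object Id -eq 6008)
    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        Boots          = $boots.Count
        UnexpectedStop = $unexpected.Count
        LoopSuspected  = ($boots.Count -gt $MaxBoots)
        LastBoot       = ($boots | Select-Object -First 1).TimeCreated   # events come newest first
    }
}

function Get-RecentHotfixes {
    param([datetime]$Since)
    # InstalledOn can be empty for some entries, so guard before comparing.
    Get-HotFix | Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $Since } |
        Select-Object HotFixID, Description, InstalledOn | Sort-Object InstalledOn -Descending
}

$indicator = Get-RebootLoopIndicator -Hours $WindowHours -MaxBoots $MaxBootsBeforeAlarm
$indicator | Format-List

if ($indicator.LoopSuspected) {
    Write-Warning "Boot count exceeds threshold; updates installed since $($PatchWindowStart):"
    Get-RecentHotfixes -Since $PatchWindowStart | Format-Table -AutoSize
    # Rollback stays a deliberate, manual step. The KB is a placeholder.
    Write-Host 'Rollback (after confirming the KB): wusa.exe /uninstall /kb:<KB-NUMBER-FROM-ADVISORY> /quiet /norestart'
}
```

Run it on the non-production controller after the update has been applied and the first reboot has completed; a rising boot count with no matching 6008 events points at a controlled restart cycle rather than a crash, which is the pattern to compare against the vendor's description before deciding whether to hold the rollout.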
Recommended actions
Derived from vendor support documentation and April 2026 Patch Tuesday analysis
Still watching
Aging items · days 2–7
Items here remain operationally relevant but have produced no significant new developments beyond what is covered above. They drop off after 7 days.
Apache ActiveMQ CVE-2026-34197 (Issue 6). Active exploitation ongoing. Federal deadline April 30. 7,500 exposed instances. Patch to 5.19.4 or 6.2.3. Day 3
nginx-ui CVE-2026-33032 (Issue 5). Active exploitation confirmed. Patch to version 2.3.4. Check /mcp_message endpoint authentication. Day 4
BitLocker recovery loop from KB5082063 (Issue 5). Verify recovery keys before rebooting any Windows Server 2025 system on the April patch. Day 4
Cross-source standouts
What connects this week
01
The tools you rely on to see threats are becoming attack targets themselves
Defender is the security platform on virtually every Windows endpoint. The NIST NVD is the primary free signal source most teams use to decide what to patch. The April patch cycle itself has now produced two separate operational failures. This week has surfaced a consistent theme: the infrastructure of defense — the detection platforms, the data sources, the update mechanisms — is under pressure from multiple directions simultaneously. Organizations that have built their security posture around single points of reliance in any of these areas are carrying more risk than their dashboards currently show.
02
Patching is getting harder precisely when it needs to be faster
The April cycle delivered fixes for a SharePoint zero-day, a CVSS 9.8 Windows IKE flaw, and critical remediations across Fortinet, Adobe, and Exchange. It also produced BitLocker recovery loops on Windows Server 2025 and now domain controller restart issues. The pressure to patch quickly is real. The risk of patching without testing is also real. That tension is not new, but the frequency of patch-induced failures this cycle is unusually high. If you do not have a tested rollback procedure for domain controllers and Windows Server, this week is a prompt to build one.
Our methodology
  • Federal cybersecurity advisories
  • Law enforcement threat bulletins
  • National vulnerability databases
  • Major vendor security advisories
  • Cross-referenced for relevance and corroboration
About CyberSip™
A cyber brief for leaders and practitioners who need signal, not noise. Intelligence without the noise, published on cybersip.net.

CyberSip™ aggregates cybersecurity information from publicly available sources for informational purposes only. CyberSip™ does not provide legal, technical, incident response, or compliance advice, and makes no guarantee regarding completeness, accuracy, or timeliness. Organizations should validate all findings within their own environments and consult qualified professionals as appropriate. Original advisories, remediation guidance, and technical details remain with the referenced source organizations. Items remain active for no more than 7 days from publication unless materially updated.