Lyrie
Defensive Playbook
By Lyrie.ai Senior Analyst Desk·5/7/2026

TL;DR

Three Windows Defender zero-days dropped within a 13-day window in April 2026. Microsoft patched exactly one of them. The surviving pair — RedSun and UnDefend — remain unpatched and actively exploited as of this writing. Layered on top: CVE-2026-35431, a CVSS 10.0 Server-Side Request Forgery vulnerability in Microsoft Entra ID (formerly Azure Active Directory), which Microsoft resolved server-side but which exposes a critical conceptual weakness in how cloud identity surfaces handle internal request routing. Together these four vulnerabilities describe a coherent and immediately exploitable kill chain: a low-privileged Windows user becomes SYSTEM, kills the one detection layer that might catch the next move, and then pivots directly into cloud identity infrastructure via an SSRF that spoofs requests to attacker-controlled endpoints. This playbook tells you how each piece works and exactly what to do about it.


Background: When Your Antivirus Becomes the Attack Surface

There is a particular cruelty to vulnerabilities discovered in security software itself. Defenders spend years hardening endpoints, deploying EDR, enforcing least privilege — and then the mechanism of enforcement becomes the vector. This is not a new pattern (Symantec, Sophos, Trend Micro have all had their moments), but the April 2026 Windows Defender cluster is notable for its density and its pairing with a simultaneous identity-layer critical.

On April 3, 2026, a researcher operating under the handle "Chaotic Eclipse" dropped a fully functional Windows local privilege escalation exploit on GitHub with no coordinated disclosure and no CVE assignment — a raw PoC dump. The exploit, later named BlueHammer, abused a race condition in Defender's threat remediation engine. Microsoft scrambled and included a patch for BlueHammer as CVE-2026-33825 (CVSS 7.8) in the April 8 Patch Tuesday cycle.

What they did not patch: RedSun and UnDefend, two additional exploits that surfaced in the same 13-day window, each attacking different subsystems of Defender's architecture. By April 10 — two days after the patch dropped — Huntress threat intelligence observed a hands-on-keyboard threat actor gain initial access through a compromised SSL VPN account and then escalate privileges using one of the remaining unpatched Defender vulnerabilities. The attacker was not a theoretical construct. They were operational.

The Entra ID story runs in parallel. CVE-2026-35431 is a Server-Side Request Forgery in Microsoft Entra ID's application-level request processing. It carries the maximum CVSS score of 10.0 and an EPSS score of 0.07 — low exploitation probability according to statistical models, but the CVSS 10 indicates zero authentication required, any network access, and complete impact across all three security pillars. Microsoft states the vulnerability was remediated server-side in May 2026, meaning no end-user patch action is required, but the attack surface it exposed is architectural and worth understanding deeply.


Technical Analysis

CVE-2026-33825 — BlueHammer: TOCTOU in Defender's Remediation Engine

The root cause is a classic time-of-check to time-of-use (TOCTOU) race condition inside Windows Defender's file remediation subsystem — the component responsible for cleaning up detected malware files. The attack proceeds as follows:

1. Trigger detection. The attacker places a file that matches a Defender signature. Defender's real-time protection engine detects it and initiates automated remediation. At this point Defender opens the file with SYSTEM-level privileges and prepares to delete or quarantine it.

2. Oplock pause. The exploit registers a batch opportunistic lock (oplock) on the target file, which pauses Defender's file I/O at a critical juncture — the moment between Defender's path validation check and its actual write operation.

3. Filesystem manipulation. During the oplock pause window (typically 50–200ms), the exploit creates an NTFS junction point (a reparse point / symbolic directory link) in the temporary directory that Defender is targeting. This junction redirects Defender's target path from the attacker-controlled temp directory to C:\Windows\System32.

4. Release and overwrite. When the oplock is released, Defender resumes execution, follows the junction blindly under its SYSTEM privileges, and writes to the redirected System32 path. The attacker has positioned a malicious binary at the expected System32 target filename.

5. SYSTEM execution. The overwritten system service binary executes on the next service start, delivering SYSTEM-level code execution to the unprivileged attacker.

Affected versions: Microsoft Defender Antimalware Platform versions prior to 4.18.26030.3011. All supported Windows 10/11 and Server 2016–2025. Patched in April 2026 Patch Tuesday.
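The race in steps 2 through 4 as a runnable POSIX analogue, written for this playbook rather than taken from the page or from Microsoft's code: a symlink stands in for the NTFS junction, a constructed `after_check` hook stands in for the oplock pause, and the hardened variant shows the pattern that closes the window (pin the directory handle, refuse to follow links, verify the handle you actually opened rather than the name you asked for). Directory and file names are constructed.

```python
# Added example (not from the page or Microsoft): POSIX analogue of the BlueHammer race.
# A symlink stands in for the NTFS junction; the constructed `after_check` hook for the oplock pause.
import os
import stat
import tempfile

def unsafe_write(base_dir, name, data, after_check=None):
    """Check the name, then write by name: the TOCTOU shape the page describes."""
    path = os.path.join(base_dir, name)
    # Time of check: the name resolves inside base_dir right now ...
    if not os.path.realpath(path).startswith(os.path.realpath(base_dir) + os.sep):
        raise PermissionError("path escapes base_dir")
    if after_check:
        after_check()  # ... but the filesystem can change before the write.
    with open(path, "wb") as fh:  # time of use: follows whatever the name points at *now*
        fh.write(data)

def safe_write(base_dir, name, data, after_check=None):
    """Pin the directory handle, refuse to follow links, verify the object actually opened."""
    if os.sep in name or name in ("", ".", ".."):
        raise ValueError("name must be a single path component")
    dfd = os.open(base_dir, os.O_RDONLY | os.O_DIRECTORY)  # the directory cannot be swapped out
    try:
        if after_check:
            after_check()  # same race window; the attacker acts here too
        flags = os.O_WRONLY | os.O_CREAT | os.O_NOFOLLOW  # a planted link fails with ELOOP
        fd = os.open(name, flags, 0o600, dir_fd=dfd)
        try:
            if not stat.S_ISREG(os.fstat(fd).st_mode):  # judge the handle, not the name
                raise PermissionError("opened object is not a regular file")
            os.write(fd, data)
        finally:
            os.close(fd)
    finally:
        os.close(dfd)

def demo():
    """Constructed scenario: in the race window the expected temp file becomes a link into a 'system32' stand-in."""
    root = tempfile.mkdtemp()
    temp_dir, sys_dir = os.path.join(root, "temp"), os.path.join(root, "system32")
    for d in (temp_dir, sys_dir):
        os.mkdir(d)
    victim = os.path.join(sys_dir, "svc.bin")  # the binary a SYSTEM write would clobber
    open(victim, "wb").close()
    def plant_link():
        link = os.path.join(temp_dir, "payload.tmp")
        if os.path.lexists(link):
            os.remove(link)
        os.symlink(victim, link)
    unsafe_write(temp_dir, "payload.tmp", b"evil", after_check=plant_link)
    escaped = open(victim, "rb").read() == b"evil"  # the write landed outside temp_dir
    open(victim, "wb").close()  # reset the target before the hardened run
    try:
        safe_write(temp_dir, "payload.tmp", b"evil", after_check=plant_link)
        blocked = False
    except OSError:  # ELOOP from O_NOFOLLOW, or the PermissionError above
        blocked = True
    return {"unsafe_escaped": escaped, "safe_blocked": blocked,
            "victim_intact": open(victim, "rb").read() == b""}
```

The pinned directory handle plus O_NOFOLLOW is the Unix form of the check Defender's remediation path lacked; on Windows the equivalent is opening the target with reparse-point following disabled and validating the final path of the handle, not the string.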


RedSun: Cloud Rollback Mechanism Abuse (UNPATCHED)

RedSun attacks a different Defender component: the cloud file rollback mechanism. When Defender detects and quarantines a cloud-tagged file (a file with the FILE_ATTRIBUTE_RECALL_ON_DATA_ACCESS attribute or cloud placeholder status), it attempts to restore the original version via the Windows Cloud Files API. The flaw: Defender does not validate the restoration target path before performing a privileged write.

The attacker:

1. Crafts a malicious file and marks it as a cloud placeholder via the Windows Cloud Files API (CfCreatePlaceholders).

2. Triggers a Defender detection on the crafted file.

3. At the moment Defender initiates rollback, the attacker races to swap the target path via filesystem manipulation.

4. Defender writes the "original" (attacker-supplied) file to a privileged directory under SYSTEM context.

The result is the same: SYSTEM-level file write, enabling privilege escalation. No patch available as of May 7, 2026.


UnDefend: The Silent Degradation Exploit (UNPATCHED)

UnDefend operates on a longer timeline and at a lower noise level. Rather than escalating privileges directly, it targets Defender's signature update mechanism, specifically the integrity verification logic for delta signature packages. By manipulating how Defender processes incremental definition updates, UnDefend can:

  • Silently stall definition updates, leaving Defender's detection capability frozen at a prior state
  • Over time (24–72 hours in test environments), degrade detection rates for common malware families as new signatures go unapplied
  • Suppress update failure notifications in some configurations, making the degradation invisible to end users and local logging

When used in sequence with an LPE exploit, UnDefend functions as a persistence enabler: first BlueHammer/RedSun delivers SYSTEM access; then UnDefend ensures Defender stays blind to the next stage implant. No patch available as of May 7, 2026.


CVE-2026-35431 — Entra ID SSRF: CVSS 10.0

Entra ID (Microsoft's cloud identity platform serving authentication, conditional access, and token issuance for hundreds of millions of enterprise accounts) contains a Server-Side Request Forgery vulnerability in an application-layer request processing component. The flaw allows an unauthenticated attacker who can reach Entra ID's service endpoints to cause the Entra ID service to make outbound HTTP requests to attacker-specified internal or external destinations.

SSRF vulnerabilities in cloud identity systems are disproportionately dangerous for three reasons:

1. Internal network reach. Entra ID services run inside Microsoft's Azure backbone, which has privileged network paths to other internal Azure services including the Instance Metadata Service (IMDS) of Azure VMs, Azure Resource Manager APIs, and internal service meshes. An SSRF on Entra ID is not the same as an SSRF on a simple web app — the blast radius includes Azure-internal metadata and token endpoints unreachable from the public internet.

2. Credential/token reachability. IMDS on Azure VMs exposes managed identity tokens at http://169.254.169.254/metadata/identity/oauth2/token. A single successful SSRF pivot to this endpoint yields a valid OAuth bearer token for the VM's managed identity, potentially scoped to read Key Vault secrets, write to Storage Accounts, or modify resource group permissions.

3. Network spoofing amplification. At CVSS 10.0, CVE-2026-35431 received maximum scores across all three impact categories (Confidentiality / Integrity / Availability). The network spoofing potential means an attacker could use the Entra ID service as an unwitting request forwarder to conduct internal reconnaissance, port scanning of Azure-private RFC1918 ranges, or token harvesting — all originating from a trusted Microsoft IP.

Microsoft applied a server-side fix in early May 2026, meaning the vulnerability is remediated without end-user action for cloud-hosted Entra ID tenants. However, hybrid or sovereign-cloud deployments with local Entra ID components may require additional attention.


The Combined Kill Chain

The operational sequence an adversary following current in-the-wild behavior would run:

[1] Initial Access
    └── Compromised low-priv credential (VPN/RDP/phishing)
        └── Authenticated session as standard user on Windows endpoint

[2] Privilege Escalation (Defender LPE)
    └── CVE-2026-33825 (BlueHammer) if unpatched — OR —
    └── RedSun if patch deployed (RedSun still 0-day)
        └── SYSTEM-level code execution

[3] Defense Suppression
    └── UnDefend: stall Defender definition updates
    └── Remove monitoring hooks, disable audit logging

[4] Credential Harvest
    └── Dump LSASS / Mimikatz / token theft
    └── Extract Entra ID refresh/access tokens from credential cache

[5] Cloud Pivot (if Entra ID SSRF window still viable)
    └── CVE-2026-35431: forge requests from Entra ID to IMDS
    └── Harvest Azure managed identity OAuth tokens
    └── Access Key Vault, Storage, resource management APIs

[6] Persist / Exfiltrate
    └── Backdoor Azure service principal
    └── Create rogue OAuth app registration
    └── Exfiltrate data through legitimate storage or egress channels

Huntress confirmed steps 1–3 in the wild as of April 10, 2026. Steps 4–6 are the logical continuation observed in prior cloud-hybrid attack campaigns (LAPSUS$, Storm-0558 pattern) and represent the expected progression.


IOCs and Detection Indicators

File System / Process Indicators:

  • NTFS junction points (\??\ -prefixed paths) created in TEMP directories by non-admin processes
  • MsMpEng.exe writing to C:\Windows\System32\ (anomalous parent path)
  • Batch oplock handles held by user-space processes against Defender quarantine directories
  • Cloud Files API calls (CfCreatePlaceholders) from unsigned or low-rep processes
  • MpCmdRun.exe -SignatureUpdate returning errors repeatedly without user notification

Entra ID / Azure Indicators:

  • Unusual outbound HTTP requests from Microsoft Azure IP ranges to RFC1918 or IMDS IP spaces
  • New OAuth application registrations created shortly after interactive login (sign-in logs)
  • Managed identity token requests with anomalous client_id or unusual calling application
  • Entra ID conditional access policy changes from previously unseen IP addresses
  • Service principal credential additions outside normal provisioning windows

Defender Update Degradation:

  • HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates\SignatureVersion not advancing daily
  • Event ID 2001 (definition update failed) repeated without subsequent 2000 (success) in 24+ hour windows
  • PowerShell query: Get-MpComputerStatus | Select-Object AntivirusSignatureLastUpdated — stale dates
  • AntivirusSignatureAge > 3 days in Get-MpComputerStatus output

Lyrie Take

This cluster reveals a structural tension in how modern endpoint security is architected. Windows Defender runs with SYSTEM privileges by design — it needs that access to remediate malware that has embedded itself in protected paths. But SYSTEM-level processes that perform privileged writes based on attacker-influenceable file paths, without adequate time-of-use validation, are precisely the kind of target that sophisticated attackers spend months finding. The TOCTOU class of vulnerability is decades old. Finding three exploitable instances in a single product's subsystems within 13 days suggests either systemic under-investment in race-condition auditing for Defender's internals, or that a dedicated research effort specifically targeted Defender's privileged I/O operations — which is exactly what red teams and nation-state pre-positioning groups do when preparing for a campaign.

The Entra ID SSRF at CVSS 10.0 is the broader story. Identity platforms — Okta, Entra ID, Ping, CyberArk — are now first-class attack targets. They sit at the intersection of on-premise networks and cloud infrastructure, they authenticate tokens with massive blast-radius scopes, and they run on complex internal microservice architectures with rich internal HTTP routing. SSRF vulnerabilities in identity platforms are not accidents; they are the predictable consequence of SSRF being treated as a "web app" problem rather than an infrastructure-layer threat. Every identity platform should have SSRF hardening as a first-class security requirement, not an afterthought.

For organizations running Windows + Entra ID (the overwhelming majority of the Fortune 10,000), this week's threat landscape represents a near-complete bypass pathway from a single phished credential to full cloud infrastructure access. That should concentrate minds.


Defender Playbook — Immediate Actions

Priority 1: Patch Windows Defender (Within 24 Hours)

Verify current Defender Antimalware Platform version:

Get-MpComputerStatus | Select-Object AMProductVersion, AntivirusSignatureVersion, AntivirusSignatureLastUpdated

Target: AMProductVersion 4.18.26030.3011 or later (the version containing the CVE-2026-33825 patch).

If below target:

# Force a definition (signature) update; platform updates themselves arrive through Windows Update / WSUS
Update-MpSignature -UpdateSource MicrosoftUpdateServer

Or via WSUS/SCCM/Intune — ensure Defender platform updates (distinct from definition updates) are delivered and not blocked by any policy that defers feature updates.

For RedSun and UnDefend (no patch yet):

Apply workaround controls (see Priority 3) and monitor Microsoft MSRC for emergency out-of-band patches. Subscribe to MSRC security update notifications at https://msrc.microsoft.com/update-guide/en-US/security-update-notification-preferences.

Priority 2: Verify Entra ID Remediation Coverage

Microsoft applied a server-side fix for CVE-2026-35431. Confirm your tenant is fully covered:

  • Worldwide and GovCloud tenants: Server-side remediation is automatic; no action required.
  • Sovereign/air-gapped/21Vianet: Check with your Microsoft account team for patch delivery timeline.
  • On-premises Active Directory Federation Services (ADFS): CVE-2026-35431 targets cloud Entra ID. If you use ADFS rather than cloud Entra ID, your exposure profile is different — audit your ADFS deployment for SSRF vectors independently.

Audit for post-exploitation indicators in Entra ID logs:

// Unusual new app registrations
AuditLogs
| where OperationName == "Add application"
| where TimeGenerated > ago(14d)
| project TimeGenerated, InitiatedBy, Result, TargetResources

// Service principal credential additions
AuditLogs
| where OperationName contains "Add service principal credentials"
| where TimeGenerated > ago(14d)
| project TimeGenerated, InitiatedBy, Result, TargetResources

Priority 3: Harden Against Unpatched RedSun / UnDefend

Restrict Cloud Files API access:

# Block CldFlt driver (Cloud Filter Driver) if cloud sync (OneDrive) is not required
# (sc requires the space after "start=")
sc config CldFlt start= disabled

For environments using OneDrive: restrict which processes can call CfCreatePlaceholders via AppLocker / WDAC rules limiting Cloud Files API use to OneDrive.exe and explicitly signed binaries.

Monitor Defender definition freshness via scheduled task:

# Alert if signature age > 2 days (the event source must be registered once, elevated, before Write-EventLog will accept it)
$source = "DefenderAgeCheck"
if (-not [System.Diagnostics.EventLog]::SourceExists($source)) {
    New-EventLog -LogName Application -Source $source
}
$status = Get-MpComputerStatus
if ($status.AntivirusSignatureAge -gt 2) {
    Write-EventLog -LogName Application -Source $source -EventId 9001 -EntryType Warning -Message "Defender signatures aged $($status.AntivirusSignatureAge) days — possible UnDefend activity"
}
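The UnDefend indicators from the IOC list (Event ID 2001 repeated without a later 2000, stale AntivirusSignatureAge) as detection logic over constructed Defender operational-log lines, the kind a scheduled task could export with Get-WinEvent; this is an added example, not code from the page, and the CSV layout, the three hosts and the thresholds are assumptions.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

EVT_UPDATE_OK = 2000      # Microsoft-Windows-Windows Defender/Operational: definitions updated
EVT_UPDATE_FAILED = 2001  # definition update failed

def parse_events(text):
    """Yield (timestamp, event_id) from constructed 'time,event_id' CSV lines,
    the shape a scheduled Get-WinEvent export could produce (assumption)."""
    for row in csv.DictReader(io.StringIO(text)):
        ts = datetime.fromisoformat(row["time"].replace("Z", "+00:00"))
        yield ts, int(row["event_id"])

def detect_definition_stall(events, signature_age_days, now,
                            window_hours=24, min_failures=2, max_age_days=2):
    """Return (stalled, reasons). Flags repeated 2001s with no later 2000 inside the
    window, and a signature age past max_age_days even with no events at all, since
    UnDefend can suppress the failure notifications themselves."""
    events = list(events)
    cutoff = now - timedelta(hours=window_hours)
    failures = sorted(ts for ts, eid in events if eid == EVT_UPDATE_FAILED and ts >= cutoff)
    successes = sorted(ts for ts, eid in events if eid == EVT_UPDATE_OK and ts >= cutoff)
    reasons = []
    if len(failures) >= min_failures and (not successes or successes[-1] < failures[-1]):
        reasons.append(f"{len(failures)} failed updates (2001) in {window_hours}h, no later success (2000)")
    if signature_age_days > max_age_days:
        reasons.append(f"AntivirusSignatureAge {signature_age_days}d exceeds {max_age_days}d")
    return bool(reasons), reasons

NOW = datetime(2026, 5, 7, 12, 0, tzinfo=timezone.utc)  # constructed evaluation time

# Constructed hosts. HEALTHY: one failure followed by success. STALLED: three
# failures and no success in the window. SILENT: no events at all, stale signatures.
HEALTHY = """time,event_id
2026-05-06T13:00:00Z,2001
2026-05-06T14:00:00Z,2000
2026-05-07T02:00:00Z,2000
"""
STALLED = """time,event_id
2026-05-05T09:00:00Z,2000
2026-05-06T13:00:00Z,2001
2026-05-06T19:00:00Z,2001
2026-05-07T01:00:00Z,2001
"""
SILENT = "time,event_id\n"

def triage():
    """Evaluate the three constructed hosts; ages are what Get-MpComputerStatus would report."""
    return {
        "healthy": detect_definition_stall(parse_events(HEALTHY), 0, NOW),
        "stalled": detect_definition_stall(parse_events(STALLED), 3, NOW),
        "silent": detect_definition_stall(parse_events(SILENT), 3, NOW),
    }
```

The SILENT host is the case the scheduled task above is really for: with failure events suppressed, signature age is the only signal left.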

Enable Defender Tamper Protection via Intune:

Endpoint Security → Antivirus → Microsoft Defender Antivirus → Tamper Protection: Enabled

Tamper Protection prevents UnDefend from modifying update configurations via API calls outside of management channels.

Priority 4: Reduce TOCTOU Exposure Surface

  • Enable Windows Defender Credential Guard on all endpoints — limits the credential dumping step that bridges LPE to cloud pivot.
  • Restrict NTFS symbolic links / junction creation for non-admin users via Group Policy: Computer Configuration → Windows Settings → Security Settings → Local Policies → User Rights Assignment → Create Symbolic Links — remove BUILTIN\Users.
  • Deploy File System Access Auditing on C:\Windows\System32\ for write events by non-SYSTEM processes.
  • Enforce Exploit Protection (Exploit Guard → Force Randomization for Images (Mandatory ASLR)) on MsMpEng.exe to increase race condition exploitation difficulty.

Priority 5: Contain Cloud Blast Radius

  • Audit managed identity scopes. Pull all managed identity role assignments across subscriptions: az role assignment list --all --include-classic-administrators. Remove any Contributor or Owner assignments from VM managed identities not explicitly required.
  • Enforce Conditional Access Policies requiring Compliant Device for all Entra ID sign-ins, including service principal interactive flows.
  • Enable Privileged Identity Management (PIM) for all Azure AD roles. Just-in-time elevation prevents rogue service principal escalation.
  • Block IMDS access from unexpected processes: On Azure VMs, firewall 169.254.169.254:80 to only be accessible by the management agent and authorized applications via OS-level iptables/Windows Firewall rules.

Priority 6: Detection Engineering

Add the following detections to your SIEM / EDR platform:

| Detection | Signal | Severity |
|---|---|---|
| Defender LPE attempt | MsMpEng.exe writes to System32\ via junction path | Critical |
| Oplock abuse | User process holds batch oplock on Defender quarantine path | High |
| Cloud File placeholder creation | CfCreatePlaceholders call from unsigned process | High |
| Defender definition stall | AntivirusSignatureAge > 48h without update success event | High |
| New Entra app registration | Outside change window or from unrecognized IP | High |
| IMDS token fetch anomaly | 169.254.169.254 metadata request from non-agent process | Critical |
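The table's IMDS row, together with the earlier Azure indicator on requests to RFC1918 or IMDS address space, as added detection logic over constructed process-network events (not code from the page or from Microsoft); the agent allowlist, the event field names and the sample events are assumptions to tune per environment.

```python
import ipaddress

IMDS = ipaddress.ip_address("169.254.169.254")
TOKEN_PATH = "/metadata/identity/oauth2/token"  # managed identity token endpoint named on the page
# Assumption: processes expected to talk to IMDS on an Azure Windows VM; tune per environment.
AGENT_ALLOWLIST = {"waappagent.exe", "windowsazureguestagent.exe"}

def classify_destination(ip_text):
    """Bucket a destination address the way the indicators above distinguish them."""
    ip = ipaddress.ip_address(ip_text)
    if ip == IMDS:
        return "imds"
    if ip.is_link_local:      # rest of 169.254.0.0/16, checked before is_private
        return "link-local"
    if ip.is_private:         # RFC1918 and other non-routable ranges
        return "rfc1918"
    return "public"

def triage_events(events, allowlist=AGENT_ALLOWLIST):
    """events: dicts with process, dst_ip, dst_port and (for HTTP) path.
    Returns (severity, process, reason) alerts, severities per the table above."""
    alerts = []
    for ev in events:
        if classify_destination(ev["dst_ip"]) != "imds":
            continue  # the table's IMDS row only; RFC1918 traffic is normal on a VM
        if ev["process"].lower() in allowlist:
            continue
        if ev["dst_port"] == 80 and ev.get("path", "").startswith(TOKEN_PATH):
            alerts.append(("critical", ev["process"], "managed identity token fetch from non-agent process"))
        else:
            alerts.append(("high", ev["process"], "IMDS metadata request from non-agent process"))
    return alerts

# Constructed sample events: one legitimate agent call, one token request from an
# interactive shell, one metadata probe, one ordinary outbound connection.
SAMPLE_EVENTS = [
    {"process": "WindowsAzureGuestAgent.exe", "dst_ip": "169.254.169.254", "dst_port": 80,
     "path": "/metadata/instance"},
    {"process": "powershell.exe", "dst_ip": "169.254.169.254", "dst_port": 80,
     "path": "/metadata/identity/oauth2/token?api-version=2018-02-01"},
    {"process": "curl.exe", "dst_ip": "169.254.169.254", "dst_port": 80,
     "path": "/metadata/instance"},
    {"process": "msedge.exe", "dst_ip": "20.50.1.1", "dst_port": 443},
]

def triage():
    """Run the rule over the constructed events."""
    return triage_events(SAMPLE_EVENTS)
```

The same allowlist is what the Priority 5 firewall rule for 169.254.169.254:80 should be built from, so the detection and the block agree on who is allowed to reach IMDS.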


Sources

1. Picus Security — "BlueHammer & RedSun: Windows Defender CVE-2026-33825 Zero-day Vulnerability Explained" (May 4, 2026): https://www.picussecurity.com/resource/blog/bluehammer-redsun-windows-defender-cve-2026-33825-zero-day-vulnerability-explained

2. Tech Jacks Solutions — "Unpatched Windows Defender LPE Zero-Days (RedSun, UnDefend) Under Active Exploitation After PoC Leak" (May 5, 2026): https://techjacksolutions.com/scc-intel/unpatched-windows-defender-lpe-zero-days-redsun-undefend-under-active-exploitation-after-poc-leak-cve-2026-33825-bluehammer-patched/

3. IT-Boltwise — "Sicherheitslücken in Microsoft Defender und Entra ID: Dringende Updates erforderlich" [Security vulnerabilities in Microsoft Defender and Entra ID: urgent updates required] (May 4, 2026): https://www.it-boltwise.de/sicherheitsluecken-in-microsoft-defender-und-entra-id-dringende-updates-erforderlich.html

4. Security-Insider — "Aktiv ausgenutzte Microsoft Defender LPE & Entra ID SSRF" [Actively exploited Microsoft Defender LPE & Entra ID SSRF] (May 4, 2026): https://www.security-insider.de/microsoft-defender-lpe-cve-2026-33825-entra-id-ssrf-cve-2026-35431-a-33bdc775a7c3a02bc92508053041b47a/

5. Cyderes — "BlueHammer: Inside the Windows Zero-Day" (April 2026): https://www.cyderes.com/howler-cell/windows-zero-day-bluehammer

6. CISA Known Exploited Vulnerabilities Catalog — CVE-2026-33825 entry: https://www.cisa.gov/known-exploited-vulnerabilities-catalog

7. Microsoft MSRC — CVE-2026-33825: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33825


Lyrie.ai Cyber Research Division — Senior Analyst Desk

Lyrie Verdict

Lyrie's autonomous defense layer flags this class of exposure the moment it surfaces — no signature update required.