– Federal agencies must patch RedSun (CVE-2026-41091) and UnDefend (CVE-2026-45498) by June 3 to comply with CISA’s Binding Operational Directive 22-01.
– RedSun grants SYSTEM privileges via the Defender tiering engine; UnDefend blinds Defender entirely, enabling ransomware or lateral movement.
– Verify Malware Protection Engine 1.1.26040.8 and Antimalware Platform 4.18.26040.7 in Windows Security before the deadline.
– Three unpatched zero-days remain: YellowKey (BitLocker bypass), GreenPlasma (CTFMON privilege escalation), and MiniPlasma (cldflt.sys exploit, works on fully patched Windows 11/Server 2022/2025).
– Mitigate YellowKey immediately by disabling WinRE’s autofstx.exe and switching BitLocker from TPM-only to TPM+PIN.
Federal Agencies Face Urgent Microsoft Defender Patches Deadline
Federal agencies have until June 3 to apply fixes for two actively exploited Microsoft Defender vulnerabilities tied to the Nightmare Eclipse disclosure campaign. With that deadline 48 hours away, three additional Windows zero-days from the same researcher remain unpatched, and June 9 is the next opportunity Microsoft has to address them. The current situation demands immediante action from IT departments managing government systems.
Background on the Nightmare Eclipse Campaign and CISA Involvement
The saga began in early April when Nightmare Eclipse dropped BlueHammer (CVE-2026-33825), patched in the April 14 Patch Tuesday with its CISA deadline passing in early May. The current countdown is anchored by a separate CISA action on May 20, adding RedSun (CVE-2026-41091) and UnDefend (CVE-2026-45498) to the Known Exploited Vulnerabilities catalog after Huntress confirmed active exploitation in real-world attacks. CISA mandated remediation under Binding Operational Directive 22-01 with a 14-day window. Thesse vulnerabilities are being actively used in attacks right now according to security researchers.
Technical Details of RedSun and UnDefend Vulnerabilities
RedSun targets the Defender tiering engine to escalate privileges to SYSTEM. UnDefend triggers a denial-of-service condition in the Antimalware Platform, blinding Defender entirely and creating a window for ransomware deployment or lateral movement without triggering alerts. Both vulnerabilities allow attackers to bypass critical security features in Windows Defender. The impact is severe for enterprise environments where Defender is a primary line of defense.
Required Version Numbers for Patching
Both are fixed in Malware Protection Engine 1.1.26040.8 and Antimalware Platform 4.18.26040.7. Verify those version numbers in Windows Security settings before June 3. Administrators should check these version numbers manually to ensure updates have been applied correctly. Failure to meet this deadline could result in compliance violations for federal agencies.
Additional Unpatched Zero-Days From Nightmare Eclipse
YellowKey (CVE-2026-45585) bypasses BitLocker on TPM-only systems via the Windows Recovery Environment, allowing physical access to unlock encrypted drives without a recovery key. GreenPlasma is a CTFMON privilege escalation flaw with no CVE and no patch. MiniPlasma re-exploits CVE-2020-17103 in cldflt.sys, a 2020 flaw whose patch was either incomplete or silently regressed. These vulnerabilities present serious risks for organisations that rely on BitLocker for data protection.
Confirmed Exploitation on Modern Windows Systems
ThreatLocker and Will Dormann confirmed it still produces a SYSTEM shell on fully patched Windows 11 and Windows Server 2022 and 2025. Windows 10 is unaffected, which matters for teams managing mixed fleets. This discrepency means administrators cannot assume all systems are equally vulnerable. Testing should be conducted on relevant operating systems to understand exposure.
Mitigation Steps for YellowKey BitLocker Bypass
For YellowKey, run reagentc /disable, mount the offline WinRE registry hive, remove autofstx.exe from BootExecute under ControlSet001ControlSession Manager, then run reagentc /enable to commit the change. Transition BitLocker from TPM-only to TPM+PIN wherever possible. This manual process is required until Microsoft releases an official patch. Organisations should prioritise this mitigation for high-security systems.
Future Timeline for Remaining Vulnerabilities
Nightmare Eclipse has signalled a July 14 release targeting that month’s Patch Tuesday. This provides a timeline for planning additional security updates. Cisa.gov Microsoft/CVE-2026-41091 Microsoft/CVE-2026-45498
