- microsoft
- defender
- cve
- denial-of-service
- windows
- edr
- local
news
UnDefend: Defender Update-Pipeline DoS (CVE-2026-45498)
Nightmare-Eclipse standard-user PoC locks Defender signature/engine files — passive mode blocks updates, aggressive mode can disable the engine on platform updates; CISA KEV.
Summary
UnDefend is the third Nightmare-Eclipse cluster tool — a denial-of-service weapon against Microsoft Defender published in April 2026. Unlike BlueHammer and RedSun, it requires no privilege escalation primitives: a standard local user can disrupt Defender's ability to update signatures or, in aggressive mode, disable the engine during major platform update cycles. Microsoft assigned CVE-2026-45498 and patched in Defender Antimalware Platform 4.18.26040.7 (May 2026 OOB, engine 1.1.26040.8). CISA KEV and confirmed in-the-wild exploitation followed.
The PoC README describes two modes: passive blocks all signature updates so new Microsoft threat intelligence never reaches the host; aggressive targets complete Defender disablement when a major platform update (MsMpEng.exe and related binaries) is pending — passive is the default because platform updates are infrequent. The researcher also claims unpublished code can spoof Defender health telemetry (MSFT_MpComputerStatus / Intune-visible "protected" state) while the product is degraded — that component was intentionally withheld from release.
Huntress documented UnDefend deployed alongside RedSun in live intrusions: freeze detection baseline, then escalate privileges. OFFSITE.DARK indexes the public PoC and defensive analysis only.
Technical Details
| Aspect | Detail |
|---|---|
| CVE | CVE-2026-45498 |
| Component | Microsoft Defender Antimalware Platform — signature and engine update pipeline |
| Root cause | Exclusive file locking on critical Defender update artifacts without elevation |
| Privileges required | Standard local user (no admin, no SYSTEM) |
| Modes | Passive (signature update block) / Aggressive (engine disable on platform update) |
| Patch | Defender platform ≥ 4.18.26040.7 |
| CVSS | 4.0 Medium (DoS classification) |
| Typical symptom | Windows Update error 80070643 during Defender signature update attempts |
UnDefend is structurally simpler than junction-based LPE siblings. Public analysis (nefariousplan.com, CSA) describes four independent locking mechanisms in ~450 lines of C++ — any one can succeed if others fail. The tool uses longstanding Windows file-locking primitives to hold exclusive locks on paths Defender must write during update, causing silent degradation rather than crash loops.
Operational pairing in attack chains
| Stage | Tool | Effect |
|---|---|---|
| 1 | UnDefend (passive) | Signature pipeline frozen — new detections for post-exploitation payloads fail |
| 2 | RedSun / BlueHammer | LPE to SYSTEM using stale signature baseline |
| 3 | (Withheld spoofing) | Management consoles may still report healthy Defender state |
Defender Event ID and SCCM/Intune health checks that rely on WMI MSFT_MpComputerStatus without corroborating behavioral telemetry are insufficient when spoofing techniques exist — even though the full spoofing PoC was not published.
CVE
| Field | Value |
|---|---|
| CVE | CVE-2026-45498 |
| CVSS 3.1 | 4.0 Medium |
| Published | 2026-05-20 (May 2026 OOB cycle) |
| Fixed version | Microsoft Defender Antimalware Platform 4.18.26040.7 |
| Exploit status | Weaponized PoC; CISA KEV; ITW with RedSun |
Impact
- Defense evasion — endpoints run with outdated signatures while appearing operationally normal to update-dependent workflows.
- Persistence enabler — subsequent malware faces weakened static detection until updates succeed or Tamper Protection intervenes.
- No elevation required — any compromised standard user can attempt disruption without prior admin access.
- Enterprise blind spots — compliance dashboards showing green Defender status may not reflect degraded protection if health telemetry is spoofed (unpublished technique; researcher-confirmed).
Mitigation
- Deploy Defender platform ≥ 4.18.26040.7 and verify engine ≥ 1.1.26040.8 enterprise-wide.
- Enable Tamper Protection and EDR block mode so cloud-delivered rules can fire even when local signature refresh fails.
- Alert on repeated error 80070643 across multiple endpoints simultaneously (possible coordinated UnDefend deployment).
- Correlate WMI health status with behavioral signals: signature age after failed updates, MpSigStub.exe lock failures, anomalous exclusive handles on Defender data directories.
- Treat UnDefend indicators as precursor activity — isolate and hunt for cluster LPE tools (RedSun, RoguePlanet) on affected hosts.
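An added defensive check, not code from the PoC, Microsoft, or any of the analyses cited here: this PowerShell snippet correlates the WMI health view (Get-MpComputerStatus) with Defender Operational log update failures, so a host that reports "healthy" while its signature pipeline is stalled stands out. It assumes Event ID 2001 is the Defender signature-update-failure event and uses constructed thresholds (2-day signature age, 3 failures in 24 h) that you should tune.

```powershell
# Added example: flag hosts whose WMI status looks healthy while the
# signature-update pipeline is failing with the 80070643 symptom.
# Patched versions are the ones the advisory states; thresholds are constructed.
$PatchedPlatform  = [version]'4.18.26040.7'
$PatchedEngine    = [version]'1.1.26040.8'
$MaxSigAgeDays    = 2      # constructed threshold
$FailureThreshold = 3      # constructed threshold
$LookbackHours    = 24

$status = Get-MpComputerStatus

# Assumption: Event ID 2001 in the Defender Operational log records a
# failed security intelligence (signature) update.
$failures = @(Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 2001
    StartTime = (Get-Date).AddHours(-$LookbackHours)
} -ErrorAction SilentlyContinue)

# 80070643 is the error the advisory lists for locked update artifacts.
$lockLike = @($failures | Where-Object { $_.Message -match '80070643' })

$findings = [ordered]@{
    Host              = $env:COMPUTERNAME
    PlatformPatched   = ([version]$status.AMProductVersion -ge $PatchedPlatform)
    EnginePatched     = ([version]$status.AMEngineVersion  -ge $PatchedEngine)
    WmiReportsHealthy = ($status.AMServiceEnabled -and $status.RealTimeProtectionEnabled)
    TamperProtected   = $status.IsTamperProtected
    SignatureAgeDays  = $status.AntivirusSignatureAge
    UpdateFailures    = $failures.Count
    Failures80070643  = $lockLike.Count
}

# "Green" WMI status + stale signatures + repeated 80070643 failures is the
# passive-mode pattern worth escalating; unpatched hosts are higher priority.
$findings.Suspect = (
    $findings.WmiReportsHealthy -and
    ($findings.SignatureAgeDays -ge $MaxSigAgeDays) -and
    ($findings.Failures80070643 -ge $FailureThreshold)
)

[pscustomobject]$findings | Format-List
if ($findings.Suspect) {
    Write-Warning "Possible Defender update-pipeline DoS on $($findings.Host): isolate and hunt for cluster LPE tools."
}
```

Run it through your RMM or Intune remediation scripts across the fleet and aggregate on Suspect = True to catch the "multiple endpoints simultaneously" case the mitigation list calls out.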
Sources
- Project Nightcrawler — NightmareEclipse/UnDefend (primary PoC source)
- Church of Malware git — Nightmare_Eclipse/UnDefend (historical mirror)
- Microsoft MSRC — CVE-2026-45498
- SecurityWeek — UnDefend and RedSun OOB patches
- CSA Research — Defender triple zero-day note
- nefariousplan.com — UnDefend analysis
- OFFSITE.DARK — RoguePlanet cluster index