Windows Defender 0-days are being exploited right now. Here's what to actually do.
Through spring 2026, a string of Windows zero-day vulnerabilities went public, most of them in Windows Defender itself, and several are now being used in real attacks. If you run Windows (you do), here's the honest version: what's happening, who's actually at risk, and the specific things that shrink your exposure today. No scare tactics, no selling-by-panic.
What actually happened
After a public dispute with Microsoft, an anonymous researcher (the disclosure campaign is now tracked as "Nightmare-Eclipse") published a rapid run of Windows zero-days: roughly seven in about ten weeks. Almost all of them are local privilege-escalation (LPE) flaws in or around Windows Defender, and several shipped with working proof-of-concept code.
Since then, multiple security outlets have reported these being used in real-world attacks. At least one member of the cluster, a flaw in Defender's signature-update workflow, has a CVE assigned (CVE-2026-33825); others are still being catalogued, and some remain unpatched zero-days as of this writing. One widely analyzed member (nicknamed "RoguePlanet") has been reported to work even on otherwise up-to-date Windows 10 and 11.
What "privilege escalation" means for you, without the jargon
An LPE bug isn't the front door. It's what an attacker does after they already have a small foothold. It takes a normal, limited user account and elevates it to SYSTEM, the highest level of control on a Windows machine.
Why that matters: it turns a minor incident (a phishing click, one malicious download, a single weak app) into total control of the machine. With SYSTEM, an attacker can disable security tools, install themselves permanently, and spread to other computers. The uncomfortable part of this particular batch is that some of them work on machines that are otherwise fully patched, because the fix for that specific bug simply isn't out yet.
Who's actually at risk
Anyone running Windows endpoints, but exposure isn't equal. You're more exposed if:
- You're slow to patch, or you patch Windows but forget Defender's own platform and engine updates.
- Standard users can mount ISO or VHD disk images. That's a precondition for several of these techniques.
- Defender's protections are off or weakened: tamper protection disabled, real-time protection off, signatures stale.
- You have little to no monitoring, so an elevation would go unseen.
An honest read: a single, well-patched, careful home PC is lower risk than an unmanaged 12-PC office that's a month behind on updates. Attackers run these opportunistically. They don't pick you, they pick whoever's exposed. The goal here isn't panic; it's knowing exactly where you stand.
What to actually do, the short list
- Patch fast, and don't forget Defender itself. Apply the latest cumulative updates and Defender platform/engine updates (these often ship out-of-band). A monthly cadence is the floor, not the goal.
- Shrink the ISO/VHD attack surface. Several of these need a standard user to mount a disk image. Restrict non-admin disk-image mounting by policy where you can; it's a cheap, high-value win.
- Keep Defender's guardrails on. Tamper Protection on, real-time protection on, signatures current. These exploits attack Defender; a tampered or stale Defender is a weaker barrier.
- Turn on Attack Surface Reduction (ASR) rules and, where feasible, application control (WDAC/AppLocker). They can stop unknown exploit binaries from ever running.
- Least privilege plus monitoring. The less standing privilege an account carries, the smaller the blast radius, and good monitoring catches the tells (a non-admin mounting an ISO, a SYSTEM process spawned by a normal user app) even when no patch exists yet.
When there's no patch yet, the answer isn't panic. It's compensating controls and monitoring. You can be defensible against a zero-day before the fix ever ships.
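The monitoring "tell" mentioned above, a standard user mounting a disk image, can be checked from the event log. The script below is an added example, not part of the original post or the author's tooling. It assumes that mounts are recorded in the Microsoft-Windows-VHDMP/Operational log as Event ID 1 with the image path in the message text (verify this on your own build), and it treats local Administrators membership as the list of accounts allowed to mount. The core logic takes plain objects so it can be exercised against constructed sample records before pointing it at live events.

```powershell
# Added example (not from the original post): surface disk-image mounts performed
# by accounts that are not local administrators, the "tell" named in the checklist.
# ASSUMPTION: mounts appear in Microsoft-Windows-VHDMP/Operational as Event ID 1
# and the message contains the image path. Check this against your own log first.

function Find-NonAdminMounts {
    param(
        [Parameter(Mandatory)] [object[]] $Events,    # objects with TimeCreated, UserSid, ImagePath
        [Parameter(Mandatory)] [string[]] $AdminSids  # SIDs permitted to mount images
    )
    foreach ($e in $Events) {
        # Only disk images matter here; other paths in the same log are ignored.
        if ($e.ImagePath -notmatch '(?i)\.(iso|vhdx?)$') { continue }
        if ($AdminSids -notcontains $e.UserSid) {
            [pscustomobject]@{
                Time  = $e.TimeCreated
                User  = if ($e.UserSid) { $e.UserSid } else { '<no user recorded>' }
                Image = $e.ImagePath
                Note  = 'disk image mounted by a non-admin account; review where the file came from'
            }
        }
    }
}

# Constructed sample records (not real log data) so the logic runs offline.
# RID 500 is the built-in Administrator; RID 1001 stands in for a standard user.
$sample = @(
    [pscustomobject]@{ TimeCreated = [datetime]'2026-04-02T09:14:00'; UserSid = 'S-1-5-21-1111-2222-3333-500';  ImagePath = 'C:\Admin\win11.iso' }
    [pscustomobject]@{ TimeCreated = [datetime]'2026-04-02T09:20:00'; UserSid = 'S-1-5-21-1111-2222-3333-1001'; ImagePath = 'C:\Users\pat\Downloads\invoice.iso' }
    [pscustomobject]@{ TimeCreated = [datetime]'2026-04-02T09:21:00'; UserSid = 'S-1-5-21-1111-2222-3333-1001'; ImagePath = 'C:\Users\pat\Documents\notes.txt' }
)
$sampleAdmins = @('S-1-5-21-1111-2222-3333-500')
Find-NonAdminMounts -Events $sample -AdminSids $sampleAdmins | Format-Table -AutoSize
# Expected: a single row, the invoice.iso mount by the RID 1001 account.

# Live variant: read real events into the same shape. The regex that pulls the
# path out of the message text is an assumption about the event's wording.
function Get-RecentMountEvents {
    param([int] $Hours = 24)
    $filter = @{ LogName = 'Microsoft-Windows-VHDMP/Operational'; Id = 1; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $path = if ($_.Message -match '(?i)(?<p>[a-z]:\\[^"]+?\.(iso|vhdx?))') { $Matches.p } else { $_.Message }
        [pscustomobject]@{ TimeCreated = $_.TimeCreated; UserSid = "$($_.UserId)"; ImagePath = $path }
    }
}
$localAdmins = Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { "$($_.SID)" }
Find-NonAdminMounts -Events @(Get-RecentMountEvents -Hours 24) -AdminSids $localAdmins | Format-Table -AutoSize
```

Run it in an elevated prompt (the operational log needs admin rights to read). Events that carry no user SID are still reported, because an unattributed mount is worth a look rather than a silent skip. For a fleet, feed the same `Find-NonAdminMounts` function from your log collector instead of `Get-WinEvent` on each host.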
How we approach it, and what we won't do
We built a read-only exposure check for exactly this class of flaw. It looks at the factors that decide your risk (patch recency, Defender's hardening state, ASR rules, and the ISO-mount precondition) and rates your posture with a concrete, prioritized fix list.
What it is not: it is not exploitation. We don't run these techniques against your machines, and because several of these are still unpatched zero-days, no honest tool can promise a clean "you're immune." What we can do is measure your real exposure, apply the compensating controls, put monitoring on the warning signs, and prove what changed. Find it, fix it, prove it's closed.
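To make the short list above and the read-only check just described concrete, here is an added example of a posture script that covers the same factors. It is not the tool the post refers to and not Microsoft's code; it only reads state and changes nothing. Everything it reports comes from built-in cmdlets (`Get-HotFix`, `Get-MpComputerStatus`, `Get-MpPreference`, the `Win32_DeviceGuard` CIM class). The disk-image check is an assumption: it looks for the `ProgrammaticAccessOnly` value that hides Explorer's "Mount" verb for ISO and VHD file types, one common mitigation, and treats its absence as a finding.

```powershell
# Added example (not the post's own tool): read-only Windows Defender exposure check.
# Run in an elevated PowerShell 5.1+ prompt on Windows 10/11. Reads state only.

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([int]$Priority, [string]$Check, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Priority = $Priority; Check = $Check; Detail = $Detail })
}

# 1. Patch recency. Get-HotFix lists what is installed; it cannot tell you whether a
#    newer cumulative update exists, so a stale install date is the signal used here.
$latest = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
if ($latest) {
    $days = [int](New-TimeSpan -Start $latest.InstalledOn -End (Get-Date)).TotalDays
    if ($days -gt 30) { Add-Finding 1 'Patch recency' "Newest hotfix $($latest.HotFixID) installed $days days ago; apply the current cumulative update" }
} else {
    Add-Finding 1 'Patch recency' 'No hotfix install dates found; verify update history manually'
}

# 2. Defender guardrails: tamper protection, real-time protection, signature age.
#    Engine/platform versions are printed for comparison with Microsoft's release notes.
$mp = Get-MpComputerStatus
if (-not $mp.IsTamperProtected)         { Add-Finding 1 'Tamper Protection'    'Off; turn it on so malware cannot switch Defender off' }
if (-not $mp.RealTimeProtectionEnabled) { Add-Finding 1 'Real-time protection' 'Off; turn it on' }
if ($mp.AntivirusSignatureAge -gt 3)    { Add-Finding 1 'Signatures' "Last updated $($mp.AntivirusSignatureLastUpdated) ($($mp.AntivirusSignatureAge) days ago)" }
Write-Host "Defender engine $($mp.AMEngineVersion), platform $($mp.AMProductVersion); compare with the current release"

# 3. ASR rules: count rules in Block mode (action 1). Audit (2) and Warn (6) are not counted.
$pref = Get-MpPreference
$ids  = @($pref.AttackSurfaceReductionRules_Ids)
$acts = @($pref.AttackSurfaceReductionRules_Actions)
$blocking = 0
for ($i = 0; $i -lt $ids.Count; $i++) { if ([int]$acts[$i] -eq 1) { $blocking++ } }
if ($blocking -eq 0) {
    Add-Finding 2 'ASR rules' 'No rules in Block mode; enable the standard set (start in Audit mode if you need to gauge impact)'
} else {
    Write-Host "$blocking ASR rule(s) in Block mode"
}

# 4. Application control: WDAC enforcement (0 = off, 1 = audit, 2 = enforced). AppLocker is not checked here.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
if (-not $dg -or $dg.CodeIntegrityPolicyEnforcementStatus -ne 2) {
    Add-Finding 3 'Application control' 'No enforced WDAC policy detected'
}

# 5. ISO/VHD mount precondition. ASSUMPTION: hiding the Explorer "Mount" verb is done by
#    adding a ProgrammaticAccessOnly value under the file type's shell\mount key. Its
#    absence is reported as a finding; its presence is not proof that mounting is blocked.
foreach ($type in 'Windows.IsoFile', 'Windows.VhdFile') {
    $key = "Registry::HKEY_CLASSES_ROOT\$type\shell\mount"
    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($null -eq $props.ProgrammaticAccessOnly) {
            Add-Finding 2 'Disk-image mounting' "$type still offers the Mount verb to standard users"
        }
    }
}

# Report, highest priority first. A clean run lowers exposure; it does not prove
# immunity to a flaw whose fix has not shipped yet.
if ($findings.Count -eq 0) { Write-Host 'No findings from these checks.' }
else { $findings | Sort-Object Priority | Format-Table -AutoSize }
```

Priority 1 items are the ones that matter against this specific batch (Defender state and patch level), priority 2 are the compensating controls that work before a patch exists, and priority 3 is longer-term hardening. Thresholds such as 30 days for patches and 3 days for signatures are judgement calls; tighten them to match your own cadence.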
Worried about where your Windows machines stand?
A free Reality Check includes a read-only look at your exposure to this Defender zero-day class. Your posture, the gaps that matter, and a prioritized fix list. No exploitation of your systems, no obligation.
Book a free Reality Check