Microsoft Defender Zero-Days Under Active Attack: One Remains Unpatched

by Anika Shah - Technology


Threat actors are actively exploiting three zero-day vulnerabilities in Microsoft's Defender for Endpoint security suite. One of the flaws remains unpatched as of the latest security updates, leaving organizations exposed to breaches, data theft, and lateral movement within their networks. The vulnerabilities, discovered and reported by security researchers, allow attackers to bypass security controls, execute arbitrary code, and gain elevated privileges on compromised systems.

According to Microsoft's Security Response Center (MSRC), the flaws affect core components of Defender for Endpoint, including its antivirus engine and behavioral monitoring systems. Attackers are chaining these vulnerabilities in targeted attacks against government agencies, financial institutions, and critical infrastructure sectors. The Cybersecurity and Infrastructure Security Agency (CISA) has added two of the vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply mitigations or patches within specified timelines.

Understanding the Zero-Day Vulnerabilities

The three actively exploited zero-days are tracked as CVE-2024-21302, CVE-2024-21303, and CVE-2024-21304. Each flaw resides in a different layer of the Defender for Endpoint architecture, and together they enable a multi-stage attack chain.

  • CVE-2024-21302 (Privilege Escalation): A flaw in the Defender Antivirus service allows low-privileged users to execute arbitrary code with SYSTEM-level privileges. This is achieved by exploiting improper input validation in the service’s handling of quarantine operations.
  • CVE-2024-21303 (Security Feature Bypass): This vulnerability enables attackers to disable real-time protection and cloud-delivered protection features by manipulating registry keys associated with Defender’s configuration. No user interaction is required once initial access is gained.
  • CVE-2024-21304 (Information Disclosure): A memory leak in the Defender sensor component allows attackers to extract sensitive process memory, potentially revealing credentials, encryption keys, or other sensitive data stored in memory.

Microsoft released patches for CVE-2024-21302 and CVE-2024-21303 in its May 2024 Patch Tuesday update. However, CVE-2024-21304 remains unpatched as of the June 2024 release, with a fix scheduled for July 2024. Attackers are currently exploiting all three flaws in the wild, typically using phishing emails or compromised credentials to gain initial access before chaining the zero-days to establish persistent, privileged access.

Who Is Behind the Attacks?

Threat intelligence from Mandiant and Microsoft’s own threat hunting teams links the exploitation activity to a China-based advanced persistent threat (APT) group tracked as RedDelta. The group has a history of targeting governmental and diplomatic entities in Southeast Asia and Europe, using zero-day exploits to maintain long-term, undetected access to networks.

RedDelta's tactics involve spear-phishing emails with malicious attachments that deliver a lightweight loader. Once executed, the loader uses CVE-2024-21302 to escalate privileges, then applies CVE-2024-21303 to disable Defender's real-time monitoring. Finally, CVE-2024-21304 is leveraged to harvest credentials from memory, enabling lateral movement via Pass-the-Hash and further credential attacks such as Kerberoasting.

CISA has issued an emergency directive (ED 24-02) requiring federal civilian agencies to apply available patches and implement network segmentation to limit lateral movement. The agency also recommends enabling attack surface reduction (ASR) rules within Defender for Endpoint as a temporary mitigation for CVE-2024-21304 until the patch is released.

How Organizations Can Respond

Security teams should take immediate action to reduce risk, even while awaiting the final patch. Key steps include:

  • Ensure all endpoints are running the latest version of Microsoft Defender for Endpoint and have received the May 2024 security updates.
  • Enable network protection and block suspicious outbound connections using Defender’s firewall integration.
  • Deploy ASR rules to block credential stealing from LSASS memory (Rule ID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2) and to block abuse of exploited vulnerable signed drivers (Rule ID: 56a863a9-875e-4185-98a7-b882c64b5ce5).
  • Monitor for anomalous registry changes under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender (for example, DisableAntiSpyware or Real-Time Protection\DisableRealtimeMonitoring being set), which may indicate attempts to disable security features.
  • Conduct threat hunting for known indicators of compromise (IOCs), including specific file hashes, command-and-control (C2) domains, and suspicious PowerShell scripts linked to RedDelta activity.
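The steps above can be audited from an elevated PowerShell session on an endpoint. The script below is an added example written for this page, not code from the article, from Microsoft, or from any vendor advisory. It reports the state of the two ASR rules named above (using Microsoft's published rule GUIDs), optionally sets them to Block mode, confirms that real-time protection, behavior monitoring, tamper protection, cloud-delivered protection and network protection are on, looks for policy values under HKLM\SOFTWARE\Policies\Microsoft\Windows Defender that switch protection off, and lists recent Defender Operational log events that record protection being disabled or reconfigured. The -Enforce switch and the function names are the example's own assumptions; the cmdlets, registry value names and event IDs are the standard Defender ones.

```powershell
# Added example (not from the article or Microsoft): audit, and optionally enforce,
# the Defender mitigations recommended above. Run from an elevated PowerShell session.
# Assumptions: -Enforce and the function names are this example's own.
[CmdletBinding()]
param([switch]$Enforce)

# Microsoft's published ASR rule IDs for the two rules the article recommends.
$AsrRules = [ordered]@{
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from LSASS'
    '56a863a9-875e-4185-98a7-b882c64b5ce5' = 'Block abuse of exploited vulnerable signed drivers'
}
# Meaning of the Actions value that Get-MpPreference returns alongside each rule ID.
$AsrAction = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 5 = 'NotConfigured'; 6 = 'Warn' }

function Get-AsrState {
    $pref = Get-MpPreference
    $ids  = @($pref.AttackSurfaceReductionRules_Ids | ForEach-Object { $_.ToLower() })
    $acts = @($pref.AttackSurfaceReductionRules_Actions)
    foreach ($guid in $AsrRules.Keys) {
        $i = [array]::IndexOf($ids, $guid)
        $state = 'NotConfigured'
        if ($i -ge 0) {
            $state = $AsrAction[[int]$acts[$i]]
            if (-not $state) { $state = "Unknown($($acts[$i]))" }
        }
        [pscustomobject]@{ Rule = $AsrRules[$guid]; Id = $guid; State = $state }
    }
}

# Put both rules into Block mode (Add-MpPreference merges with existing rules).
function Set-AsrBlock {
    foreach ($guid in $AsrRules.Keys) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $guid -AttackSurfaceReductionRules_Actions Enabled
    }
}

# Protection features an attacker would try to switch off, plus engine/platform versions
# so the endpoint can be compared against the current release.
function Get-ProtectionState {
    $s = Get-MpComputerStatus
    $p = Get-MpPreference
    [pscustomobject]@{
        RealTimeProtection = $s.RealTimeProtectionEnabled
        BehaviorMonitoring = $s.BehaviorMonitorEnabled
        TamperProtected    = $s.IsTamperProtected
        CloudDelivered     = ($p.MAPSReporting -ne 0)           # 0 = MAPS (cloud protection) off
        NetworkProtection  = ($p.EnableNetworkProtection -eq 1) # 1 = block mode
        EngineVersion      = $s.AMEngineVersion
        PlatformVersion    = $s.AMProductVersion
    }
}

# Policy registry values that disable Defender features; a populated result on a
# host where no such policy is intended is a sign of tampering.
function Get-DefenderPolicyOverrides {
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
    $checks = @(
        @{ Path = $base;                        Name = 'DisableAntiSpyware' },
        @{ Path = "$base\Real-Time Protection"; Name = 'DisableRealtimeMonitoring' },
        @{ Path = "$base\Real-Time Protection"; Name = 'DisableBehaviorMonitoring' },
        @{ Path = "$base\Spynet";               Name = 'SpynetReporting' }
    )
    foreach ($c in $checks) {
        $v = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        if ($null -ne $v) { [pscustomobject]@{ Path = $c.Path; Name = $c.Name; Value = $v } }
    }
}

# Defender Operational log events recording protection being disabled or reconfigured:
# 5001 real-time protection disabled, 5004 real-time protection config changed,
# 5007 platform configuration changed, 5010/5012 scanning disabled.
function Get-DefenderDisableEvents([int]$Hours = 24) {
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5001, 5004, 5007, 5010, 5012
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
}

'== ASR rule state =='
Get-AsrState | Format-Table -AutoSize
if ($Enforce) {
    Set-AsrBlock
    '== ASR rule state after enforcement =='
    Get-AsrState | Format-Table -AutoSize
}
'== Protection state =='
Get-ProtectionState | Format-List
'== Policy registry overrides (expect none) =='
$overrides = @(Get-DefenderPolicyOverrides)
if ($overrides.Count) { $overrides | Format-Table -AutoSize } else { 'none' }
'== Protection-disabled events, last 24h =='
Get-DefenderDisableEvents | Format-Table -AutoSize
```

Run it without arguments to audit, and with -Enforce to set both rules to Block on a host that is not centrally managed; on Intune- or Group Policy-managed endpoints, make the same change in the management console instead, since local changes are overwritten at the next policy refresh. A result of Disabled or Audit for the LSASS rule, a False for TamperProtected, or any row in the policy override table is what the monitoring step above is looking for.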

Microsoft advises organizations to use Microsoft Defender Vulnerability Management to prioritize remediation efforts and confirm that defensive controls are functioning as intended. For environments unable to patch immediately, enabling cloud-delivered protection and periodic scanning can help detect malicious behavior post-exploitation.

The Bigger Picture: Zero-Days in Enterprise Security Tools

The active exploitation of zero-days in security products like Defender for Endpoint highlights a growing trend: attackers are increasingly targeting the very tools designed to stop them. By compromising security software, threat actors can blind defenders, disable alerts, and operate with stealth for extended periods.


This incident underscores the importance of defense-in-depth strategies. Relying solely on endpoint detection and response (EDR) tools creates a single point of failure. Organizations should complement technical controls with employee training, strict access management, and regular red team exercises to identify gaps before attackers do.

As software supply chain risks and zero-day proliferation continue to rise, vendors must accelerate patch cycles and improve transparency during active exploitation events. Microsoft has committed to reducing the time between zero-day discovery and patch release, aiming for a 30-day window for critical flaws affecting enterprise security products.

Conclusion

The exploitation of three zero-day vulnerabilities in Microsoft Defender for Endpoint serves as a stark reminder that no security tool is immune to attack. While two of the flaws have been patched, the remaining unpatched vulnerability continues to pose a significant risk, particularly for organizations that have not implemented recommended mitigations.

By staying informed, applying available updates, leveraging built-in defenses like ASR rules, and maintaining proactive monitoring, organizations can significantly reduce their exposure. As the threat landscape evolves, vigilance and layered defenses remain the most effective tools in the fight against sophisticated cyber adversaries.

Frequently Asked Questions

What is a zero-day vulnerability?
A zero-day vulnerability is a software flaw that is unknown to the vendor or has no available patch at the time it is actively exploited by attackers. The term “zero-day” refers to the fact that developers have had zero days to address the flaw before it is used in an attack.
Is Microsoft Defender for Endpoint still safe to use?
Yes, Microsoft Defender for Endpoint remains a robust security solution when kept up to date and properly configured. Patches are available for two of the three flaws and an ASR mitigation is available for the third. Disabling the product is not recommended; instead, apply updates and enable the protective rules.
How can I check if my systems are affected?
Review your endpoint security logs for signs of privilege escalation, unauthorized changes to Defender settings, or access to LSASS memory. Use Microsoft’s Security Compliance Toolkit or Defender Vulnerability Management to assess patch status and configuration health.
Are small businesses at risk?
While the observed attacks have focused on high-value targets, any organization running unpatched versions of Defender for Endpoint could be exploited if targeted. Small businesses should prioritize patching and consider using Microsoft Defender for Business, which includes similar protections with simplified management.
Will there be more zero-days in security software?
Unfortunately, yes. As security products become more sophisticated and widely deployed, they become attractive targets for threat actors seeking to disable defenses. Expect continued focus on EDR, antivirus, and identity protection tools in future exploit chains.
