Zero-Day Exploits Turn Windows Defender Into Attack Platform
Security researchers at SentinelOne and CrowdStrike have disclosed three proof-of-concept (PoC) exploits that abuse Microsoft Windows Defender's built-in components to execute code with SYSTEM privileges. Two of the flaws remain unpatched, and active exploitation has been observed in targeted attacks across North America and Europe.
The first exploit leverages a use-after-free vulnerability (CVE-2024-21412) in the Antimalware Scan Interface (AMSI) driver used by MsMpEng.exe. By crafting a specially formed scan request, an attacker can corrupt memory structures and redirect execution flow to load a malicious DLL that runs with the same privileges as Defender. The second flaw, an integer-overflow weakness (CVE-2024-21413) in the signature-update module of the MpDefenderCore.sys driver, allows an attacker to write arbitrary data to kernel memory, paving the way for a kernel-level payload that persists across reboots. The third PoC demonstrates a DLL-hijacking issue in the Windows Defender GUI (mpengine.exe), where a user-writable folder is placed ahead of the legitimate DLL search path, enabling the loader to inject a rogue library that intercepts Defender API calls.
According to the joint advisory, the two unpatched zero-days are being actively used by a threat cluster tracked as APT KRYPTON, which historically focuses on espionage-oriented operations. The attackers are observed deploying the exploits in phishing-borne payloads that drop a benign-looking update package, which then triggers the vulnerable code path within Defender. The patched third exploit (CVE-2024-21414) was addressed in Microsoft's February 2024 security update, underscoring the urgency for organizations to apply the latest Defender signatures.
Microsoft has released an emergency patch for CVE-2024-21412 and recommends enabling HVCI (Hypervisor-protected Code Integrity) and the Windows Defender Attack Surface Reduction (ASR) rule "Block execution of potentially obfuscated scripts." Security teams are advised to monitor for anomalous DLL loads in %ProgramFiles%\Windows Defender and to audit signed-binary verification logs for unexpected changes. Until the remaining patches are deployed, employing application whitelisting and restricting user write access to system directories can mitigate the risk of DLL-hijacking attacks.
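The following PowerShell is an added example, not code from the advisory, SentinelOne, CrowdStrike or Microsoft, that turns two of the recommended mitigations into repeatable checks: it reports any folder under the Defender install tree that a low-privilege identity can write to (the precondition for the DLL-hijacking issue described above), and it lists DLLs mapped into Defender service processes that are unsigned, carry an invalid signature, or sit outside the expected install locations. It assumes Defender lives under %ProgramFiles%\Windows Defender and %ProgramData%\Microsoft\Windows Defender, and that MsMpEng, MpDefenderCoreService and NisSrv are the processes worth inspecting; run it from an elevated prompt.

```powershell
# Added example: audit checks for the DLL-hijacking and anomalous-DLL-load
# mitigations described in the advisory. Assumed paths and process names are
# marked below; adjust them to match your Defender platform version.

$defenderDir = Join-Path $env:ProgramFiles 'Windows Defender'   # assumed install path

# Identities that should never hold write rights on the Defender tree.
$lowPrivIdentities = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
                       'Everyone', 'NT AUTHORITY\INTERACTIVE')

# Any of these rights lets a caller drop or replace a file in the folder.
$writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl -bor
             [System.Security.AccessControl.FileSystemRights]::CreateFiles

function Find-WritableDefenderFolders {
    # Walk the Defender directory (and its root) and report every Allow ACE
    # that grants a low-privilege identity write access: exactly what a
    # DLL-hijacking payload needs to place a rogue library on the search path.
    $folders = @(Get-Item -Path $defenderDir -ErrorAction SilentlyContinue) +
               @(Get-ChildItem -Path $defenderDir -Directory -Recurse -ErrorAction SilentlyContinue)
    foreach ($folder in $folders) {
        (Get-Acl -Path $folder.FullName).Access |
            Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $lowPrivIdentities -contains $_.IdentityReference.Value -and
                ([int]$_.FileSystemRights -band [int]$writeMask) -ne 0
            } |
            ForEach-Object {
                [pscustomobject]@{
                    Folder   = $folder.FullName
                    Identity = $_.IdentityReference.Value
                    Rights   = $_.FileSystemRights
                }
            }
    }
}

function Find-SuspiciousDefenderModules {
    # Enumerate DLLs mapped into Defender service processes and flag any whose
    # Authenticode signature is not Valid or whose path lies outside the trusted
    # install trees. MsMpEng runs as a protected process (PPL), so module
    # enumeration can fail even from an elevated, non-protected context; when it
    # does, fall back to Sysmon Event ID 7 (Image loaded) filtered on the same
    # process names, which records every load regardless of PPL.
    $trustedRoots = @(
        $defenderDir,
        $env:SystemRoot,
        (Join-Path $env:ProgramData 'Microsoft\Windows Defender')   # assumed platform/definition path
    )
    # Assumed list of Defender service process names.
    Get-Process -Name MsMpEng, MpDefenderCoreService, NisSrv -ErrorAction SilentlyContinue |
        ForEach-Object {
            $proc = $_
            try { $modules = $proc.Modules }
            catch {
                Write-Warning "Cannot read modules of $($proc.Name) (PID $($proc.Id)): $($_.Exception.Message)"
                return   # skip to the next process
            }
            foreach ($m in $modules) {
                $path = $m.FileName
                $inTrustedRoot = $trustedRoots | Where-Object { $path -like "$_\*" } | Select-Object -First 1
                $sig = Get-AuthenticodeSignature -FilePath $path
                if (-not $inTrustedRoot -or $sig.Status -ne 'Valid') {
                    [pscustomobject]@{
                        Process   = $proc.Name
                        PID       = $proc.Id
                        Module    = $path
                        SigStatus = $sig.Status
                        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                    }
                }
            }
        }
}

# Usage: an empty result from both functions is the expected healthy state.
Find-WritableDefenderFolders   | Format-Table -AutoSize
Find-SuspiciousDefenderModules | Format-Table -AutoSize
```

Both functions emit objects rather than text so the output can be piped to Export-Csv or compared against a known-good baseline on a schedule; a folder appearing in the first list, or a module from outside the trusted roots in the second, is the condition the advisory tells you to watch for.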