If your small business is running Windows and you assumed Microsoft Defender was quietly handling endpoint security in the background, April 2026 just handed you a serious wake-up call.
Three Windows Defender zero-days are currently being actively exploited in the wild. Two of them remain unpatched. And the timeline between discovery and exploitation is shrinking faster than most small businesses can respond.
This isn't a theoretical risk. It's a live exposure window — and your patch schedule may not close it in time.
What's Actually Happening With Defender Right Now
According to The Hacker News, security firm Huntress is warning that three Defender zero-days, including one dubbed "RedSun", are being exploited in the wild to gain SYSTEM privileges. SYSTEM is the most privileged local account on a Windows machine, and it is the context Defender's own service runs in. An attacker who reaches it can switch off security tooling, tamper with logs, exfiltrate data, install ransomware, or pivot deeper into your network, and the tool that should raise the alert is now under their control.
What made this worse: within hours of Microsoft patching the first vulnerability, a researcher publicly released a proof-of-concept (PoC) exploit for a second Defender flaw. Two of the three vulnerabilities still have no patch available, so even organizations with aggressive update schedules are running exposed endpoints right now.
Defender Can Be Neutralized From the Inside
Here's the part that doesn't get enough attention: attackers aren't just exploiting Defender — they're engineering payloads specifically designed to blind it.
Recent reporting from Security News highlights how a previously "harmless" global adware campaign has been retooled into what researchers are calling an AV Killer. The malware uses scheduled tasks to add its own files to Defender's exclusion lists, so the scanner skips them by policy while the payload operates freely. Exclusions are an ordinary administrative setting, so on its own the change does not look like an attack. This isn't a sophisticated nation-state technique. It's being deployed at scale against ordinary endpoints.
If your endpoint security can be told to ignore a threat by the threat itself, you don't have endpoint security. You have a checkbox.
The Patch Window Problem Is Getting Worse
Even if you're diligent about patching, the math isn't working in your favor right now.
According to SANS ISC, the daily volume of CVE disclosures has reached a level that genuinely overwhelms security teams. Prioritizing which vulnerabilities to patch first — especially across a mixed environment of workstations, servers, and cloud services — requires tooling and expertise that most small businesses simply don't have in-house.
Making that harder: The Hacker News reports that NIST has scaled back CVE enrichment following a 263% surge in vulnerability submissions. That means the authoritative guidance small businesses and MSPs have historically relied on to understand which CVEs are critical is now less complete. As we covered in our breakdown of NIST and MITRE cutbacks and what they mean for small business security, this isn't a temporary gap — it reflects a structural shift in how vulnerability intelligence gets distributed.
When NIST pulls back and SANS is flagging CVE flood conditions simultaneously, the window between "vulnerability disclosed" and "your systems patched" gets longer. Attackers are moving the other way: for an actively exploited zero-day with a public PoC, the time from disclosure to exploitation is measured in hours, not weeks.
Windows Defender Alone Is No Longer a Safe Default
Defender has improved substantially over the past several years. For basic threat prevention on a well-managed, fully patched system, it performs reasonably well. But "well-managed" and "fully patched" are doing a lot of heavy lifting in that sentence.
The current situation exposes the core limitation: Defender is both the target and the defense. When attackers are specifically engineering exploits to elevate privileges through Defender or neutralize it from within, a single-layer strategy fails at the exact moment you need it most.
This is what layered endpoint security actually means in practice — not marketing language, but a concrete architecture where if one control fails, another catches the gap. That might include:
- EDR (Endpoint Detection and Response) tools that monitor behavior rather than just signatures
- Application allowlisting to prevent unauthorized executables from running
- Privileged access controls that limit what SYSTEM-level compromises can actually reach — a topic we've covered in depth in our guide to preventing employee privilege escalation and access control
- Continuous vulnerability scanning to identify unpatched exposure before attackers do
What Small Businesses Should Do Right Now
You don't need a Fortune 500 security budget to respond intelligently. You need a prioritized checklist.
1. Verify your Windows Update status today. Don't assume automatic updates ran. Check Windows Update history on critical workstations and confirm the April 2026 Defender patches applied. Defender's antimalware platform and engine are updated separately from the monthly cumulative update, so also check the platform and engine versions Defender itself reports. If you're managing multiple endpoints, this needs to be a centralized check, not a manual walk around the office.
2. Audit scheduled tasks and Defender exclusions on endpoints. The adware-turned-AV-killer campaign uses scheduled tasks to persist and to write Defender exclusions. A quick audit of scheduled tasks can surface unexpected entries that don't belong, and the exclusion lists (paths, processes, extensions) show you exactly what Defender has been told to ignore. Any entry your team did not add is a finding.
3. Treat the two unpatched CVEs as active risk. For the two Defender zero-days still without a patch, apply compensating controls now. That means reviewing who has local admin rights, turning on auditing for privilege use and special logons, watching Defender's own configuration-change events (event ID 5007 in the Defender operational log) and real-time-protection-disabled events (5001), and considering temporary network segmentation for high-value systems.
4. Don't wait for NIST enrichment. With NIST scaling back CVE guidance, you need alternative sources for vulnerability prioritization. CISA's Known Exploited Vulnerabilities catalog, SANS ISC, Huntress advisories, and EPSS scoring are filling some of that gap, but you need to be subscribed and paying attention.
5. Run a vulnerability scan. You can't protect what you can't see. Knowing your actual exposure across all endpoints — not just the ones you think are at risk — is the starting point for every other decision.
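The checks in steps 1 to 3, together with the exclusion-writing scheduled tasks described under "Defender Can Be Neutralized From the Inside", as a single read-only triage script. This is an example added here; it is not code from the article, Huntress, Security News or Oscar Six. It assumes Windows PowerShell 5.1 or later with the Defender and ScheduledTasks modules present (standard on Windows 10/11 and Server 2016 and later). Because the page gives neither the April 2026 KB numbers nor the AV killer's task names, the script reports versions for you to compare against Microsoft's advisory and flags tasks by behaviour (Defender-tampering arguments, elevated execution from user-writable paths) rather than matching hard-coded indicators.

```powershell
# Added example (not from the article, Huntress, Security News or Oscar Six):
# read-only endpoint triage for steps 1 to 3 of the checklist. Run from an
# elevated PowerShell on each endpoint, or push it through your RMM.
# Assumptions: Defender and ScheduledTasks modules are available; no KB
# numbers or task names are hard-coded because the page does not give them.

#Requires -RunAsAdministrator

# Cmdlet and parameter names an AV killer would use to reconfigure Defender.
$DefenderTamperPatterns = @(
    'Add-MpPreference', 'Set-MpPreference', 'ExclusionPath', 'ExclusionProcess',
    'ExclusionExtension', 'DisableRealtimeMonitoring', 'DisableBehaviorMonitoring'
)

# Directories an unprivileged user can write to (regex form, escaped backslashes).
$UserWritableRoots = @('\\AppData\\', '\\Temp\\', '\\Users\\Public\\', '\\ProgramData\\')

function Get-DefenderPatchState {
    # Step 1: platform, engine and signature versions plus recent hotfixes.
    # Platform/engine updates ship separately from the monthly cumulative
    # update, so Get-HotFix alone does not prove Defender itself is current.
    $s = Get-MpComputerStatus
    [pscustomobject]@{
        PlatformVersion      = $s.AMProductVersion
        EngineVersion        = $s.AMEngineVersion
        SignatureVersion     = $s.AntivirusSignatureVersion
        SignatureLastUpdated = $s.AntivirusSignatureLastUpdated
        RealTimeProtection   = $s.RealTimeProtectionEnabled
        RecentHotfixes       = (Get-HotFix | Sort-Object InstalledOn -Descending |
                                Select-Object -First 5 -ExpandProperty HotFixID) -join ', '
    }
}

function Get-DefenderExclusions {
    # Step 2: what Defender has been told to ignore. Anything your team did not add is a finding.
    $p = Get-MpPreference
    [pscustomobject]@{
        Paths      = @($p.ExclusionPath) -join '; '
        Processes  = @($p.ExclusionProcess) -join '; '
        Extensions = @($p.ExclusionExtension) -join '; '
    }
}

function Get-SuspiciousScheduledTasks {
    # Step 2: flag a task if any action (a) carries Defender-tampering
    # arguments, or (b) runs elevated from a user-writable directory.
    foreach ($task in Get-ScheduledTask) {
        $elevated = ($task.Principal.RunLevel -eq 'Highest') -or
                    ([string]$task.Principal.UserId -match 'SYSTEM')
        foreach ($action in $task.Actions) {
            # COM-handler actions have no Execute/Arguments to inspect.
            if (-not $action.PSObject.Properties['Execute']) { continue }
            $exe     = [string]$action.Execute
            $argText = [string]$action.Arguments
            $reasons = @()
            foreach ($pat in $DefenderTamperPatterns) {
                if ($argText -match [regex]::Escape($pat)) { $reasons += "tampers with Defender ($pat)" }
            }
            if ($elevated -and ($UserWritableRoots | Where-Object { $exe -match $_ })) {
                $reasons += 'elevated task runs from user-writable path'
            }
            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Task    = "$($task.TaskPath)$($task.TaskName)"
                    Author  = $task.Author
                    RunsAs  = $task.Principal.UserId
                    Execute = $exe
                    Args    = $argText
                    Reasons = $reasons -join '; '
                }
            }
        }
    }
}

function Get-DefenderConfigChanges {
    # Step 3: Defender logs configuration changes (new exclusions included) as
    # event 5007 and real-time protection being disabled as event 5001.
    # Correlate these timestamps with the tasks flagged above.
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5001, 5007
    } -MaxEvents 50 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Detail'; e = {
            $m = $_.Message -replace '\s+', ' '
            if ($m.Length -gt 160) { $m.Substring(0, 160) + '...' } else { $m } } }
}

function Get-LocalAdmins {
    # Step 3: every member here is one local bug away from SYSTEM.
    Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, ObjectClass, PrincipalSource
}

Write-Host '== Step 1: Defender patch state =='
Get-DefenderPatchState | Format-List
Write-Host '== Step 2: Defender exclusions =='
Get-DefenderExclusions | Format-List
Write-Host '== Step 2: Suspicious scheduled tasks =='
Get-SuspiciousScheduledTasks | Format-Table -AutoSize -Wrap
Write-Host '== Step 3: Defender config changes (events 5001/5007) =='
Get-DefenderConfigChanges | Format-Table -AutoSize -Wrap
Write-Host '== Step 3: Local Administrators =='
Get-LocalAdmins | Format-Table -AutoSize
# Step 3, one-time change deliberately not run by this read-only script:
#   auditpol /set /subcategory:"Sensitive Privilege Use" /success:enable /failure:enable
#   auditpol /set /subcategory:"Special Logon" /success:enable
```

The script changes nothing on the host; the two auditpol lines at the end are the only state change in the procedure and are left as a comment so you can apply them through policy rather than ad hoc. A task that trips the Defender-tampering check is not automatically malicious (an MSP deployment script can legitimately add an exclusion), so compare its author, creation date and the 5007 timestamps against your change records before deleting it.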
For government contractors, this isn't optional. CMMC Level 1 requires basic endpoint protection and patch management as foundational practices. Running unpatched endpoints with known actively exploited vulnerabilities is a direct compliance gap. Our CMMC Level 1 compliance guide for small businesses walks through exactly what's required and where most small contractors fall short.
The Honest Answer to "Is Defender Enough?"
For a small business with no sensitive data, no compliance obligations, and a fully patched environment? Defender is a reasonable baseline.
For everyone else, especially government contractors, businesses handling customer financial or health data, or any organization that can't absorb a multi-day outage, Defender alone is not enough. It was never designed to be your only line of defense, and the current zero-day situation makes that gap impossible to ignore.
Layered security doesn't have to mean expensive. It means knowing what you have, knowing what's exposed, and having visibility before an attacker does.
Take Action: Don't Wait for the Next Patch Tuesday
The two unpatched Defender zero-days won't wait for your next scheduled maintenance window. Attackers are actively exploiting these vulnerabilities right now, and the gap between disclosure and exploitation is measured in hours.
Proactive scanning catches the exposures attackers are already looking for — before they find them on your systems.
Oscar Six Security's Radar gives small businesses and MSPs continuous vulnerability visibility for $99 per scan. No enterprise contract. No six-figure retainer. Just clear, actionable data on where you're exposed and what to fix first.
Focus Forward. We've Got Your Six.