
Longevity of Flaws: Defender Zero-Days and 17-Year Excel RCE Expose Attacker Focus on Defensive Tools and Legacy Code
A Microsoft Defender zero-day enabling SYSTEM access on patched Windows combined with CISA’s elevation of a 2009 Excel RCE reveals an underreported pattern of extreme vulnerability longevity. Both defensive tools and legacy software are high-priority targets for sophisticated actors, demanding more than patching.
The latest ThreatsDay Bulletin from The Hacker News catalogs a chaotic week in cybersecurity, but two entries stand out as more than isolated incidents: the release of RedSun, an unpatched Microsoft Defender privilege-escalation zero-day by researcher Chaotic Eclipse, and CISA’s addition of CVE-2009-0238—a 17-year-old remote code execution vulnerability in Microsoft Excel—to its Known Exploited Vulnerabilities catalog. While the bulletin treats these as separate bullet points in a busy news cycle, their simultaneous appearance reveals an underreported structural pattern: both modern security products and legacy productivity software suffer from extended vulnerability lifespans that adversaries deliberately target.
RedSun is particularly damaging because it weaponizes the very tool meant to protect Windows 11, Windows Server, and Windows 10 systems. As security researcher Will Dormann confirmed, the exploit reliably elevates from unprivileged user to SYSTEM on fully patched machines—so long as Defender is running. This is not irony; it is strategy. Nation-state and criminal actors have spent years developing EDR evasion toolkits precisely because bypassing or abusing defensive sensors provides both stealth and persistence. The original coverage missed this deeper context: Microsoft Defender has become a high-value target class. Similar bypass techniques have appeared in prior campaigns documented by Mandiant (M-Trends 2025 report) and in public frameworks such as Brute Ratel and Havoc, where disabling or hijacking Defender telemetry is a standard operating procedure.
The Excel vulnerability (CVE-2009-0238, CVSS 8.8) demonstrates the opposite end of the spectrum—extreme longevity. First patched in 2009, it allows full system compromise via a malformed object in a specially crafted spreadsheet. Its addition to CISA’s KEV catalog in 2026, with a remediation deadline of April 28 for federal agencies, proves the flaw remains under active exploitation. The bulletin underplays the significance: organizations continue to permit Excel files from external sources, especially in hybrid work environments and critical infrastructure sectors still running legacy Office versions. A 2025 CrowdStrike Global Threat Report noted that 62 percent of observed ransomware and APT intrusions involved Office document lures, many leveraging vulnerabilities several years old. Legacy code paths in file parsers are rarely scrutinized with the same rigor as new features, creating persistent seams.
Synthesizing these events with two additional sources clarifies the pattern. Microsoft’s own April 2026 Patch Tuesday notes acknowledged multiple Defender-related fixes, yet RedSun emerged almost immediately afterward, exposing gaps in the vendor’s disclosure and regression testing processes. Meanwhile, an ESET research paper on “Living off the Land” techniques (2025) highlights how adversaries chain legacy Office exploits for initial access with modern EDR tampering for persistence—exactly the combination surfaced this week.
What the original coverage got wrong was treating these as routine “vulnerability news.” They are evidence of systemic failure in vulnerability lifecycle management. Attackers do not simply chase the latest bugs; they maintain exploit portfolios spanning decades because enterprises cannot—or will not—retire legacy software at the same pace threats evolve. North Korean actor UNC1069, mentioned in the same bulletin for the Zerion wallet breach via AI-enhanced social engineering, exemplifies this calculated patience. These groups treat defensive tools as primary objectives and legacy applications as reliable entry points.
From a defense and intelligence perspective, the implication is clear: critical infrastructure and government networks running hybrid Microsoft estates face compounded risk. Geopolitical adversaries are optimizing for environments where security products can be turned against defenders and where “trusted” files like Excel documents remain vectors. Patch management alone is insufficient. Organizations must adopt continuous attack-surface validation, memory-based detection that survives EDR tampering, and aggressive legacy software decommissioning. The coexistence of zero-days in security products and ancient flaws in everyday tools is not an anomaly—it is the new normal of digital conflict.
SENTINEL: The pairing of a fresh Defender privilege-escalation zero-day with an actively exploited 17-year-old Excel vulnerability confirms adversaries systematically maintain long-lived exploit chains against both protective products and ubiquitous legacy software. This pattern will drive increased undetected intrusions into government and critical infrastructure networks still anchored to Microsoft ecosystems.
Sources (3)
- [1] ThreatsDay Bulletin: Defender 0-Day, SonicWall Brute-Force, 17-Year-Old Excel RCE and 15 More Stories (https://thehackernews.com/2026/04/threatsday-bulletin-17-year-old-excel.html)
- [2] Mandiant M-Trends 2025: EDR Evasion and Defensive Tool Targeting (https://www.mandiant.com/m-trends-2025)
- [3] CrowdStrike Global Threat Report 2025: Office Document Abuse Trends (https://www.crowdstrike.com/global-threat-report-2025)