
Microsoft Defender "RedSun" local privilege escalation zero-day proof-of-concept disclosed

1 unique source, 1 article

Summary


A proof-of-concept exploit for a previously undisclosed Microsoft Defender local privilege escalation (LPE) zero-day tracked as "RedSun" has been published, enabling SYSTEM-level access on fully patched Windows 10, Windows 11, and Windows Server systems with Defender enabled. The vulnerability leverages Defender’s cloud file handling behavior to overwrite critical system binaries via the Cloud Files API, exploiting a race condition in volume shadow copy operations and junction points to redirect file rewrites to an attacker-controlled executable in a protected system directory. The disclosure comes within two weeks of a second Microsoft Defender zero-day exploit ("BlueHammer", CVE-2026-33825) published by the same researcher; both were released as a protest against Microsoft’s handling of vulnerability disclosures through the MSRC.

Timeline

  1. 16.04.2026 23:19 (1 article)

    RedSun Microsoft Defender zero-day PoC enables SYSTEM privilege escalation on fully patched Windows

    A proof-of-concept exploit for a Microsoft Defender local privilege escalation zero-day named RedSun has been published. The attack leverages Defender’s cloud file tagging logic to trigger file rewrites, then exploits a volume shadow copy race condition and a directory junction to redirect the rewrite to C:\Windows\system32\TieringEngineService.exe. Execution via the Cloud Files Infrastructure grants SYSTEM privileges on Windows 10, 11, and Server 2019+ systems with Defender enabled, even after the latest April Patch Tuesday updates.


Information Snippets

  • The RedSun exploit targets a local privilege escalation flaw in Microsoft Defender on Windows 10, Windows 11, and Windows Server 2019 or later, even when fully patched via April Patch Tuesday updates.

    First reported: 16.04.2026 23:19
    1 source, 1 article
  • The exploit abuses Defender’s cloud file tagging and file rewrite behavior via the Cloud Files API, using EICAR test file placement, opportunistic lock (oplock) timing, and directory junctions to redirect file overwrites to C:\Windows\system32\TieringEngineService.exe.

  • Once the attacker-controlled executable is written to a protected system path via this mechanism, the Cloud Files Infrastructure executes it as SYSTEM, achieving full privilege escalation.

  • The exploit PoC was publicly released by researcher "Chaotic Eclipse", who also disclosed the related BlueHammer (CVE-2026-33825) LPE zero-day last week.

  • Will Dormann, principal vulnerability analyst at Tharros, independently confirmed the RedSun exploit achieves SYSTEM privileges on fully patched systems and provided technical details of the attack chain.

  • VirusTotal initially flagged the PoC due to embedded EICAR strings, but detections were reduced after the researcher encrypted the EICAR payload within the executable.

  • The researcher cited poor experiences with Microsoft Security Response Center (MSRC) handling of vulnerability disclosures as motivation for publishing the PoCs, alleging retaliatory behavior and lack of support.
