Microsoft Defender RedSun LPE zero-day privilege-escalation flaw
Vulnerability
Summary
A public RedSun proof-of-concept exposed a Microsoft Defender local privilege escalation zero-day that can reach SYSTEM on Windows 10, Windows 11, and Windows Server when Defender is enabled. The flaw affects systems running the latest April Patch Tuesday patches, so the exposure is relevant even for fully updated hosts. The exploit publication matters because it demonstrates a practical path to full administrative control rather than a theoretical weakness.
Related Happenings
Windows cldflt.sys privilege escalation (CVE-2020-17103)
Vulnerability
First: 18.05.2026 01:30
Last: 18.05.2026 01:30
Sources 1
About this happening:
A public **MiniPlasma** proof-of-concept has renewed concern around the **Windows cldflt.sys Cloud Filter driver** because it can elevate a **standard user** to **SYSTEM** on **fu...
Azure Backup for AKS privilege escalation flaw
Vulnerability
First: 16.05.2026 23:55
Last: 16.05.2026 23:55
Sources 1
About this happening:
A **critical Azure Backup for AKS** privilege-escalation flaw was independently validated, exposing Kubernetes clusters to **cluster-admin** takeover from the low-privileged **Bac...
Microsoft Edge stops loading saved passwords into cleartext memory at startup
Security Tool/Service
First: 15.05.2026 17:49
Last: 15.05.2026 17:49
Sources 1
About this happening:
**Microsoft Edge** is changing its built-in password manager so **saved passwords** are no longer loaded into **process memory in clear text** at startup, reducing the risk of loc...
Windows 11 BitLocker bypass YellowKey security flaw
Vulnerability
First: 14.05.2026 10:27
Last: 14.05.2026 10:27
Sources 1
About this happening:
**YellowKey** is a **Windows BitLocker security feature bypass** tracked as **CVE-2026-45585** that can expose **BitLocker-protected drives** through the **Windows Recovery Enviro...
Latest development: 20.05.2026 10:31
Microsoft assigned CVE-2026-45585 to YellowKey, a Windows BitLocker security feature bypass, and recommended removing autofstx.exe from the Session Manager BootExecute REG_MULTI_SZ value, reestablishing BitLocker trust for WinRE, and moving already encrypted devices from TPM-only to TPM+PIN to require a pre-boot PIN.
Microsoft MDASH enters limited private preview for AI-driven vulnerability discovery at scale
Security Tool/Service
First: 13.05.2026 16:46
Last: 13.05.2026 16:46
Sources 1
About this happening:
Microsoft's **MDASH** has entered **limited private preview**, adding a new **AI-driven vulnerability discovery** service that can validate and prove exploitable defects at scale....
Timeline
- 17.04.2026 16:21 · 1 article · 1mo ago
Huntress reports active RedSun exploitation in Microsoft Defender
Exploitation Observed: Huntress reports that threat actors are exploiting Microsoft Defender flaws, including RedSun, to gain elevated privileges on compromised systems, and says it isolated the affected organization to prevent further post-exploitation.
- Three Microsoft Defender Zero-Days Actively Exploited; Two Still Unpatched — thehackernews.com — 17.04.2026 16:21
- 16.04.2026 23:19 · 1 article · 1mo ago
Chaotic Eclipse publishes RedSun Microsoft Defender PoC
Initial Disclosure: Chaotic Eclipse publishes the RedSun proof-of-concept for a Microsoft Defender local privilege escalation zero-day that grants SYSTEM on Windows 10, Windows 11, and Windows Server when Windows Defender is enabled on the latest April Patch Tuesday patches. Will Dormann confirms the exploit works on fully patched Windows 10, Windows 11, and Windows Server 2019 and later, and notes that it uses the Cloud Files API, EICAR, an oplock, a volume shadow copy race, and a directory junction/reparse point to redirect a rewrite into C:\Windows\system32\TieringEngineService.exe so attacker-controlled code runs as SYSTEM.
- New Microsoft Defender “RedSun” zero-day PoC grants SYSTEM privileges — www.bleepingcomputer.com — 16.04.2026 23:19