Microsoft Defender RedSun LPE zero-day privilege-escalation flaw
Vulnerability
Summary
Hide ▲
Show ▼
A public RedSun proof-of-concept exposed a Microsoft Defender local privilege escalation zero-day that can reach SYSTEM on Windows 10, Windows 11, and Windows Server when Defender is enabled. The flaw affects systems on the latest April Patch Tuesday patches, making the exposure relevant even for fully updated hosts. The exploit publication matters because it shows a practical path to full administrative control rather than a theoretical weakness.
Related Happenings
Microsoft Defender BlueHammer (CVE-2026-33825) ransomware exploitation wave
Exploitation Wave
H score41
First: 30.06.2026 11:53
Last: 30.06.2026 11:53
Sources 1
About this happening:
CISA has flagged **BlueHammer (CVE-2026-33825)** as exploited in **ransomware campaigns**, expanding the risk to **Windows devices** exposed to privilege escalation. The flaw in *...
Microsoft Defender BlueHammer (CVE-2026-33825) ransomware exploitation wave
Exploitation WaveAbout this happening: CISA has flagged **BlueHammer (CVE-2026-33825)** as exploited in **ransomware campaigns**, expanding the risk to **Windows devices** exposed to privilege escalation. The flaw in *...
Microsoft Malware Protection Engine race-condition elevation-of-privilege remote code execution flaw (CVE-2026-50656)
Vulnerability
H score32
First: 17.06.2026 11:32
Last: 17.06.2026 11:32
Sources 1
About this happening:
**Microsoft** has released a security update for **CVE-2026-50656** after public disclosure of **RoguePlanet**, a **privilege-escalation** flaw in the **Microsoft Malware Protecti...
Microsoft Malware Protection Engine race-condition elevation-of-privilege remote code execution flaw (CVE-2026-50656)
VulnerabilityAbout this happening: **Microsoft** has released a security update for **CVE-2026-50656** after public disclosure of **RoguePlanet**, a **privilege-escalation** flaw in the **Microsoft Malware Protecti...
Microsoft Defender RoguePlanet race-condition zero-day remote code execution flaw
Vulnerability
H score39
First: 10.06.2026 02:11
Last: 10.06.2026 02:11
Sources 1
About this happening:
Microsoft Defender zero-day RoguePlanet is a race-condition flaw affecting fully patched Windows 10 and Windows 11 systems. A public proof-of-concept exploit was released shortly...
Microsoft Defender RoguePlanet race-condition zero-day remote code execution flaw
VulnerabilityAbout this happening: Microsoft Defender zero-day RoguePlanet is a race-condition flaw affecting fully patched Windows 10 and Windows 11 systems. A public proof-of-concept exploit was released shortly...
Latest development: 10.06.2026 08:22
The anonymous security researcher Chaotic Eclipse, also known as Nightmare-Eclipse, released a proof-of-concept (PoC) exploit for the Microsoft Defender zero-day RoguePlanet under a new GitHub account named MSNightmare. The race-condition exploit can yield a SYSTEM-level shell and arbitrary code execution when it succeeds, has been tested on Windows 11 and Windows 10 with the June 2026 Patch Tuesday updates installed, and currently does not work on Windows Server without redesign because standard users cannot mount an ISO image.
Microsoft Defender zero-days exploited in attacks (multiple vulnerabilities)
Vulnerability
H score39
First: 21.05.2026 10:49
Last: 21.05.2026 10:49
Sources 1
About this happening:
Microsoft began rolling out fixes for **CVE-2026-41091** and **CVE-2026-45498**, two **actively exploited zero-days** in **Microsoft Defender** components that affect unpatched Wi...
Microsoft Defender zero-days exploited in attacks (multiple vulnerabilities)
VulnerabilityAbout this happening: Microsoft began rolling out fixes for **CVE-2026-41091** and **CVE-2026-45498**, two **actively exploited zero-days** in **Microsoft Defender** components that affect unpatched Wi...
Windows cldflt.sys privilege escalation (CVE-2020-17103)
Vulnerability
H score28
First: 18.05.2026 01:30
Last: 18.05.2026 01:30
Sources 1
About this happening:
A public **MiniPlasma** proof-of-concept has renewed concern around the **Windows cldflt.sys Cloud Filter driver** because it can elevate a **standard user** to **SYSTEM** on **fu...
Windows cldflt.sys privilege escalation (CVE-2020-17103)
VulnerabilityAbout this happening: A public **MiniPlasma** proof-of-concept has renewed concern around the **Windows cldflt.sys Cloud Filter driver** because it can elevate a **standard user** to **SYSTEM** on **fu...
Timeline
-
17.04.2026 16:21 1 articles · 2mo ago
Huntress reports active RedSun exploitation in Microsoft Defender
Exploitation ObservedHuntress reports that threat actors are exploiting Microsoft Defender flaws, including RedSun, to gain elevated privileges on compromised systems, and says it isolated the affected organization to prevent further post-exploitation.
Show sources
- Three Microsoft Defender Zero-Days Actively Exploited; Two Still Unpatched — thehackernews.com — 17.04.2026 16:21
-
16.04.2026 23:19 1 articles · 2mo ago
Chaotic Eclipse publishes RedSun Microsoft Defender PoC
Initial DisclosureChaotic Eclipse publishes the RedSun proof-of-concept for a Microsoft Defender local privilege escalation zero-day that grants SYSTEM on Windows 10, Windows 11, and Windows Server when Windows Defender is enabled on the latest April Patch Tuesday patches. Will Dormann confirms the exploit works on fully patched Windows 10, Windows 11, and Windows Server 2019 and later, and notes that it uses the Cloud Files API, EICAR, an oplock, a volume shadow copy race, and a directory junction/reparse point to redirect a rewrite into C:\Windows\system32\TieringEngineService.exe so attacker-controlled code runs as SYSTEM.
Show sources
- New Microsoft Defender “RedSun” zero-day PoC grants SYSTEM privileges — www.bleepingcomputer.com — 16.04.2026 23:19