Today's cybersecurity headlines are brought to you by ThreatPerspective


Ethical Hacking News

New Microsoft Defender Zero-Day Exploit: A Threat to System Privileges



A new Microsoft Defender zero-day vulnerability has been discovered, allowing attackers to gain SYSTEM privileges on fully patched systems. Read more about the RedSun exploit and how to protect yourself.

  • A researcher known as Chaotic Eclipse has published a proof-of-concept (PoC) exploit, dubbed "RedSun," for an unpatched zero-day vulnerability in Microsoft Defender.
  • The RedSun exploit allows a local attacker to gain SYSTEM privileges on fully patched systems running Windows 10, Windows 11, and Windows Server.
  • The vulnerability is a local privilege escalation (LPE) flaw that abuses the way Defender rewrites a detected file, in combination with the Cloud Files API.
  • Microsoft has acknowledged the issue and says it is working on a fix; no patch was available at the time of writing.
  • Exploitation requires prior code execution on the target, but Defender ships with Windows 10, Windows 11 and Windows Server, so the population of affected systems is not small.



  • The security researcher known as Chaotic Eclipse has published a proof-of-concept (PoC) exploit, dubbed "RedSun," for a zero-day vulnerability in Microsoft Defender. The vulnerability allows a local attacker to gain SYSTEM privileges on fully patched systems running Windows 10, Windows 11, and Windows Server.

    RedSun is a local privilege escalation (LPE) flaw that takes advantage of the behavior of the Cloud Files API. According to Chaotic Eclipse, when Defender learns from Microsoft's cloud-based protection that a file has been flagged as malicious, it will often rewrite the file at its original location. RedSun abuses this rewrite to overwrite a system binary and so obtain SYSTEM-level privileges.

    The vulnerability was first discovered by Chaotic Eclipse, who published the PoC exploit as a protest against how Microsoft works with cybersecurity researchers. According to Eclipse, he had previously disclosed vulnerabilities to the Microsoft Security Response Center (MSRC), only to have his life "mopped the floor with" in response. The researcher alleges that Microsoft's actions were intended to discourage further vulnerability disclosure.

    Microsoft has since acknowledged the issue and says it is working on a fix. According to Will Dormann, principal vulnerability analyst at Tharros, the exploit uses the Cloud Files API to write the EICAR antivirus test file to a file on disk, which triggers Defender's detection and an oplock/volume shadow copy race. A directory junction (reparse point) then redirects Defender's rewrite of the file to C:\Windows\System32\TieringEngineService.exe, so that the attacker's RedSun executable runs as SYSTEM.
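    The checks a defender can run today follow directly from the mechanism described above: the binary named as the target should still carry a valid Microsoft signature and not be a reparse point, user-writable directories should not contain junctions pointing into System32, and an EICAR detection written through the Cloud Files API leaves a trace in Defender's own event log. The PowerShell below is an added example written for this article, not code from the page, from the researcher, or from Microsoft. It assumes the target path reported by Dormann, that Defender logs detections to its Operational channel as event IDs 1116 (detected) and 1117 (action taken), and that EICAR is reported under a threat name containing "EICAR"; the directories it scans for junctions are a constructed starting set.

```powershell
# Added example: hunt for signs of RedSun-style abuse on one Windows host.
# Not the researcher's PoC and not Microsoft guidance. Run as Administrator.
# Assumed values (not from the article): event IDs 1116/1117, the scan roots,
# and that a valid Authenticode status is the practical integrity check.

$Target = 'C:\Windows\System32\TieringEngineService.exe'   # path reported by Dormann

function Test-TargetIntegrity {
    param([string]$Path = $Target)
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Status = 'Missing'; Signer = $null; IsReparse = $false }
    }
    $item = Get-Item -LiteralPath $Path -Force
    $sig  = Get-AuthenticodeSignature -FilePath $Path     # catalog-signed files report 'Valid' too
    [pscustomobject]@{
        Path      = $Path
        Status    = $sig.Status                            # anything but 'Valid' is suspicious
        Signer    = $sig.SignerCertificate.Subject         # expect a Microsoft Windows signer
        LastWrite = $item.LastWriteTimeUtc                 # compare against your patch baseline
        IsReparse = [bool]($item.Attributes -band [IO.FileAttributes]::ReparsePoint)
        Sha256    = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    }
}

function Find-JunctionsIntoSystem32 {
    # Assumed scan roots: places a low-privileged user can create reparse points.
    param([string[]]$Roots = @($env:TEMP, $env:LOCALAPPDATA, "$env:SystemDrive\Users\Public"))
    foreach ($root in $Roots) {
        Get-ChildItem -LiteralPath $root -Recurse -Force -Attributes ReparsePoint -ErrorAction SilentlyContinue |
            Where-Object { $_.LinkType -in 'Junction', 'SymbolicLink' } |
            ForEach-Object {
                $dest = @($_.Target) -join ';'             # string[] on PS 5.1, string on PS 7
                if ($dest -match '(?i)\\Windows\\(System32|SysWOW64)') {
                    [pscustomobject]@{ Link = $_.FullName; Type = $_.LinkType; Target = $dest }
                }
            }
    }
}

function Get-RecentEicarDetections {
    param([int]$Hours = 24)
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1116, 1117
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'EICAR' } |
        ForEach-Object {
            # The message carries the detected path as "file:_C:\..."; pull it out.
            $path = if ($_.Message -match 'file:_([^\r\n]+)') { $Matches[1].Trim() } else { $null }
            [pscustomobject]@{ Time = $_.TimeCreated; Id = $_.Id; Path = $path }
        }
}

$integrity = Test-TargetIntegrity
if ($integrity.Status -ne 'Valid' -or $integrity.IsReparse) {
    Write-Warning "Integrity check FAILED for $($integrity.Path): status=$($integrity.Status) reparse=$($integrity.IsReparse)"
} else {
    Write-Host "OK: $($integrity.Path) signed by $($integrity.Signer), hash $($integrity.Sha256)"
}
Write-Host "Junctions/symlinks pointing into System32:"
Find-JunctionsIntoSystem32 | Format-Table -AutoSize
Write-Host "EICAR detections in the last 24 hours:"
Get-RecentEicarDetections | Format-Table -AutoSize
```

    A clean result is not proof of absence: the EICAR check only catches the PoC as published, since a real attacker could trigger the same rewrite with any file Defender detects, and a valid signature only attests to the binary's current contents, so record the hash and last-write time as a baseline and alert on change. The service target is the one named in this report; a variant could aim the rewrite at any other binary that runs as SYSTEM.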

    The RedSun exploit has already gained notoriety among cybersecurity researchers and security professionals. Because it is a local privilege escalation, an attacker first needs to run code on the target as a low-privileged user, which limits it compared with remotely exploitable zero-days; but Defender ships with Windows 10, Windows 11 and Windows Server, so "only affects systems running Windows Defender" describes most Windows installations rather than a narrow subset.

    In related news, Microsoft released its April 2026 Patch Tuesday update, which fixes a total of 167 flaws, including two zero-days. Additionally, Adobe has rolled out an emergency fix for Acrobat Reader, addressing a previously disclosed zero-day flaw.

    As always, it's essential to keep your systems up to date with the latest security patches. Note, however, that no fix for RedSun was available at the time of writing, so being fully patched does not by itself mitigate it. Apply Microsoft's fix as soon as it ships, and until then treat any unexpected modification of C:\Windows\System32\TieringEngineService.exe, or unexpected junctions and reparse points in user-writable directories, as a possible sign of attempted exploitation.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/New-Microsoft-Defender-Zero-Day-Exploit-A-Threat-to-System-Privileges-ehn.shtml

  • https://www.bleepingcomputer.com/news/microsoft/new-microsoft-defender-redsun-zero-day-poc-grants-system-privileges/

  • https://cyberpress.org/releases-windows-defender-0-day/

  • https://www.darkreading.com/vulnerabilities-threats/bluehammer-windows-exploit-microsoft-bug-disclosure-issues

  • https://breach-hq.com/threat-actors

  • https://www.cisa.gov/news-events/cybersecurity-advisories/aa26-097a


  • Published: Thu Apr 16 16:42:23 2026 by llama3.2 3B Q4_K_M

    © Ethical Hacking News. All rights reserved.