Microsoft Defender "RedSun" Zero-Day PoC Grants SYSTEM Privileges
A newly published proof-of-concept exploit called "RedSun" weaponizes Microsoft Defender's own file restoration logic to grant attackers the highest level of system access on fully patched Windows machines. Every organization running Windows 10, Windows 11, or Windows Server with Defender enabled should act immediately.
A security researcher using the alias "Chaotic Eclipse" has released a new proof-of-concept (PoC) exploit called "RedSun" that turns Microsoft Defender against the very systems it is supposed to protect.
The exploit escalates privileges from a standard, low-privileged user account all the way to NT AUTHORITY\SYSTEM, the highest privilege level available on a Windows machine, and it works reliably on fully patched systems as of April 2026.
This disclosure is part of a troubling pattern. Within a 13-day window in April 2026, the same researcher dropped three separate exploits targeting Microsoft Defender. The first, "BlueHammer," was tied to CVE-2026-33825 and addressed in the April 2026 Patch Tuesday release. The second, "UnDefend," was designed to quietly degrade Defender's update mechanism over time.
RedSun is the third and most aggressive of the three, and it currently has no patch.
The security community took notice quickly. Independent researcher Will Dormann confirmed that the exploit works 100 percent reliably against Windows 11 and Windows Server with April 2026 updates applied, as well as Windows 10, as long as Microsoft Defender is enabled.
How RedSun Works
RedSun abuses a logic flaw in how Microsoft Defender handles files marked with a "cloud" attribute using the Windows Cloud Files API. When Defender encounters a file tagged this way, instead of simply quarantining or deleting it, the antivirus engine attempts to restore the file back to its original location. RedSun hijacks that process.
The attack chain works as follows. The attacker first places a crafted file, such as an EICAR test string, in a location where Defender will detect it. Before Defender can fully act, the attacker replaces the file with a cloud placeholder.
As Defender initiates its rollback operation, the attacker uses a combination of NTFS junctions and opportunistic locks to pause the file operation mid-execution and redirect the target write path to a critical system directory such as C:\Windows\System32.
When the lock is released and Defender resumes, it follows the redirected path and writes the file with its own SYSTEM-level privileges. The attacker can use this to overwrite a legitimate Windows service binary with a malicious payload. The next time that service runs, the attacker achieves SYSTEM-level code execution without ever requiring elevated privileges, administrative rights, or user interaction.
In effect, the exploit turns Microsoft's own security tooling into a delivery mechanism for malicious payloads.
CVE-2026-33825 and Disclosure Context
The CVE assigned to the original BlueHammer vulnerability, CVE-2026-33825, is rated 7.8 out of 10 and classified as "Important"; RedSun, by contrast, represents a new and currently unpatched attack path. The vulnerability class is "insufficient granularity of access control," a weakness that allowed Defender's privileged file operations to be redirected by a low-privileged attacker.
Chaotic Eclipse stated that initial attempts to follow standard vulnerability disclosure procedures through the Microsoft Security Response Center were not handled to their satisfaction, prompting the public release. Microsoft credited separate researchers, Zen Dodd and Yuanpei XU, for the disclosure of CVE-2026-33825, which was addressed in the April Patch Tuesday update cycle.
Patching and Immediate Mitigation Steps
For the BlueHammer-related vulnerability (CVE-2026-33825), organizations should ensure Microsoft Defender Antimalware Platform version 4.18.26050.3011 or higher is installed. Platform updates are distributed through Windows Update and typically happen automatically. Administrators should verify that Defender's platform version reflects the patched release across all endpoints.
For the unpatched RedSun path, Microsoft has not yet issued a formal statement or emergency patch. In the interim, administrators can disable cloud-delivered protection using PowerShell with the command Set-MpPreference -DisableCloudProtection $true, but this is not recommended as a long-term measure because it weakens overall Defender coverage. This setting should be re-enabled as soon as a patch is available.
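The version check and the cloud-protection state described above can be collected across endpoints in one pass. The following PowerShell function is an added example for this article, not Microsoft's or the researcher's code; it assumes the Defender PowerShell module (Get-MpComputerStatus, Get-MpPreference) is present on each host, that WinRM remoting is enabled for remote hosts, and it uses the platform version named above as the minimum. The MAPSReporting value is how Get-MpPreference exposes cloud-delivered protection (0 = Disabled).

```powershell
# Added example (not from the article): audit Defender platform version and
# cloud-protection state on one or more endpoints via PowerShell remoting.
# Assumptions: Defender PowerShell module present; WinRM enabled for remote hosts;
# minimum version is the BlueHammer fix version the article names.
function Test-DefenderBaseline {
    [CmdletBinding()]
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        [version]$MinimumPlatformVersion = [version]'4.18.26050.3011'
    )

    # Runs locally or on the remote host; returns the raw facts we care about.
    $collect = {
        $status = Get-MpComputerStatus
        $pref   = Get-MpPreference
        [pscustomobject]@{
            ComputerName       = $env:COMPUTERNAME
            PlatformVersion    = $status.AMProductVersion       # antimalware platform version
            EngineVersion      = $status.AMEngineVersion
            RealTimeProtection = $status.RealTimeProtectionEnabled
            BehaviorMonitoring = $status.BehaviorMonitorEnabled
            MAPSReporting      = [int]$pref.MAPSReporting       # 0 = Disabled, 1 = Basic, 2 = Advanced
        }
    }

    foreach ($name in $ComputerName) {
        try {
            if ($name -eq $env:COMPUTERNAME) {
                $r = & $collect
            } else {
                $r = Invoke-Command -ComputerName $name -ScriptBlock $collect -ErrorAction Stop
            }
            $platform = [version]$r.PlatformVersion
            [pscustomobject]@{
                ComputerName       = $r.ComputerName
                PlatformVersion    = $r.PlatformVersion
                PlatformPatched    = ($platform -ge $MinimumPlatformVersion)
                CloudProtectionOn  = ($r.MAPSReporting -ne 0)
                RealTimeProtection = $r.RealTimeProtection
                BehaviorMonitoring = $r.BehaviorMonitoring
                Error              = $null
            }
        } catch {
            # Unreachable host or missing Defender module: report rather than stop the sweep.
            [pscustomobject]@{
                ComputerName       = $name
                PlatformVersion    = $null
                PlatformPatched    = $false
                CloudProtectionOn  = $null
                RealTimeProtection = $null
                BehaviorMonitoring = $null
                Error              = $_.Exception.Message
            }
        }
    }
}

# Usage (hostnames are placeholders):
# Test-DefenderBaseline -ComputerName 'ws01','ws02' | Format-Table -AutoSize
```

Rows with PlatformPatched set to False identify endpoints still missing the BlueHammer fix; CloudProtectionOn records which hosts have had cloud-delivered protection turned off as an interim RedSun measure so it can be re-enabled once a patch ships.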
Additional mitigations include enforcing least-privilege access controls so that standard users cannot write to or execute from directories adjacent to system paths; enabling behavioral monitoring and endpoint detection and response (EDR) tooling to catch abnormal file write activity by Defender processes; and segmenting networks to limit lateral movement if a workstation is compromised.
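The "abnormal file write activity by Defender processes" that the mitigation above asks EDR to catch can also be hunted in the Windows Security log. The script below is an added example for this article, not Microsoft's or the researcher's code. It assumes that "Audit File System" is enabled and that a SACL auditing write and append access exists on C:\Windows\System32, that the Defender service runs as MsMpEng.exe, and that the event ID 4663 field names (ObjectName, ProcessName, AccessMask, SubjectUserName) follow the standard Windows layout. It flags writes into System32 by the Defender service, which Defender has little routine reason to perform, and lists Defender detections (operational log IDs 1116/1117) in the same window so an analyst can see whether a detection immediately preceded the write.

```powershell
# Added example (not from the article): hunt Security event 4663 for write-type
# access under C:\Windows\System32 by the Defender service process, and list
# Defender detections in the same window for correlation.
# Assumptions: "Audit File System" enabled; SACL on System32 auditing writes;
# Defender service image is MsMpEng.exe; standard 4663 XML field names.
function Find-DefenderSystem32Writes {
    [CmdletBinding()]
    param(
        [int]$Hours = 24,
        [string]$WatchedPath = 'C:\Windows\System32\',
        [string]$DefenderProcess = '\MsMpEng.exe'
    )
    $since = (Get-Date).AddHours(-$Hours)

    # Access-mask bits that modify a file: WriteData/AddFile, AppendData, WriteAttributes, DELETE
    $writeMask = 0x2 -bor 0x4 -bor 0x100 -bor 0x10000

    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $since } `
                           -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        $mask = [int]$d['AccessMask']            # 4663 stores the mask as a "0x..." string
        if ($d['ProcessName'] -like "*$DefenderProcess" -and
            $d['ObjectName']  -like "$WatchedPath*" -and
            ($mask -band $writeMask) -ne 0) {
            [pscustomobject]@{
                Time       = $e.TimeCreated
                ObjectName = $d['ObjectName']
                AccessMask = ('0x{0:X}' -f $mask)
                Process    = $d['ProcessName']
                User       = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            }
        }
    }
}

# Defender's own detection/action events for the same window (IDs 1116 = detected,
# 1117 = action taken), to line up against any System32 writes found above.
function Get-DefenderDetections {
    [CmdletBinding()]
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1116, 1117
        StartTime = $since
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
}

# Usage:
# Find-DefenderSystem32Writes -Hours 48 | Format-Table -AutoSize
# Get-DefenderDetections -Hours 48 | Format-Table -AutoSize
```

Tune the path and access-mask filters to your environment before alerting on the result; a Defender platform update or an administrator-triggered restore could also appear here, so treat a hit as a lead to correlate with the detection timeline rather than a verdict on its own.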
What This Means for Your Organization
This exploit cluster shows a significant architectural risk in relying on a single endpoint protection solution without supporting controls. Ransomware operators and advanced persistent threat actors are known to integrate public local privilege escalation code within days of release. The availability of a reliable, weaponized PoC means that the window to patch or mitigate is extremely short.
Because RedSun requires local access to execute, the primary concern is post-initial-access scenarios. An attacker who gains a foothold through phishing, a compromised credential, or a vulnerable application can use RedSun to immediately escalate privileges and take full control of the machine before any detection tools respond.
Organizations should monitor the Microsoft Security Response Center for updates on the RedSun path, apply the April 2026 Patch Tuesday updates if not already done, validate Defender platform versions across all endpoints, and review user privilege assignments to reduce the blast radius of any compromise.
Cyber One Solutions monitors emerging threats and vulnerability disclosures continuously. If your organization needs help assessing exposure, reviewing endpoint configurations, or setting up compensating controls, contact our team today.