Microsoft Defender "RedSun" Zero-Day PoC Grants SYSTEM Privileges
A newly published proof-of-concept exploit called "RedSun" weaponizes Microsoft Defender's own file restoration logic to grant attackers the highest level of system access on fully patched Windows machines. Every organization running Windows 10, Windows 11, or Windows Server with Defender enabled should act immediately.
A security researcher using the alias "Chaotic Eclipse" has released a proof-of-concept exploit called "RedSun" that turns Microsoft Defender against the systems it is supposed to protect.
The exploit escalates privileges from a standard, low-privileged user account to NT AUTHORITY\SYSTEM, which is the highest privilege level available on a Windows machine. It works reliably on fully patched systems as of April 2026.
A Pattern of Releases
This disclosure is part of a troubling pattern. Within a 13-day window in April 2026, the same researcher released three separate exploits targeting Microsoft Defender:
- BlueHammer: tied to CVE-2026-33825 and addressed in the April 2026 Patch Tuesday release.
- UnDefend: designed to quietly degrade Defender's update mechanism over time.
- RedSun: the third and most aggressive of the three, and currently unpatched.
Independent researcher Will Dormann confirmed that RedSun works 100 percent reliably against Windows 11 and Windows Server with April 2026 updates applied, as well as Windows 10, as long as Microsoft Defender is enabled.
How RedSun Works
RedSun abuses a logic flaw in how Microsoft Defender handles files marked as cloud placeholders through the Windows Cloud Files API. When Defender encounters a file tagged this way, the antivirus engine attempts to restore the file to its original location rather than simply quarantining it. RedSun hijacks that restore operation.
The attack chain works as follows:
1. The attacker places a crafted file in a location where Defender will detect it.
2. Before Defender can fully act, the attacker replaces the file with a cloud placeholder.
3. As Defender initiates its rollback operation, the attacker uses NTFS junctions and opportunistic locks to pause the file operation and redirect the target write path to a critical system directory, such as C:\Windows\System32.
4. When the lock is released and Defender resumes, it follows the redirected path and writes the file using its own SYSTEM-level privileges.
5. The attacker can use this to overwrite a legitimate Windows service binary with a malicious payload.
The next time that service runs, the attacker achieves full system control without ever needing elevated privileges, administrative rights, or user interaction. In effect, the exploit turns Microsoft's own security tooling into a delivery mechanism for malicious payloads.
CVE and Disclosure Context
The original BlueHammer vulnerability is tracked as CVE-2026-33825, rated 7.8 out of 10 and classified as "Important." RedSun represents a separate and currently unpatched attack path. The vulnerability class is insufficient granularity of access control, which allowed Defender's privileged file operations to be redirected by a low-privileged attacker.
Chaotic Eclipse stated that initial disclosure attempts through the Microsoft Security Response Center were not handled to their satisfaction, which prompted the public release. Microsoft credited separate researchers, Zen Dodd and Yuanpei XU, for the disclosure of CVE-2026-33825, which was addressed in the April Patch Tuesday update cycle.
Patching and Immediate Mitigation Steps
For the BlueHammer vulnerability (CVE-2026-33825), organizations should verify that Microsoft Defender Antimalware Platform version 4.18.26050.3011 or higher is installed. Platform updates are distributed through Windows Update and typically happen automatically. Administrators should confirm the patched version is reflected across all endpoints.
For the unpatched RedSun path, Microsoft has not yet issued a formal statement or emergency patch. In the interim, administrators can disable cloud-delivered protection using PowerShell:
Set-MpPreference -DisableCloudProtection $true
This is not recommended as a long-term measure. It weakens overall Defender coverage and should be re-enabled as soon as a patch is available.
Additional mitigations include:
- Enforcing least-privilege access controls so standard users cannot write to or execute from user-writable directories near system paths.
- Enabling behavioral monitoring and endpoint detection and response tools to catch abnormal file write activity by Defender processes.
- Segmenting networks to limit lateral movement if a workstation is compromised.
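The following PowerShell is an added example, not part of the original article, for checking the two things this section asks administrators to verify on each endpoint: whether the Defender platform is at or above the 4.18.26050.3011 level named above, and whether cloud-delivered protection and behavior monitoring are currently on. It assumes the built-in Defender module (Get-MpComputerStatus, Get-MpPreference) is present; cloud-delivered protection is read from the MAPSReporting preference, where 0 means disabled. The endpoints.txt file name is a placeholder.

```powershell
# Added example (not from the article): report Defender patch level and
# protection state so exposure to BlueHammer/RedSun can be triaged per host.
function Test-DefenderExposure {
    # Platform version named in the article as the CVE-2026-33825 fix level
    $patchedPlatform = [version]'4.18.26050.3011'

    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference
    # AMProductVersion is the Antimalware Platform version (not the engine or signatures)
    $platform = [version]$status.AMProductVersion

    [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        PlatformVersion    = $platform.ToString()
        PlatformPatched    = ($platform -ge $patchedPlatform)
        DefenderEnabled    = $status.AntivirusEnabled
        RealTimeProtection = $status.RealTimeProtectionEnabled
        # MAPSReporting 0 = cloud-delivered protection disabled (the interim mitigation above)
        CloudProtection    = ($pref.MAPSReporting -ne 0)
        BehaviorMonitoring = (-not $pref.DisableBehaviorMonitoring)
    }
}

# Local check
Test-DefenderExposure | Format-List

# Fleet check over WinRM: list hosts that are unpatched or still exposed to the
# unpatched RedSun path (cloud protection on). endpoints.txt is a placeholder name.
$hosts = Get-Content .\endpoints.txt
Invoke-Command -ComputerName $hosts -ScriptBlock ${function:Test-DefenderExposure} |
    Where-Object { -not $_.PlatformPatched -or $_.CloudProtection } |
    Format-Table Computer, PlatformVersion, PlatformPatched, CloudProtection, BehaviorMonitoring
```

Hosts showing PlatformPatched = False still need the April platform update; hosts showing CloudProtection = True have not applied the interim RedSun mitigation, which should be weighed against the coverage loss the article describes.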
What This Means for Your Organization
This exploit cluster highlights the risk of relying on a single endpoint protection solution without supporting controls. Ransomware operators and advanced threat actors are known to integrate public local privilege escalation code within days of release. A reliable, weaponized proof-of-concept means the window to patch or mitigate is very short.
Because RedSun requires local access to execute, the primary concern is post-initial-access scenarios. An attacker who gains a foothold through phishing, a compromised credential, or a vulnerable application can use RedSun to immediately escalate privileges and take full control of the machine.
Organizations should take these steps now:
- Monitor the Microsoft Security Response Center for updates on the RedSun path.
- Apply the April 2026 Patch Tuesday updates if not already done.
- Validate Defender platform versions across all endpoints.
- Review user privilege assignments to reduce the impact of any compromise.
Cyber One Solutions monitors emerging threats and vulnerability disclosures continuously. If your organization needs help assessing exposure, reviewing endpoint configurations, or setting up compensating controls, contact our team today.
