Critical Zero-Day "RedSun" Exploit Grants SYSTEM-Level Access in Microsoft Defender
A newly disclosed zero-day vulnerability, dubbed RedSun, enables unprivileged users to escalate privileges to full SYSTEM-level access on fully patched Windows 10, Windows 11, and Windows Server 2019 and later systems. The flaw remains unpatched as of April 2026.
Discovered by security researcher Chaotic Eclipse (also known as Nightmare-Eclipse), RedSun is the second zero-day exploit targeting Microsoft Defender in two weeks. The first, BlueHammer (CVE-2026-33825), was patched in Microsoft’s April 2026 Patch Tuesday updates. Unlike its predecessor, RedSun exploits a distinct attack vector, suggesting deeper architectural weaknesses in Defender.
The exploit leverages a logic flaw in Defender’s cloud file handling mechanism. When Defender detects a malicious file that carries a cloud tag, it writes the file back to its original location instead of quarantining it. RedSun abuses this behavior by:
- Writing an EICAR test file via the Windows Cloud Files API (cldapi.dll).
- Using an opportunistic lock (oplock) to pause Defender’s file restoration.
- Redirecting the write path to C:\Windows\System32 via NTFS directory junctions and reparse points.
- Overwriting a critical system binary (e.g., TieringEngineService.exe) with SYSTEM privileges.
- Executing the compromised binary to gain full SYSTEM-level access.
Independent researcher Will Dormann of Tharros confirmed that the exploit works reliably on fully patched systems, including Windows 10, Windows 11, and Windows Server 2019 and later. The vulnerability, tracked as CVE-2026-33825 with a CVSS score of 7.8 (High), is classified under the CWE category Insufficient Granularity of Access Control and maps to MITRE ATT&CK’s Privilege Escalation tactic (TA0004).
While the full proof-of-concept (PoC) code has not been publicly released, the exploit methodology is documented on GitHub. Microsoft has yet to issue a patch, leaving systems with Defender enabled and cldapi.dll present vulnerable. Security teams are monitoring for anomalous Defender file write activity, particularly oplock-assisted redirections to C:\Windows\System32.
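One defender-side check that follows from the monitoring guidance above, written as an added PowerShell example (it is not code from the article, the researchers, or Microsoft): it verifies the Authenticode signature of the System32 binary the article names as an overwrite target, and enumerates reparse points (junctions and symbolic links) under a user-writable tree whose target resolves into C:\Windows\System32. The binary list, the scan root, and the "validly signed by Microsoft" heuristic are assumptions.

```powershell
# Added defensive check (not from the article): verify the integrity of the
# System32 binary named as an overwrite target, and look for reparse points
# under a user-writable tree that point into System32.

function Test-System32BinaryIntegrity {
    param(
        # Assumption: the article names TieringEngineService.exe; extend as needed.
        [string[]]$Names = @('TieringEngineService.exe')
    )
    foreach ($name in $Names) {
        $path = Join-Path $env:SystemRoot "System32\$name"
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $sig = Get-AuthenticodeSignature -FilePath $path
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        [pscustomobject]@{
            Path       = $path
            Status     = $sig.Status
            Signer     = $subject
            # Assumption: a healthy copy carries a valid Microsoft signature.
            Suspicious = ($sig.Status -ne 'Valid') -or ($subject -notmatch 'Microsoft')
            LastWrite  = (Get-Item -LiteralPath $path).LastWriteTimeUtc
        }
    }
}

function Find-ReparsePointsIntoSystem32 {
    param(
        # Assumption: scan the current user's profile; add other user-writable roots as needed.
        [string]$Root = $env:USERPROFILE
    )
    $target = Join-Path $env:SystemRoot 'System32'
    Get-ChildItem -LiteralPath $Root -Recurse -Force -Attributes ReparsePoint -ErrorAction SilentlyContinue |
        # Target is string[] on Windows PowerShell 5.1 and string on PowerShell 7; -join covers both.
        Where-Object { $_.Target -and (($_.Target -join ';') -like "*$target*") } |
        Select-Object FullName, LinkType, Target
}

# Report findings: any Suspicious=True row, or any reparse point from a
# user-writable location into System32, warrants investigation.
Test-System32BinaryIntegrity | Format-Table -AutoSize
Find-ReparsePointsIntoSystem32 | Format-Table -AutoSize
```

Run it from an elevated prompt so the signature check can read the binary and the recursive scan is not cut short by access-denied errors.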
Source: https://cybersecuritynews.com/defender-0-day-redsun/
Microsoft Security Response Center cybersecurity rating report: https://www.rankiteo.com/company/microsoft-security-response-center
Record id: MIC1776407067
Link id: microsoft-security-response-center
Type: Vulnerability
Date: 4/2026
Severity: 100
Impact: 5
Explanation: Attack threatening the organization's existence

Affected entity: Microsoft (Technology Vendor; industry: Software; size: Enterprise; location: Global)
Customers affected: Users of Windows 10, Windows 11, and Windows Server 2019 and later with Microsoft Defender enabled
Attack vector: Local Privilege Escalation via Defender's cloud file handling mechanism
Date publicly disclosed: 2026-04
Description: A newly disclosed zero-day vulnerability, dubbed RedSun, enables unprivileged users to escalate privileges to full SYSTEM-level access on fully patched Windows 10, Windows 11, and Windows Server 2019 and later systems. The flaw remains unpatched as of April 2026. The exploit leverages a logic flaw in Defender’s cloud file handling mechanism, allowing attackers to overwrite critical system binaries with SYSTEM privileges.
Operational impact: Full SYSTEM-level access compromise
Systems affected: Windows 10, Windows 11, Windows Server 2019 and later
Investigation status: Ongoing
Root causes: Logic flaw in Defender’s cloud file handling mechanism; insufficient granularity of access control (CWE)
Recommendations: Monitor for anomalous Defender file write activity; apply patches once available; consider temporary mitigation strategies for high-risk environments.
References: GitHub (Exploit Methodology Documentation); Tharros (Will Dormann)
Containment measures: Monitoring for anomalous Defender file write activity, particularly oplock-assisted redirections to C:\Windows\System32
Enhanced monitoring: Yes
Title: Critical Zero-Day 'RedSun' Exploit Grants SYSTEM-Level Access in Microsoft Defender
Incident type: Zero-Day Vulnerability
Vulnerability exploited: CVE-2026-33825 (CVSS 7.8, High)