Advisory

Microsoft Defender RedSun Zero-Day Exploit Grants SYSTEM Privileges

Take action: Update the Microsoft Defender Antimalware Platform ASAP to version 4.18.26030.3011 or later (delivered through Windows Update) to fix the BlueHammer flaw. The RedSun flaw has no patch yet, so until Microsoft releases one, have your security team monitor for unusual Defender file write activity targeting C:\Windows\System32 and consider deploying endpoint detection rules to catch oplock-assisted file redirection. If you don't have a security team, make sure automatic Windows Updates are turned on and limit who can log in to your Windows machines locally, since the flaw is a local privilege escalation and requires an attacker to already run code on the machine.


Learn More

A security researcher known as "Chaotic Eclipse" (also identified as "Nightmare-Eclipse" on GitHub) has published a second proof-of-concept (PoC) exploit targeting Microsoft Defender within a two-week span, this time dubbed "RedSun." 

The exploit targets a local privilege escalation (LPE) flaw in Windows Defender's cloud file handling mechanism, affecting fully patched versions of Windows 10, Windows 11, and Windows Server 2019 and later, provided Windows Defender is enabled. 

The researcher states the disclosures are acts of protest against Microsoft's treatment of vulnerability researchers who report issues to the Microsoft Security Response Center (MSRC), alleging a deeply adversarial and retaliatory experience. Microsoft responded by reaffirming its commitment to coordinated vulnerability disclosure, calling it a widely adopted industry practice designed to protect customers and the research community alike.

The RedSun exploit targets a deeply ironic logic flaw: when Windows Defender detects a malicious file carrying a cloud tag, instead of quarantining or removing it, it writes the file back to its original location. The PoC abuses this behavior by using the Windows Cloud Files API to write an EICAR test file, using an opportunistic lock (oplock) to win a race condition involving volume shadow copies, and then deploying a directory junction and reparse point to redirect Defender's write operation to C:\Windows\System32\TieringEngineService.exe.

When Defender's Cloud Files Infrastructure resumes, it executes the attacker-planted binary as SYSTEM, completing the privilege escalation. Will Dormann, principal vulnerability analyst at Tharros, independently confirmed that the exploit works reliably (near 100% of the time) against Windows 11, Windows Server 2019 and later, and Windows 10 with the April 2026 patches applied.

The companion vulnerability exploited in the first disclosure, "BlueHammer," is tracked as CVE-2026-33825 (CVSS score 7.8). It is caused by a race condition in Windows Defender's file remediation logic that can be exploited to overwrite arbitrary files and achieve SYSTEM-level code execution from an unprivileged account. Microsoft credited two other security researchers, Zen Dodd and Yuanpei XU, with reporting that bug.

RedSun is an entirely separate attack vector and, at the time of writing, has no available patch. The patch for the BlueHammer flaw was released on April 14, 2026, and requires updating to Microsoft Defender Antimalware Platform version 4.18.26030.3011 or later.
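The patch state above can be checked per host rather than trusted to Windows Update. The following PowerShell is an added example, not code from the BleepingComputer report, the researcher's PoC or Microsoft; it assumes the built-in Defender PowerShell module (Get-MpComputerStatus) is available, uses the fix version named in this advisory as the threshold, and reports whether the RedSun precondition the advisory describes (Defender enabled and cldapi.dll present) holds. The fleet sweep at the bottom assumes WinRM is enabled and uses placeholder hostnames.

```powershell
# Added example (not from the original report): report this host's Defender patch state
# against the BlueHammer fix version named in the advisory, and whether the RedSun
# precondition (Defender enabled, cldapi.dll present) holds. Run from an elevated prompt.
function Get-DefenderPatchState {
    # Version from the advisory: Antimalware Platform 4.18.26030.3011 fixes BlueHammer (CVE-2026-33825).
    $fixedPlatform = [version]'4.18.26030.3011'

    # Get-MpComputerStatus ships with the Defender module on Windows 10/11/Server.
    $status   = Get-MpComputerStatus
    $platform = [version]$status.AMProductVersion        # Antimalware Platform version
    $cldapi   = Test-Path (Join-Path $env:SystemRoot 'System32\cldapi.dll')

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        DefenderEnabled    = $status.AntivirusEnabled
        RealTimeProtection = $status.RealTimeProtectionEnabled
        PlatformVersion    = $platform
        EngineVersion      = $status.AMEngineVersion
        BlueHammerPatched  = ($platform -ge $fixedPlatform)
        # RedSun has no fix; the advisory treats any system with cldapi.dll as potentially affected.
        CldApiPresent      = $cldapi
        RedSunExposed      = ($status.AntivirusEnabled -and $cldapi)
    }
}

# Single host:
Get-DefenderPatchState | Format-List

# Fleet sweep over WinRM (hostnames are placeholders); list hosts still needing attention:
# Invoke-Command -ComputerName 'ws01','ws02' -ScriptBlock ${function:Get-DefenderPatchState} |
#     Where-Object { -not $_.BlueHammerPatched -or $_.RedSunExposed } | Format-Table -AutoSize
```

Note that Update-MpSignature only refreshes signatures and the engine; the Antimalware Platform version checked here is updated through Windows Update, so a host that reports BlueHammerPatched = False needs a platform update, not a signature refresh.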

Detection of the RedSun exploit is inconsistent. Some antivirus engines on VirusTotal flag the PoC executable due to the embedded EICAR test string, but when the EICAR string is encrypted within the binary, detections drop sharply. Microsoft Defender itself does not currently detect the exploit in either form. Security teams are advised to monitor for anomalous Defender file write activity, particularly involving cldapi.dll operations targeting C:\Windows\System32, and to implement endpoint detection rules to flag oplock-assisted file redirection behaviors until Microsoft issues a formal fix. Any Windows system with cldapi.dll present should be considered potentially affected.
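The interim monitoring recommended above can be turned into three concrete host checks: whether the file RedSun's PoC overwrites is still the Microsoft-signed original, whether any reparse point under user-writable paths resolves into System32 (the redirection primitive the PoC uses), and whether the Defender engine has created files in System32. This is an added example, not detection content from Microsoft, Picus Security or the report. It assumes Sysmon is installed with FileCreate (Event ID 11) logging, that the redirected write shows up attributed to the Defender engine process MsMpEng.exe (an assumption about telemetry, not a fact from the report; the image pattern is a parameter), and that the legitimate TieringEngineService.exe carries a Microsoft signature that Get-AuthenticodeSignature can validate. The scan roots are example locations.

```powershell
# Added example (not from the original report): three interim checks for RedSun-style abuse.
# Run from an elevated prompt; Sysmon with Event ID 11 logging is assumed for the third check.

# 1. Is the file the PoC overwrites still a validly Microsoft-signed binary?
function Test-TieringEngineIntegrity {
    $path = Join-Path $env:SystemRoot 'System32\TieringEngineService.exe'
    if (-not (Test-Path $path)) { return [pscustomobject]@{ Path = $path; Exists = $false } }
    $sig  = Get-AuthenticodeSignature -FilePath $path   # also validates catalog-signed system files
    $item = Get-Item $path
    [pscustomobject]@{
        Path            = $path
        Exists          = $true
        SignatureStatus = $sig.Status
        Signer          = $sig.SignerCertificate.Subject
        # A planted binary may be signed by someone, so require both a valid chain and a Microsoft subject.
        MicrosoftSigned = ($sig.Status -eq 'Valid' -and $sig.SignerCertificate.Subject -like '*Microsoft*')
        LastWriteUtc    = $item.LastWriteTimeUtc
        Sha256          = (Get-FileHash -Path $path -Algorithm SHA256).Hash
    }
}

# 2. Junctions / symlinks in user-writable locations that resolve into System32.
function Find-ReparsePointsIntoSystem32 {
    param([string[]]$Roots = @("$env:SystemDrive\Users", "$env:SystemDrive\ProgramData", $env:TEMP))
    $system32 = Join-Path $env:SystemRoot 'System32'
    foreach ($root in $Roots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root -Recurse -Force -Attributes ReparsePoint -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Target may be an array on PS 5.1 and may carry the NT "\??\" prefix; normalise both.
            $target = ($_.Target | Select-Object -First 1) -replace '^\\\?\?\\', ''
            if ($target -and $target -like "$system32*") {
                [pscustomobject]@{ Link = $_.FullName; LinkType = $_.LinkType; Target = $target }
            }
        }
    }
}

# 3. Sysmon FileCreate events where the Defender engine wrote into System32.
function Get-DefenderWritesToSystem32 {
    param([int]$Hours = 24, [string]$ImagePattern = '*\MsMpEng.exe')   # attribution to MsMpEng.exe is an assumption
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 11; StartTime = (Get-Date).AddHours(-$Hours) }
    $system32 = Join-Path $env:SystemRoot 'System32'
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d.Image -like $ImagePattern -and $d.TargetFilename -like "$system32\*") {
            [pscustomobject]@{ Time = $_.TimeCreated; Image = $d.Image; Target = $d.TargetFilename; ProcessId = $d.ProcessId }
        }
    }
}

Test-TieringEngineIntegrity      | Format-List
Find-ReparsePointsIntoSystem32   | Format-Table -AutoSize
Get-DefenderWritesToSystem32 -Hours 24 | Format-Table -AutoSize
```

Baseline the third check before alerting on it: some legitimate Defender activity touches System32, so the useful signal is a new file under System32 whose name matches an existing service binary (such as TieringEngineService.exe) rather than any write at all. The first check is the cheapest confirmation after a suspected incident, since a successful RedSun run leaves a non-Microsoft binary at that path.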

Within a thirteen-day window in April 2026, multiple zero-day exploits targeting Windows Defender were disclosed: "BlueHammer," which enables local privilege escalation through Defender's file remediation logic; "UnDefend," which disrupts Defender's update mechanism to gradually weaken its protection; and "RedSun," which abuses Defender's handling of cloud-tagged files to overwrite system paths (summary per Picus Security). The original BleepingComputer report on RedSun can be found at:

Microsoft Defender RedSun Zero-Day Exploit Grants SYSTEM Privileges