RedSun Exploit Hits Microsoft Defender Zero-Day, Grants SYSTEM Access
Works even on fully updated Windows devices
A newly released proof-of-concept exploit called RedSun is raising serious concerns around Microsoft Defender security. The exploit allows attackers to gain full SYSTEM-level access even on fully updated Windows systems.
Security researcher Chaotic Eclipse published the PoC, demonstrating how the vulnerability can be abused for local privilege escalation. The flaw affects Windows 10, Windows 11, and Windows Server 2019 and newer, meaning a large number of systems remain exposed despite having the latest April 2026 updates installed.
Exploit bypasses Defender protections using file rewrite behavior
RedSun takes advantage of how Microsoft Defender handles flagged malicious files. Instead of permanently blocking or isolating them, Defender can, under certain conditions, restore such files to their original location, and that restore step is what the exploit abuses.
The exploit chain combines multiple techniques, including the use of the Cloud Files API, a Volume Shadow Copy race condition, and directory junctions or reparse points. By chaining these elements together, the attacker redirects a file overwrite operation into a protected system path.
As a result, a malicious executable gets written into a system directory and executes with SYSTEM privileges, effectively giving full control over the machine.
Confirmed working and difficult to detect
Security expert Will Dormann independently confirmed that the exploit works as described, successfully demonstrating full privilege escalation in real-world conditions. This validation increases the severity of the issue, as it confirms that exploitation does not rely on theoretical assumptions.
Some antivirus solutions can detect the exploit, but only because it includes the EICAR test string, a standard marker used to trigger AV detection. Attackers can easily bypass this by encrypting or modifying the string, making detection unreliable in real scenarios.
RedSun remains unpatched as concerns grow
Microsoft has not yet released a patch for the RedSun vulnerability, leaving systems at risk even if they are fully updated. This situation highlights ongoing concerns about Defender’s internal behavior and how certain design decisions can be leveraged for privilege escalation.
This exploit follows the recent release of BlueHammer, another Defender-related vulnerability. Counting other emerging threats, three major exploits are now circulating in the wild, with RedSun among the most critical because it works on fully patched systems.
Via BleepingComputer