{"id":234139,"date":"2026-04-16T16:19:00","date_gmt":"2026-04-16T20:19:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/04\/16\/new-microsoft-defender-redsun-zero-day-poc-grants-system-privileges\/"},"modified":"2026-04-21T20:45:19","modified_gmt":"2026-04-22T00:45:19","slug":"new-microsoft-defender-redsun-zero-day-poc-grants-system-privileges","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/04\/16\/new-microsoft-defender-redsun-zero-day-poc-grants-system-privileges\/","title":{"rendered":"New Microsoft Defender \u201cRedSun\u201d zero-day PoC grants SYSTEM privileges"},"content":{"rendered":"

New Microsoft Defender \u201cRedSun\u201d zero-day PoC grants SYSTEM privileges<\/a><\/p>\n

https:\/\/www.bleepingcomputer.com\/news\/microsoft\/new-microsoft-defender-redsun-zero-day-poc-grants-system-privileges\/<\/a><\/p>\n

Publish Date: 2026-04-16 16:19:00<\/a><\/p>\n

Source Domain: www.bleepingcomputer.com<\/a><\/p>\n

\n

A researcher known as “Chaotic Eclipse” has published a proof-of-concept exploit for a second Microsoft Defender zero-day, dubbed “RedSun,” in the past two weeks, protesting how the company works with cybersecurity researchers.<\/p>\n

This exploit is for a local privilege escalation (LPE) flaw that grants SYSTEM privileges in Windows 10, Windows 11, and Windows Server on the latest April Patch Tuesday patches, when Windows Defender is enabled.<\/p>\n

“When Windows Defender realizes that a malicious file has a cloud tag, for whatever stupid and hilarious reason, the antivirus that’s supposed to protect decides that it is a good idea to just rewrite the file it found again to it’s original location,” explains the researcher.<\/p>\n

\"image\"<\/p>\n

“The PoC abuses this behaviour to overwrite system files and gain administrative privileges.”<\/p>\n

Will Dormann, principal vulnerability analyst at Tharros, has confirmed to BleepingComputer that the exploit for the new Microsoft Defender RedSun zero-day works and grants SYSTEM privileges on fully patched Windows 10, Windows 11, and Windows Server 2019 and later.<\/p>\n

“This Exploit uses the ‘Cloud Files API’, writes EICAR to a file using it, uses an oplock to win a volume shadow copy race, and uses a directory junction\/reparse point to redirect the file rewrite (with new contents) to C:Windowssystem32TieringEngineService.exe,” Dormann wrote in a thread on Mastodon.<\/p>\n

“At this point, the Cloud Files Infrastructure runs the attacker-planted TieringEngineService.exe (which is the RedSun.exe exploit itself) as SYSTEM. Game over.”<\/p>\n

\"\"RedSun exploit granting SYSTEM privileges in a fully-patched Windows 11<\/strong>
Source: Dormann
\n\u00a0<\/p>\n

Dormann says that some antivirus vendors on VirusTotal are detecting the exploit [VirusTotal] because the exploit executable contains an embedded EIRCAR (antivirus test file). However, he reduced detections [VirusTotal] by encrypting the EICAR string within the executable.<\/p>\n

A more detailed technical writeup about this…<\/p>\n

Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

New Microsoft Defender \u201cRedSun\u201d zero-day PoC grants SYSTEM privileges https:\/\/www.bleepingcomputer.com\/news\/microsoft\/new-microsoft-defender-redsun-zero-day-poc-grants-system-privileges\/ Publish Date: 2026-04-16 16:19:00 Source…<\/p>\n","protected":false},"author":1,"featured_media":234140,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/www.bleepstatic.com\/content\/hl-images\/2023\/10\/11\/Microsoft-Defender_for_Endpoint.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[24,31,27],"class_list":["post-234139","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-cybersecurity","tag-exploit","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/234139"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=234139"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/234139\/revisions"}],"predecessor-version":[{"id":234141,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/234139\/revisions\/234141"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/234140"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=234139"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=234139"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=234139"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}