Security & Infrastructure Tools
New Microsoft Defender "RedSun" zero-day PoC grants SYSTEM privileges
Security researcher Chaotic Eclipse has released a proof-of-concept for RedSun, a new Microsoft Defender zero-day that can grant SYSTEM privileges on Windows 10, Windows 11, and Windows Server 2019 and later, even on fully patched systems with Defender enabled. The PoC abuses Defender's Cloud Files API to overwrite a protected system file by embedding an EICAR string, using an oplock to beat a volume shadow copy race, and employing a directory junction/reparse point to redirect the rewrite to C:\Windows\System32\TieringEngineService.exe, causing the attacker-controlled TieringEngineService.exe to run as SYSTEM. Analyst Will Dormann has confirmed the exploit works on patched machines. This follows the earlier BlueHammer LPE (CVE-2026-33825) fixed in April. The researcher says the publications are a protest at Microsoft's vulnerability-disclosure process to MSRC; Microsoft emphasizes its commitment to coordinated disclosure and customer protection.

Overview
- A security researcher known by the alias Chaotic Eclipse published a proof-of-concept for a new zero-day in Microsoft Defender, dubbed RedSun.
- The PoC targets a local privilege escalation (LPE) flaw that grants SYSTEM privileges on Windows 10, Windows 11, and Windows Server when Defender is active, including systems carrying the latest Patch Tuesday updates.
- The exploitation centers on Defender's handling of files that carry a cloud tag and involves overwriting a system file so that attacker-controlled code runs at the highest privilege level.
Context and Timeline
- RedSun is the second Microsoft Defender zero-day disclosed by Chaotic Eclipse within a short span, highlighting ongoing tensions between researchers and the Defender development/response process.
- A prior PoC from the same researcher, BlueHammer (tracked as CVE-2026-33825), was addressed by Microsoft as part of the monthly security updates.
- The researcher asserts the motivation behind releasing these PoCs is to protest how vulnerability disclosures are handled by Microsoft and the Microsoft Security Response Center (MSRC).
Technical Breakdown: How RedSun Works
- Local privilege escalation path: The exploit abuses Defender's cloud-based file handling to overwrite a protected system binary.
- Core components involved:
  - Cloud Files API: Used to write a malicious payload into a location Defender trusts for execution.
  - EICAR string: The PoC embeds the EICAR antivirus test string inside the executable; in the released binary the string is encrypted, which defeats some signature-based detections.
  - Opportunistic locking (oplock) and volume shadow copy race: File-locking semantics are used to win a race condition, letting the attacker replace the file's contents during a snapshot operation.
  - Directory junction/reparse point: Redirects the write operation to a critical system path, enabling replacement of a legitimate service executable.
  - Targeted file: C:\Windows\System32\TieringEngineService.exe is replaced with the attack payload and then executed.
- Outcome: The Cloud Files infrastructure ends up launching the attacker-placed TieringEngineService.exe with SYSTEM privileges, fully compromising the host.
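Added here as a defender-side integrity check (example code, not from the article or the researcher's PoC): the script verifies that the service binary RedSun is reported to replace still carries a valid Microsoft Authenticode signature, that no directory on its path has become a junction or other reparse point, that the file was not written recently, and that the registered service still points at the expected image. The path and service name are the ones the article names; running as Administrator and the 24-hour "recently modified" window are assumptions chosen for illustration.

```powershell
# Added example, not code from the article or the researcher's PoC.
# Assumptions: run as Administrator on Windows; the service name and path are the
# ones the article names; the 24-hour "recently modified" window is illustrative.
$target = 'C:\Windows\System32\TieringEngineService.exe'
if (-not (Test-Path -LiteralPath $target)) { throw "Target binary not found: $target" }
$findings = @()

# 1. The on-disk binary should still carry a valid Microsoft Authenticode signature.
$sig = Get-AuthenticodeSignature -FilePath $target
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
    $findings += "Signature check failed: status=$($sig.Status), signer=$($sig.SignerCertificate.Subject)"
}

# 2. No directory on the path should be a junction or other reparse point
#    (the PoC redirects its rewrite into System32 through a reparse point).
$dir = Split-Path -Parent $target
while ($dir) {
    $item = Get-Item -LiteralPath $dir -Force
    if ($item.Attributes.HasFlag([IO.FileAttributes]::ReparsePoint)) {
        $findings += "Reparse point on path component: $dir (type: $($item.LinkType))"
    }
    $dir = Split-Path -Parent $dir
}

# 3. A System32 binary should only change during servicing; a fresh write time is suspicious.
$file = Get-Item -LiteralPath $target
if ($file.LastWriteTime -gt (Get-Date).AddDays(-1)) {
    $findings += "Binary written in the last 24h: $($file.LastWriteTime)"
}

# 4. The registered service (if present on this SKU) should still point at the expected path.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='TieringEngineService'"
if ($svc -and $svc.PathName -notmatch [regex]::Escape($target)) {
    $findings += "Service image path differs: $($svc.PathName)"
}

# 5. Record the SHA-256 so it can be compared against a known-good baseline.
$hash = (Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash

if ($findings.Count -eq 0) {
    Write-Output "OK: $target sha256=$hash"
} else {
    Write-Output "ALERT: $target sha256=$hash"
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

Any ALERT line is a reason to pull the binary and the surrounding file-system events for investigation; the recorded hash lets the result be compared with a baseline taken before the patch cycle.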
Affected Platforms and Scope
- Fully patched systems: The attack is demonstrated on Windows 10, Windows 11, and Windows Server 2019 and later, provided Defender is enabled and the attacker already has local code execution (it is a local privilege escalation, not a remote attack).
- The technique does not depend on a missing OS patch; it exploits Defender's internal file handling and its interaction with system services during write operations.
Detection and Evasion
- Detection chatter: Some antivirus engines on VirusTotal flagged the exploit because of the embedded EICAR string; others did not, because the EICAR payload is encrypted inside the executable.
- Evasion methods: Encrypting the EICAR string within the binary reduces signature-based detections, complicating rapid identification of the exploit by automated systems.
Related Research: BlueHammer Context
- Chaotic Eclipse previously released BlueHammer, another Defender-related LPE PoC, which is now tracked as CVE-2026-33825 and was fixed in the same month's updates.
- The existence of multiple Defender zero-days underscores a pattern of vulnerabilities centered on Defender's internal processes and cloud integration, prompting ongoing scrutiny of disclosure and patch cycles.
Disclosure, Reactions, and Official Stance
- The researcher framed the disclosures as a protest against Microsoft's handling of vulnerability reports and MSRC coordination.
- Official responses from Microsoft emphasize a customer-focused commitment to investigating security issues and deploying updates promptly, while also endorsing coordinated vulnerability disclosure as a standard industry practice.
- The public dialogue around these PoCs illustrates the broader debate between researchers seeking rapid visibility and vendors balancing disclosure with risk containment.
Implications and Observations
- Privilege escalation risk: RedSun demonstrates how Defender's own ecosystem, even when widely deployed, can become a vector for escalating privileges when its file-handling routines intersect with privileged execution paths.
- Defense-in-depth considerations: Reliance on a single security technology is insufficient; layered controls, integrity monitoring, and robust patch management remain essential to reducing exposure to such LPE techniques.
- Vendor-research dynamics: The tension highlighted by public PoCs and disclosure timelines points to a persistent gap between discovery, verification, and remediation workflows in large software ecosystems.
Visual and Reference Notes (Conceptual)
- The exploit is described as a sequence in which a controlled file is rewritten into a protected location via a cloud-based workflow, and the rewritten file is then executed by a service process at SYSTEM level.
- Illustrative diagrams in security write-ups typically map the flow from Cloud Files API usage, through oplocks and shadow copy operations, to the final service execution in System32.
Takeaways
- The existence of RedSun reinforces the importance of scrutinizing Defender's internal file-handling routines and cloud integration, especially during the patch cycle, when Defender's behavior is being actively exercised by security tooling.
- Patch cadence and disclosure processes remain central to mitigating risk, with coordinated vulnerability disclosure serving as a critical mechanism for balancing customer protection and research advancement.
- Related zero-days suggest an evolving landscape in which attackers leverage legitimate defense workflows to elevate privileges, reminding defenders to monitor for anomalous file rewrites and privilege changes within security-software ecosystems.