Researcher Publishes Second Microsoft Defender Zero-Day Exploit 'RedSun' in Protest
A security researcher known as "Chaotic Eclipse" has released a proof-of-concept exploit for a second **Microsoft Defender** zero-day vulnerability, dubbed "RedSun," only two weeks after the first. The exploit targets a local privilege escalation (LPE) flaw and grants SYSTEM privileges on fully patched Windows systems.

### RedSun: A New Defender Zero-Day
The exploit, dubbed "RedSun," affects **Windows 10**, **Windows 11**, and **Windows Server** systems, even with the latest April Patch Tuesday updates installed. It leverages a flaw in how **Windows Defender** handles files that carry a cloud tag: upon identifying such a file, Defender rewrites it back to its original location, regardless of whether the file is malicious.
"When Windows Defender realizes that a malicious file has a cloud tag, for whatever stupid and hilarious reason, the antivirus that's supposed to protect decides that it is a good idea to just rewrite the file it found again to its original location," [explains the researcher](https://github.com/Nightmare-Eclipse/RedSun).
The proof-of-concept (PoC) abuses this behavior to overwrite system files, ultimately leading to administrative privileges.
### Exploit Confirmed
Will Dormann, principal vulnerability analyst at Tharros, has verified the exploit's functionality. It successfully grants SYSTEM privileges on fully patched **Windows 10**, **Windows 11**, and **Windows Server 2019** and later systems.
"This exploit uses the 'Cloud Files API', writes EICAR to a file using it, uses an oplock to win a volume shadow copy race, and uses a directory junction/reparse point to redirect the file rewrite (with new contents) to C:\Windows\system32\TieringEngineService.exe," Dormann explained in a [thread on Mastodon](https://infosec.exchange/@wdormann/116412019416916182).
"At this point, the Cloud Files Infrastructure runs the attacker-planted TieringEngineService.exe (which is the RedSun.exe exploit itself) as SYSTEM. Game over."

*RedSun exploit granting SYSTEM privileges in a fully-patched Windows 11. Source: Dormann*
Some antivirus vendors on **VirusTotal** detect the exploit because the executable contains an embedded copy of the EICAR antivirus test file. However, the researcher reduced detections by encrypting the EICAR string within the executable.
A more detailed [technical writeup](https://nefariousplan.com/posts/redsun-windows-defender-system-write/) about this vulnerability was shared by security researcher Kevlar.
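The chain Dormann describes ends with an attacker-controlled binary sitting at the path of a Microsoft-signed system executable, placed there via a junction or reparse point. The script below is an added example for defenders, written for this article and not taken from the researcher's repository, Dormann's thread, or the linked writeup. It checks the Authenticode signature and last-write time of the targeted binary and enumerates reparse points under user-writable roots whose target resolves into the Windows directory. The root paths are placeholders, and the signer-subject match and the `Target` property on reparse-point items (present on PowerShell 5.1 and later) are assumptions about the environment it runs in.

```powershell
# Added example (not the article's or the researcher's code): post-hoc integrity
# and junction checks for the artifacts the RedSun chain leaves behind.
# Assumes an elevated PowerShell 5.1+ session on Windows 10/11/Server.

$Target = 'C:\Windows\System32\TieringEngineService.exe'

function Test-SystemBinaryIntegrity {
    # Verifies that a system binary still carries a valid Microsoft signature.
    # NotSigned, HashMismatch, or a non-Microsoft signer means the file on disk
    # is not the one Windows shipped and should be investigated.
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Status = 'Missing'; Signer = $null; Suspicious = $true }
    }
    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    # Assumption: Microsoft-shipped binaries are signed with a subject containing this O= value.
    $ok = ($sig.Status -eq 'Valid') -and ($signer -like '*O=Microsoft Corporation*')
    [pscustomobject]@{
        Path       = $Path
        Status     = $sig.Status
        Signer     = $signer
        LastWrite  = (Get-Item -LiteralPath $Path).LastWriteTimeUtc
        Suspicious = -not $ok
    }
}

function Find-SuspiciousReparsePoints {
    # Enumerates junctions/symlinks under user-writable roots and flags those whose
    # target points into the Windows directory, the redirection pattern described above.
    # User profiles legitimately contain legacy compatibility junctions, so only the
    # ones aimed at $env:SystemRoot are reported.
    param([Parameter(Mandatory)][string[]]$Roots)
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Attributes -band [IO.FileAttributes]::ReparsePoint } |
            ForEach-Object {
                # Assumption: Target is the ETS property PowerShell adds to link items.
                $linkTarget = @($_.Target) -join ';'
                if ($linkTarget -like "*$env:SystemRoot*") {
                    [pscustomobject]@{
                        Path    = $_.FullName
                        Target  = $linkTarget
                        Created = $_.CreationTimeUtc
                    }
                }
            }
    }
}

# Usage: placeholder roots; replace with the profiles or sync roots you monitor.
$roots = @($env:USERPROFILE, 'C:\Users\Public')
Test-SystemBinaryIntegrity -Path $Target | Format-List
Find-SuspiciousReparsePoints -Roots $roots | Format-Table -AutoSize
```

A `Suspicious = True` result on the binary, or any junction from a user-writable location into `C:\Windows`, is a starting point for a forensic look, not proof of compromise on its own. Correlate the binary's `LastWrite` time with Defender detection events for the same period before acting on it.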
### Echoes of BlueHammer
This release follows the researcher's previous publication of an exploit for another **Microsoft Defender** LPE zero-day, dubbed "BlueHammer," now tracked as **CVE-2026-33825**. **Microsoft** addressed this flaw in the recent Patch Tuesday updates.
### Researcher's Protest
The researcher states that the release of these zero-day PoCs is a form of protest against **Microsoft**'s handling of cybersecurity researchers and vulnerability disclosures to the **Microsoft Security Response Center (MSRC)**.
"Normally, I would go through the process of begging them to fix a bug, but to summarize, I was told personally by them that they will ruin my life and they did, and I'm not sure if I was the only one who had this horrid experience or a few people did, but I think most would just eat it and cut their losses, but for me, they took away everything," [alleged the researcher](https://deadeclipse666.blogspot.com/2026/04/public-disclosure-response-for-cve-2026.html).
### Microsoft's Response
When contacted about these alleged issues, **Microsoft** provided the following statement:
"Microsoft has a customer commitment to investigate reported security issues and update impacted devices to protect customers as soon as possible," a **Microsoft** spokesperson told BleepingComputer.
"We also support coordinated vulnerability disclosure, a widely adopted industry practice that helps ensure issues are carefully investigated and addressed before public disclosure, supporting both customer protection and the security research community."