RSS
← All articles
vulnerability
2026-04-16

Second Microsoft Defender zero-day PoC released - 'RedSun' grants SYSTEM privileges on fully-patched Windows including this week's April patches

Just days after Microsoft patched BlueHammer (CVE-2026-33825) in Tuesday's Patch Tuesday, the same researcher 'Chaotic Eclipse' (aka Nightmare-Eclipse) has released a second Microsoft Defender local privilege escalation zero-day called RedSun. The exploit works on fully-patched Windows 10, Windows 11, and Windows Server systems with Windows Defender enabled, even after installing this week's April updates. The flaw abuses Defender's cloud file rollback behavior: when Defender detects a file with a 'cloud tag' it tries to restore it to its original location without validating the target path. The exploit uses NTFS junctions and opportunistic locks to redirect the write to C:\Windows\System32, overwriting system files like TieringEngineService.exe to gain SYSTEM privileges. Huntress Labs is reporting all three recently-leaked Windows Defender zero-days (BlueHammer, RedSun, and UnDefend) are now being exploited in the wild. The researcher has threatened to drop more severe RCE exploits in protest of how Microsoft handled their disclosure process. No patch available for RedSun yet. Working PoC code is public on GitHub.

microsoft-defenderzero-daywindowsprivilege-escalationchaotic-eclipseredsunactively-exploitedunpatched
Check
Assume unprivileged-to-SYSTEM escalation is available to any attacker on your Windows endpoints until Microsoft patches RedSun. Defense-in-depth measures matter more than usual.
Affected
Windows 10, Windows 11, and Windows Server 2019 and later systems with Windows Defender enabled. The exploit works on fully-patched systems including the April 2026 Patch Tuesday updates. Any attacker with local unprivileged access (via phishing, drive-by download, or stolen credentials) can escalate to SYSTEM.
Fix
No patch available yet. Immediate mitigations: (1) Block execution of untrusted binaries from user-writable directories via AppLocker or Windows Defender Application Control - this prevents the initial foothold required for RedSun. (2) Monitor EDR for unexpected file writes to System32 and NTFS junction creation. (3) Apply the April Patch Tuesday updates anyway to close BlueHammer (CVE-2026-33825) and other critical flaws - RedSun is a separate issue. (4) Watch for Microsoft's out-of-band update or May Patch Tuesday fix.
Related Articles
vulnerabilityUnpatched Windows BitLocker bypass and SYSTEM elevation PoCs dropped on GitHub by a disgruntled researcher - YellowKey and GreenPlasma hit Windows 11 and Server 2022/2025
vulnerabilityMicrosoft's May 2026 Patch Tuesday fixes 120 flaws and no zero-days for the first time since June 2024 - but a Word preview-pane bug and DNS Client RCE stand out as the priorities
vulnerabilityGoogle says hackers used AI to build first known zero-day for 2FA bypass in unnamed web admin tool