Unpacking RedSun: The Unpatched Windows Defender Logic Flaw Allowing SYSTEM Privilege
The RedSun vulnerability represents an unpatched, critical logic flaw within Microsoft Windows Defender's file remediation path, allowing a standard, unprivileged user to escalate privileges to SYSTEM-level access on fully patched Windows 10, Windows 11, and Windows Server 2019 and later systems. This zero-day exploit bypasses User Account Control (UAC) and does not require kernel exploits or administrative interaction. The core of RedSun lies in Defender's handling of cloud-tagged malicious files, where it attempts to rewrite the detected file back to its original location without proper validation of reparse points, which attackers can weaponize to redirect privileged write operations into critical system directories like C:\Windows\System32.
Technical Deep Dive: The Cloud Tag and Reparse Point Abuse
At its essence, the RedSun exploit leverages a fundamental misunderstanding or oversight in how Windows Defender (specifically, the MpSvc.dll component of the Microsoft Malware Protection Engine, MsMpEng.exe) processes files identified as malicious and "cloud-tagged." When such a file is detected, Defender, operating with SYSTEM privileges, initiates a "restore" or "remediation" action that paradoxically involves rewriting the file to its original path. The vulnerability arises because Defender fails to validate whether the original path has been replaced with a symbolic link or a directory junction (reparse point) during this privileged write operation.
The attack chain for RedSun typically unfolds as follows:
- Initial File Placement: An attacker, with low-level user privileges, places an EICAR test file or a similar benign file that Windows Defender will detect as malicious and "cloud-tag." This file is often placed in a user-controlled, writable directory. The Windows Cloud Files API (cldapi.dll) can be instrumental in this initial stage, especially for triggering specific Defender behaviors.
- Opportunistic Lock (Oplock) Acquisition: The attacker then utilizes an opportunistic lock (oplock) to pause Defender's file restoration process mid-operation. Oplocks are a Windows file system feature that allows applications to request notification when other applications attempt to access a file, or to temporarily control file access. By acquiring an exclusive oplock, the attacker can force Defender to wait.
- Reparse Point Manipulation: During the window created by the oplock, the attacker quickly deletes the original target directory and replaces it with a directory junction or symbolic link. This reparse point is crafted to redirect the file write operation to a critical system directory, such as C:\Windows\System32.
- Privileged File Overwrite: When Defender's remediation process resumes, it attempts to write the "restored" file, now following the attacker-controlled reparse point, into C:\Windows\System32. Since MsMpEng.exe operates with SYSTEM privileges, this write operation succeeds, effectively overwriting a legitimate system binary (e.g., TieringEngineService.exe, a DLL, or another executable) with attacker-controlled content.
- SYSTEM Code Execution: Finally, the attacker triggers the execution of the overwritten system binary, achieving arbitrary code execution with full SYSTEM privileges.
This attack vector is particularly insidious because it subverts a security mechanism into an elevation of privilege primitive. Unlike vulnerabilities that rely on memory corruption or complex kernel exploits, RedSun exploits a logical flaw in an otherwise intended remediation workflow. The root cause has been identified as a missing reparse point validation within MpSvc.dll.
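The missing check described above, as an added example that is not code from the RedSun write-up or from Defender: a privileged restore routine that lstat()s every directory component of its destination without following links, refusing symlinks and (on Windows) any reparse point such as a junction. The scratch paths, the trusted_root argument and the restore_file/demo names are this example's own assumptions.

```python
import os
import stat
import tempfile

class ReparsePointInPath(Exception):
    """A component of the destination path is a symlink, junction or other reparse point."""

def _is_reparse_point(st: os.stat_result) -> bool:
    # POSIX symlinks, plus any Windows reparse point (junctions included).
    if stat.S_ISLNK(st.st_mode):
        return True
    attrs = getattr(st, "st_file_attributes", 0)  # Windows-only field
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_REPARSE_POINT", 0))

def check_no_reparse_points(path: str, trusted_root: str) -> None:
    """lstat() every component of path below trusted_root without following links.
    trusted_root is assumed to be a directory the caller has already vetted;
    the walk stops at the first component that does not exist yet."""
    root = os.path.abspath(trusted_root)
    rel = os.path.relpath(os.path.abspath(path), root)
    if rel == os.pardir or rel.startswith(os.pardir + os.sep):
        raise ValueError(f"{path} escapes {trusted_root}")
    current = root
    for part in rel.split(os.sep):
        if part in ("", os.curdir):
            continue
        current = os.path.join(current, part)
        try:
            st = os.lstat(current)
        except FileNotFoundError:
            return  # nothing further exists, so nothing can be followed
        if _is_reparse_point(st):
            raise ReparsePointInPath(current)

def restore_file(dest: str, data: bytes, trusted_root: str) -> bool:
    """Write remediated content back to dest only if its path holds no reparse point.
    Caveat: this alone is still check-then-use. A production fix must also keep
    the vetted parent directory open (FILE_OPEN_REPARSE_POINT on Windows) and
    write relative to that handle so the path cannot be swapped in between."""
    check_no_reparse_points(dest, trusted_root)
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(dest, flags, 0o600)
    try:
        os.write(fd, data)
    finally:
        os.close(fd)
    return True

def demo() -> dict:
    """Replay the RedSun race in a scratch directory (all paths are constructed)."""
    base = tempfile.mkdtemp()
    system32 = os.path.join(base, "System32")   # stand-in for C:\Windows\System32
    staging = os.path.join(base, "RedSunTemp")  # user-writable staging directory
    os.makedirs(system32)
    os.makedirs(staging)
    target = os.path.join(staging, "malicious.bin")
    first = restore_file(target, b"quarantined sample (placeholder bytes)", base)
    # The race window: staging directory deleted and replaced by a link to System32.
    os.remove(target)
    os.rmdir(staging)
    os.symlink(system32, staging, target_is_directory=True)
    blocked = False
    try:
        restore_file(target, b"attacker-controlled bytes", base)
    except ReparsePointInPath:
        blocked = True
    untouched = not os.path.exists(os.path.join(system32, "malicious.bin"))
    return {"first_restore": first, "blocked": blocked, "target_untouched": untouched}
```

Running demo() performs one legitimate restore, then swaps the staging directory for a link and shows the second restore refused with the stand-in System32 untouched.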
Prerequisites and Attack Surface
Exploiting RedSun requires only local, unprivileged access to the target system. No user interaction beyond the initial setup of the malicious file and reparse points is necessary. The vulnerability affects any Windows system running Windows Defender with the cldapi.dll component present, which encompasses Windows 10, Windows 11, and Windows Server 2019 and later. The exploit has been demonstrated to function with high reliability on fully patched systems, including those with the latest April 2026 updates applied.
The attack surface is broad, as Windows Defender is a ubiquitous component of modern Windows environments. Organizations relying solely on Defender's built-in protections without additional behavioral monitoring or zero-day exploit mitigation strategies are particularly exposed.
Comparative Analysis: RedSun vs. BlueHammer (CVE-2026-33825)
RedSun emerged publicly shortly after another significant Windows Defender local privilege escalation (LPE) flaw, dubbed "BlueHammer," which was assigned CVE-2026-33825. While both were disclosed by the same security researcher, "Chaotic Eclipse" (also known as Nightmare-Eclipse), they represent distinct vulnerabilities.
| Feature | RedSun | BlueHammer (CVE-2026-33825) |
|---|---|---|
| Vulnerability Type | Logic flaw in file remediation path (reparse point abuse) | Insufficient granularity of access control |
| Privilege Escalation | Local Privilege Escalation (LPE) to SYSTEM | Local Privilege Escalation (LPE) to SYSTEM |
| Patch Status (as of April 2026) | Unpatched | Patched (April 2026 Patch Tuesday) |
| Affected Components | MpSvc.dll (Malware Protection Engine) and cloud file handling | Microsoft Defender (general access control) |
| Exploit Reliability | Approximately 100% reliable | High, working PoC ("BlueHammer") existed prior to patch |
The distinction is crucial: BlueHammer was addressed in the April 2026 Patch Tuesday cycle, demonstrating Microsoft's response to that specific flaw. RedSun, however, remains an active, unpatched zero-day, highlighting a persistent architectural weakness within Defender's interaction with the file system.
Exploitation Methodology and Proof-of-Concept (Conceptual)
While the full proof-of-concept (PoC) code for RedSun has not been publicly released by the researcher, the methodology has been well-documented. A conceptual PoC would involve using Windows API calls for file and directory manipulation, coupled with oplock management. The general flow would resemble:
```text
# Conceptual steps for RedSun exploitation
# (This is illustrative and not runnable code)
# 1. Create a temporary directory in a user-writable location
mkdir C:\Users\Public\RedSunTemp
# 2. Place a file that Defender will cloud-tag as malicious
# (e.g., EICAR test string in a .txt file, renamed to .bin or similar)
echo X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H* > C:\Users\Public\RedSunTemp\malicious.bin
# 3. Monitor for Defender's initial scan and cloud-tagging.
# This might involve observing file locks or process activity.
# 4. Acquire an exclusive oplock on the "malicious.bin" file to pause Defender's remediation.
# This requires custom C++ or PowerShell scripts leveraging FileOpLock APIs.
# Example (pseudo-code):
# $fileHandle = CreateFile("C:\Users\Public\RedSunTemp\malicious.bin", ...)
# RequestOplock($fileHandle, OPLOCK_EXCLUSIVE)
# 5. While oplock holds, rapidly delete the original directory and create a junction.
# This is a race condition:
# rmdir /s /q C:\Users\Public\RedSunTemp
# mklink /J C:\Users\Public\RedSunTemp C:\Windows\System32
# 6. Release the oplock, allowing Defender to resume its write operation.
# ReleaseOplock($fileHandle)
# 7. Defender writes the "restored" malicious file into C:\Windows\System32 via the junction.
# The attacker needs to choose a suitable target file in System32.
# Common targets include binaries that are infrequently accessed but executed with SYSTEM privileges.
# 8. Trigger the execution of the overwritten binary to gain SYSTEM shell.
# e.g., if TieringEngineService.exe was overwritten:
# sc start TieringEngineService
# OR if a DLL was overwritten and loaded by a SYSTEM process.
```
The reliability of this attack stems from the deterministic nature of Defender's remediation process and the ability to control the timing with oplocks. Security researchers often leverage tools like Process Monitor to observe file system interactions and identify vulnerable execution paths, which can be critical for developing such exploits. Organizations can use platforms like Zondex for internet-wide scanning to identify exposed services that might serve as initial footholds for attackers before they pivot to local privilege escalation. For anonymous research and testing of similar vulnerabilities, routing traffic through secure proxies like GProxy can be beneficial to protect one's operational security.
Impact and Severity
The impact of RedSun is severe. Gaining SYSTEM privileges allows an attacker complete control over the compromised system, enabling them to:
- Install persistent backdoors and rootkits.
- Disable security software and logging.
- Access and exfiltrate sensitive data.
- Create new administrative accounts.
- Move laterally within a network.
The fact that this is an unpatched zero-day, actively exploited in the wild, elevates its criticality. Organizations should treat RedSun as an extreme threat, requiring immediate attention to detection and mitigation strategies. This closely mirrors the urgency required for issues like actively exploited SharePoint vulnerabilities or critical authentication bypasses such as CVE-2026-35616.
Detection and Mitigation Strategies (Pre-Patch)
Given the unpatched status of RedSun, traditional patch management is not an option. Defenders must focus on behavioral detection and proactive hardening:
- Endpoint Detection and Response (EDR) Monitoring: Implement robust EDR solutions to monitor for suspicious activities related to Windows Defender processes (MsMpEng.exe). Specifically, look for MsMpEng.exe performing unexpected write operations to protected system directories (e.g., C:\Windows\System32\) immediately following a malware detection event.
- File System Monitoring: Monitor for the creation of symbolic links (mklink /D or mklink /J) or NTFS mount points by unprivileged users, especially those targeting internal Defender staging paths like C:\ProgramData\Microsoft\Windows Defender\Scans\RT. Tools like Osquery can be configured to alert on such events.
- Tamper Protection: Ensure Windows Defender's Tamper Protection is enabled. While it may not fully prevent the reparse point abuse, it adds a layer of defense by preventing unauthorized changes to Defender's security features.
- Behavioral Analysis: Look for anomalous process creation, particularly any attempts by low-privileged processes to execute binaries within C:\Windows\System32 that have been recently modified or have unusual hashes.
- VSS Enumeration: Monitor for Volume Shadow Copy Service (VSS) enumeration from non-SYSTEM processes. Calls to NtQueryDirectoryObject targeting HarddiskVolumeShadowCopy* from user-space processes outside of legitimate system and backup tooling can be an indicator of compromise.
- Attack Surface Management (ASM): Proactively identify and reduce potential initial access vectors. An effective External Attack Surface Management (EASM) platform like Secably can continuously scan for vulnerabilities, misconfigurations, and exposed assets that attackers might leverage for an initial foothold before attempting local privilege escalation. Starting a free EASM scan can quickly highlight critical exposure points.
- Principle of Least Privilege: Reinforce the principle of least privilege across all user accounts. Even though RedSun bypasses UAC, reducing the number of processes running with elevated privileges generally reduces the overall risk surface.
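The first two detection items above, as an added example that is not part of the original article: correlation logic that flags MsMpEng.exe creating a file under a protected system directory shortly after a Defender detection, and a reparse point set by a non-SYSTEM account under the Defender staging path. The event records use a constructed, normalised schema (ts, source, event_id, image, user, target) such as a SIEM might derive from the Defender Operational log (event 1116, malware detected) and Sysmon FileCreate (event 11); the "FSMon" source and its reparse_point_set event are assumed placeholders for whatever file-system monitor (Osquery, EDR) reports link creation.

```python
from datetime import datetime, timedelta

PROTECTED_DIRS = ("C:\\Windows\\System32\\", "C:\\Windows\\SysWOW64\\")
DEFENDER_STAGING = "C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\RT\\"
CORRELATION_WINDOW = timedelta(seconds=60)
SYSTEM_ACCOUNT = "NT AUTHORITY\\SYSTEM"

def _under(path: str, prefix: str) -> bool:
    return path.lower().startswith(prefix.lower())

def detect_redsun(events: list) -> list:
    """Return (rule_name, event) pairs. Events are dicts with the constructed
    fields ts, source, event_id, image, user, target and must be sorted by ts."""
    alerts = []
    last_detection = None
    for ev in events:
        when = datetime.fromisoformat(ev["ts"])
        # Defender Operational event 1116 (malware detected) opens the window.
        if ev["source"] == "Defender" and ev["event_id"] == 1116:
            last_detection = when
            continue
        # Rule 1: MsMpEng.exe creating a file under a protected system directory
        # within the window after a detection (Sysmon event 11, FileCreate).
        if (ev["source"] == "Sysmon" and ev["event_id"] == 11
                and ev["image"].lower().endswith("\\msmpeng.exe")
                and any(_under(ev["target"], d) for d in PROTECTED_DIRS)
                and last_detection is not None
                and when - last_detection <= CORRELATION_WINDOW):
            alerts.append(("defender_write_protected_dir", ev))
        # Rule 2: a reparse point (symlink, junction or mount point) set by a
        # non-SYSTEM account under the Defender staging path.
        if (ev["source"] == "FSMon" and ev["event_id"] == "reparse_point_set"
                and ev["user"].upper() != SYSTEM_ACCOUNT
                and _under(ev["target"], DEFENDER_STAGING)):
            alerts.append(("user_reparse_point_in_staging", ev))
    return alerts

# Constructed sample telemetry: one RedSun-like sequence plus two benign events
# (a quarantine write by Defender and a servicing write by TrustedInstaller).
SAMPLE_EVENTS = [
    {"ts": "2026-04-15T10:00:00", "source": "Defender", "event_id": 1116,
     "image": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\MsMpEng.exe",
     "user": SYSTEM_ACCOUNT, "target": "C:\\Users\\Public\\RedSunTemp\\malicious.bin"},
    {"ts": "2026-04-15T10:00:01", "source": "FSMon", "event_id": "reparse_point_set",
     "image": "C:\\Users\\lowpriv\\tool.exe", "user": "DESKTOP-01\\lowpriv",
     "target": "C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\RT\\staging"},
    {"ts": "2026-04-15T10:00:02", "source": "Sysmon", "event_id": 11,
     "image": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\MsMpEng.exe",
     "user": SYSTEM_ACCOUNT,
     "target": "C:\\ProgramData\\Microsoft\\Windows Defender\\Quarantine\\Entries\\A1"},
    {"ts": "2026-04-15T10:00:03", "source": "Sysmon", "event_id": 11,
     "image": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\MsMpEng.exe",
     "user": SYSTEM_ACCOUNT, "target": "C:\\Windows\\System32\\TieringEngineService.exe"},
    {"ts": "2026-04-15T10:30:00", "source": "Sysmon", "event_id": 11,
     "image": "C:\\Windows\\servicing\\TrustedInstaller.exe", "user": SYSTEM_ACCOUNT,
     "target": "C:\\Windows\\System32\\drivers\\etc\\hosts"},
]
```

Against SAMPLE_EVENTS the function raises exactly two alerts, the low-privileged reparse point and the Defender write into System32, and stays silent on the quarantine and servicing writes.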
The RedSun vulnerability underscores the ongoing challenge of securing complex software like operating systems and their integrated security components. It highlights that even trusted, highly privileged processes can harbor logic flaws that lead to devastating outcomes. The vulnerability is a stark reminder that a holistic approach to cybersecurity, encompassing proactive vulnerability scanning, rigorous endpoint monitoring, and an understanding of advanced attack techniques, is paramount.