Full Report
A researcher known as "Chaotic Eclipse" has published a proof-of-concept exploit for a second Microsoft Defender zero-day, dubbed "RedSun," in the past two weeks, protesting how the company works with cybersecurity researchers. [...]
Analysis Summary
# Vulnerability: RedSun - Microsoft Defender Local Privilege Escalation
## CVE Details
- **CVE ID**: Not yet assigned (Currently a zero-day).
- **CVSS Score**: Estimated 7.8 (High) - based on typical LPE metrics.
- **CWE**: CWE-59 (Improper Link Resolution Before File Access) / CWE-367 (Time-of-check Time-of-use Race Condition).
## Affected Systems
- **Products**: Microsoft Defender and Windows Cloud Files API.
- **Versions**: Windows 10, Windows 11, and Windows Server 2019 and later (confirmed up to April 2026 patches).
- **Configurations**: Systems where Windows Defender is enabled and active.
## Vulnerability Description
RedSun is a Local Privilege Escalation (LPE) flaw that exploits a logic error in how Microsoft Defender handles malicious files tagged with "cloud tags." When Defender identifies a malicious file (such as one containing the EICAR test string) associated with the Cloud Files API, it attempts to rewrite the file to its original location.
The exploit uses a directory junction (a reparse point) to redirect that rewrite operation. The attacker takes an opportunistic lock (oplock) to win a race condition during the volume shadow copy process, so that Defender's write, performed with SYSTEM privileges, lands on a protected system binary, specifically `C:\Windows\system32\TieringEngineService.exe`, which is overwritten with an attacker-controlled executable. The Cloud Files infrastructure then executes this hijacked service as **SYSTEM**.
## Exploitation
- **Status**: PoC available; exploited in a public "protest" context.
- **Complexity**: Medium (requires winning a race condition and manipulating reparse points).
- **Attack Vector**: Local (requires initial access to the machine).
## Impact
- **Confidentiality**: High (Full access to all data on the system).
- **Integrity**: High (Ability to overwrite system files and modify OS behavior).
- **Availability**: High (Ability to delete or corrupt critical system components).
## Remediation
### Patches
- **No patch currently available.** The vulnerability was reported as active and functional on systems fully patched as of the April 2026 Patch Tuesday updates.
### Workarounds
- **Monitor System Directories**: Monitor for unauthorized changes to `TieringEngineService.exe` or suspicious creation of directory junctions by non-admin users.
- **EDR/AV Tuning**: While Defender is the vulnerable component, third-party EDR solutions may detect the "RedSun" exploit binary or the EICAR string embedded within it.
## Detection
- **Indicators of Compromise (IOCs)**:
  - Modifications to `C:\Windows\system32\TieringEngineService.exe`.
  - Presence of the EICAR test string in unusual or obfuscated local files.
  - Execution of `TieringEngineService.exe` performing unexpected network or administrative tasks.
- **Detection Methods**:
  - Audit for use of `fsutil` or similar tools creating reparse points in user-writable directories.
  - Monitor for File System Oplock events followed by privileged file writes.
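A defender-side sweep that implements the two checks above (integrity of `TieringEngineService.exe`, and reparse points in user-writable trees), added here as an example; it is not code from the page, the researcher's PoC, or Microsoft tooling. The root directories, the trusted-owner list, and the `*\Windows\*` target heuristic are assumptions chosen for this example.

```powershell
# Added example: detection sweep for the RedSun indicators on this page.
# Not from the page, the PoC, or Microsoft tooling. Assumes an elevated
# Windows PowerShell 5.1 or PowerShell 7 session; the roots, owner
# allow-list and target heuristic below are constructed assumptions.

$ProtectedBinary   = 'C:\Windows\System32\TieringEngineService.exe'
$UserWritableRoots = @('C:\Users', $env:ProgramData, 'C:\Windows\Temp')   # assumption
$TrustedOwners     = @('NT SERVICE\TrustedInstaller', 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')

# 1. Is the binary that Defender is tricked into overwriting still Microsoft-signed?
function Test-ProtectedBinary {
    param([string]$Path)
    $item   = Get-Item -Path $Path -ErrorAction Stop
    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    [pscustomobject]@{
        Path         = $Path
        SigStatus    = $sig.Status                     # expect 'Valid'
        Signer       = $signer                         # expect a Microsoft subject
        SHA256       = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
        LastWriteUtc = $item.LastWriteTimeUtc          # a recent write warrants a look
        Suspicious   = ($sig.Status -ne 'Valid') -or ($signer -notlike '*Microsoft*')
    }
}

# 2. Reparse points (junctions/symlinks) under user-writable trees, with owner
#    and target. A user-owned junction pointing under C:\Windows is the
#    redirection primitive described in the vulnerability description.
function Get-SuspiciousReparsePoints {
    param([string[]]$Roots)
    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Recurse -Depth 8 -Force -Attributes ReparsePoint -ErrorAction SilentlyContinue |
          ForEach-Object {
            $owner = 'unknown'
            try { $owner = (Get-Acl -Path $_.FullName -ErrorAction Stop).Owner } catch {}
            # PowerShell 7 exposes LinkTarget; Windows PowerShell 5.1 exposes Target (string[])
            $target = if ($_.PSObject.Properties['LinkTarget']) { $_.LinkTarget } else { @($_.Target) -join ';' }
            [pscustomobject]@{
                Path       = $_.FullName
                LinkType   = $_.LinkType
                Target     = $target
                Owner      = $owner
                CreatedUtc = $_.CreationTimeUtc
                Suspicious = ($TrustedOwners -notcontains $owner) -and ($target -like '*\Windows\*')
            }
        }
    }
}

Test-ProtectedBinary -Path $ProtectedBinary | Format-List
Get-SuspiciousReparsePoints -Roots $UserWritableRoots | Where-Object Suspicious | Format-Table -AutoSize
```

Pair the one-off sweep with a scheduled run or a file-integrity rule on the SHA256 it records, since a replaced `TieringEngineService.exe` is the durable artifact of a successful exploitation.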
## References
- **Researcher PoC**: hxxps[://]github[.]com/Nightmare-Eclipse/RedSun
- **Technical Writeup**: hxxps[://]nefariousplan[.]com/posts/redsun-windows-defender-system-write/
- **BleepingComputer Article**: hxxps[://]www[.]bleepingcomputer[.]com/news/microsoft/new-microsoft-defender-redsun-zero-day-poc-grants-system-privileges/
- **Analysis by Will Dormann**: hxxps[://]infosec[.]exchange/@wdormann/116412019416916182