New Microsoft Defender “RedSun” zero-day PoC grants SYSTEM privileges


A researcher known as “Chaotic Eclipse” has published a proof-of-concept exploit for a second Microsoft Defender zero-day, dubbed “RedSun,” in the past two weeks, in protest at how the company works with cybersecurity researchers.

This exploit targets a local privilege escalation (LPE) flaw that grants SYSTEM privileges on Windows 10, Windows 11, and Windows Server with the latest April Patch Tuesday updates installed, when Windows Defender is enabled.

“When Windows Defender realizes that a malicious file has a cloud tag, for whatever stupid and hilarious reason, the antivirus that is supposed to protect decides that it is a good idea to just rewrite the file it found again to its original location,” explains the researcher.


“The PoC abuses this behaviour to overwrite system files and gain administrative privileges.”

Will Dormann, principal vulnerability analyst at Tharros, has confirmed to BleepingComputer that the exploit for the new Microsoft Defender RedSun zero-day works and grants SYSTEM privileges on fully patched Windows 10, Windows 11, and Windows Server 2019 and later.

“This Exploit uses the ‘Cloud Files API’, writes EICAR to a file using it, uses an oplock to win a volume shadow copy race, and uses a directory junction/reparse point to redirect the file rewrite (with new contents) to C:\Windows\system32\TieringEngineService.exe,” Dormann wrote in a thread on Mastodon.

“At this point, the Cloud Files Infrastructure runs the attacker-planted TieringEngineService.exe (which is the RedSun.exe exploit itself) as SYSTEM. Game over.”

[Figure: RedSun exploit granting SYSTEM privileges on a fully patched Windows 11]
Source: Dormann
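As an added defensive check (not code from the article, Dormann, or the researcher's PoC), the PowerShell below inspects the binary Dormann names: it confirms the file carries a valid Microsoft Authenticode signature and that neither the file nor any parent directory is a junction or reparse point, since the described chain relies on such a redirect to plant a replacement. The function name and output fields are this example's own; it assumes an elevated PowerShell session on Windows 10/11 or Windows Server 2019 and later.

```powershell
# Added integrity check for the system binary named in the RedSun description.
# Not part of the article or the PoC; function name and fields are this example's own.
$target = Join-Path $env:SystemRoot 'System32\TieringEngineService.exe'

function Test-SystemBinaryIntegrity {
    param([Parameter(Mandatory)][string]$Path)

    $result = [ordered]@{ Path = $Path; Exists = (Test-Path -LiteralPath $Path) }
    if (-not $result.Exists) { return [pscustomobject]$result }

    # 1. Authenticode: a genuine Windows binary carries a valid Microsoft
    #    signature (embedded or catalog-based; Get-AuthenticodeSignature checks both).
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result.SignatureStatus  = $sig.Status
    $result.Signer           = $sig.SignerCertificate.Subject
    $result.SignedByMicrosoft = ($sig.Status -eq 'Valid') -and
                                ($sig.SignerCertificate.Subject -like '*Microsoft*')

    # 2. Reparse points: the chain redirects a file rewrite through a directory
    #    junction/reparse point, so flag that attribute on the file or any ancestor.
    $item = Get-Item -LiteralPath $Path -Force
    $reparseFlag = [IO.FileAttributes]::ReparsePoint
    $result.IsReparsePoint = ([int]($item.Attributes -band $reparseFlag)) -ne 0

    $reparseParents = @()
    $parent = $item.Directory
    while ($parent) {
        if (([int]($parent.Attributes -band $reparseFlag)) -ne 0) {
            $reparseParents += $parent.FullName
        }
        $parent = $parent.Parent
    }
    $result.ReparseParents = $reparseParents

    # 3. A system binary modified outside of Windows servicing deserves a look.
    $result.LastWriteTimeUtc = $item.LastWriteTimeUtc

    $result.Suspicious = (-not $result.SignedByMicrosoft) -or
                         $result.IsReparsePoint -or
                         ($reparseParents.Count -gt 0)
    [pscustomobject]$result
}

Test-SystemBinaryIntegrity -Path $target | Format-List
```

Any result with Suspicious set to True, or a LastWriteTimeUtc that does not line up with a servicing event, is worth correlating with Defender and file-system logs on that host.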

Dormann says that some antivirus vendors on VirusTotal are detecting the exploit [VirusTotal] because the exploit executable contains an embedded EICAR (antivirus test file) string. However, he reduced detections [VirusTotal] by encrypting the EICAR string within the executable.

A more detailed technical writeup about this vulnerability was shared by security researcher Kevlar.

Last week, this researcher, known as “Chaotic Eclipse,” released an exploit for a different Microsoft Defender LPE zero-day, dubbed “BlueHammer,” which is now tracked as CVE-2026-33825. Microsoft fixed the flaw as part of this month’s Patch Tuesday security updates.

The researcher says they published both zero-day PoCs in protest at how Microsoft works with cybersecurity researchers who disclose vulnerabilities to the Microsoft Security Response Center (MSRC).

“Normally, I would go through the process of begging them to fix a bug but to summarize, I was told personally by them that they will ruin my life and they did and I am not sure if I was the only one who had this horrid experience or a few people did but I think most would just eat it and cut their losses but for me, they took away everything,” alleged the researcher.

“They mopped the floor with me and pulled every childish game they could. It was so bad at one point I was wondering if I was dealing with a huge corporation or someone who is just having fun seeing me suffer but it seems to be a collective decision.”

BleepingComputer contacted the researcher for more details on their interactions with the MSRC.

When contacted by BleepingComputer about these alleged issues, Microsoft shared the following statement.

“Microsoft has a customer commitment to investigate reported security issues and update impacted devices to protect customers as soon as possible,” a Microsoft spokesperson told BleepingComputer.

“We also support coordinated vulnerability disclosure, a widely adopted industry practice that helps ensure issues are carefully investigated and addressed before public disclosure, supporting both customer protection and the security research community.”
