PROBABLYPWNED
Vulnerabilities | April 17, 2026 | 4 min read

RedSun: Second Windows Defender Zero-Day Drops in Two Weeks

Frustrated researcher 'Chaotic Eclipse' releases RedSun, another Windows Defender privilege escalation exploit granting SYSTEM access. Microsoft has not yet patched this second zero-day.

Marcus Chen

The security researcher who leaked the BlueHammer exploit two weeks ago has published another Windows Defender zero-day. RedSun enables local privilege escalation to SYSTEM on fully patched Windows 10, Windows 11, and Windows Server systems—and unlike BlueHammer, no patch exists yet.

The researcher, operating as "Chaotic Eclipse," released the working proof-of-concept on GitHub following what they describe as mistreatment by Microsoft's Security Response Center.

How RedSun Works

Security analyst Will Dormann provided technical context on the exploit mechanics. RedSun abuses how Windows Defender handles files that carry cloud attributes, the placeholder state that the Cloud Files API (the mechanism behind OneDrive's on-demand files) gives a file.

"When Windows Defender realizes that a malicious file has a cloud tag, for whatever stupid and hilarious reason, the antivirus that's supposed to protect decides that it is a good idea to just rewrite the file it found again to its original location," the researcher explained in their disclosure.

The attack chain combines three primitives:

  1. Cloud Files API abuse - The exploit creates a cloud placeholder file through the Cloud Files API and writes the EICAR test string (a harmless string every antivirus engine detects as malware) into it, so Defender flags the file
  2. Oplock race condition - An opportunistic lock (oplock) on the file lets the exploit stall Defender and win a race against volume shadow copy operations
  3. Directory junction redirect - Before Defender writes the file back to its "original location", the exploit replaces that location with a directory junction, so the rewrite lands on C:\Windows\System32\TieringEngineService.exe, a service executable that runs as SYSTEM

Because the Defender engine itself runs as SYSTEM, its write succeeds where an unprivileged user's would be refused by the DACL on System32. The attacker-controlled content then executes as SYSTEM the next time the service binary runs, giving SYSTEM-level code execution from an unprivileged account.

Relationship to BlueHammer

RedSun represents a distinct vulnerability from BlueHammer, though both exploit Windows Defender's file handling. BlueHammer used a time-of-check to time-of-use (TOCTOU) race condition in Defender's threat remediation logic. Microsoft patched BlueHammer in the April 2026 Patch Tuesday update as CVE-2026-33825.

RedSun exploits different Defender behavior—specifically how the antivirus handles cloud-tagged files. The two vulnerabilities demonstrate that Windows Defender's file operations contain multiple exploitable race conditions.

Both exploits share a common impact: privilege escalation from standard user to SYSTEM, giving attackers complete control over affected machines.

Researcher Frustration with MSRC

Chaotic Eclipse released both exploits publicly without coordinating patches with Microsoft. Their statements suggest significant frustration with the disclosure process.

"They will ruin my life and they did," the researcher stated, describing their interactions with Microsoft's Security Response Center.

Microsoft responded to the disclosures by emphasizing their commitment to "coordinated vulnerability disclosure" and stated they support "both customer protection and the security research community."

The controversy highlights ongoing tensions in vulnerability disclosure. Researchers sometimes feel that vendors downplay severity, delay patches, or fail to communicate adequately. Vendors argue that public exploit releases before patches endanger users. Both perspectives have merit, though the practical result here is that Windows systems face two weeks of active zero-day exposure.

Impact Assessment

RedSun requires local access to exploit—attackers need an initial foothold before using it for privilege escalation. This limits drive-by exploitation but makes the vulnerability extremely valuable for:

  • Post-exploitation scenarios - Attackers who establish access through phishing or other means gain reliable SYSTEM access
  • Malware authors - Infostealers and ransomware can incorporate the technique for consistent privilege escalation
  • Insider threats - Employees or contractors with limited access can elevate to administrative control

The combination of public exploit code and no available patch creates a window of opportunity that sophisticated attackers will exploit. Organizations should assume active exploitation attempts are underway.

Why This Matters

Two Windows Defender zero-days in two weeks point to systemic issues in the antivirus's file handling logic. Defender is enabled by default on hundreds of millions of Windows installations, making any privilege escalation vulnerability in it high-impact.

The irony of an antivirus product enabling privilege escalation isn't lost on defenders. Security software operates with elevated privileges precisely to protect systems—when that software becomes the attack vector, the fundamental security model breaks down.

Recommendations

Until Microsoft releases a patch, organizations have limited defensive options:

  1. Monitor privilege escalation attempts - Enable process creation auditing (Security event 4688 with command-line logging, or Sysmon event 1) and alert on SYSTEM-level processes with unexpected parents, in particular anything spawned by TieringEngineService.exe
  2. Audit TieringEngineService.exe - Baseline the file's SHA-256 hash and confirm its Authenticode signature is valid; a Defender-rewritten copy will fail the signature check. Put a SACL on the file so any write or delete attempt is logged
  3. Limit local access - Reduce the number of users and processes that could leverage the exploit; the chain needs nothing more than an interactive or remote session as a standard user
  4. Enable audit logging - Turn on object access auditing for the file system (Security event 4663) and review writes into C:\Windows\System32\ by any principal, including SYSTEM, since the write the chain relies on comes from Defender itself rather than from the attacker's own process
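As an added example for items 1, 2 and 4 above (this is not code from the article, the researcher, or Microsoft): a PowerShell script, run from an elevated prompt, that baselines the target binary, places an audit SACL on it, and hunts the Security log for writes to it and for processes it spawned. The target path is the one named in the article; event IDs 4663 and 4688 and the "File System" audit subcategory are standard Windows values. The expectation that a post-exploitation shell would appear as a child of TieringEngineService.exe is an assumption about how an attacker would use the overwritten binary, not something the article states.

```powershell
# Added example, not part of the article or the researcher's release.
# Run from an elevated PowerShell prompt: reading or writing a SACL requires
# SeSecurityPrivilege. The path is from the article; everything else is assumed.

$Target = 'C:\Windows\System32\TieringEngineService.exe'

# 1. Baseline. The shipped binary carries a Microsoft Authenticode signature; a copy
#    that Defender has rewritten with attacker-controlled content will not.
function Test-TargetIntegrity {
    param([string]$Path = $Target)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path      = $Path
        SigStatus = $sig.Status                    # expect 'Valid'
        Signer    = $sig.SignerCertificate.Subject # expect a Microsoft subject
        Sha256    = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
        LastWrite = (Get-Item -LiteralPath $Path).LastWriteTimeUtc
    }
}

# 2. Audit. Enable object-access auditing for the file system and add a SACL entry
#    to the target so every write, delete, or ownership change by any principal
#    logs Security event 4663. Only the SACL is changed; DACL and owner stay as shipped.
function Enable-TargetAudit {
    param([string]$Path = $Target)
    auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable | Out-Null
    $acl    = Get-Acl -LiteralPath $Path -Audit
    $rights = [System.Security.AccessControl.FileSystemRights]'Write, Delete, TakeOwnership, ChangePermissions'
    $flags  = [System.Security.AccessControl.AuditFlags]'Success, Failure'
    $rule   = New-Object System.Security.AccessControl.FileSystemAuditRule('Everyone', $rights, $flags)
    $acl.AddAuditRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# Parse the EventData of a Security event into a hashtable keyed by field name.
function ConvertFrom-EventData {
    param($Event)
    $data = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $data
}

# 3. Hunt. Pull 4663 events whose object is the target and show who wrote it.
#    If the chain in the article holds, the write comes from Defender's engine
#    process (MsMpEng.exe) running as SYSTEM, so filter on the object, not the subject.
function Get-TargetWriteEvents {
    param([string]$Path = $Target, [int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $data = ConvertFrom-EventData $_
        if ($data.ObjectName -eq $Path) {
            [pscustomobject]@{
                Time       = $_.TimeCreated
                Subject    = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName
                Process    = $data.ProcessName
                AccessMask = $data.AccessMask
            }
        }
    }
}

# 4. Process lineage (assumed post-exploitation pattern). A process started by the
#    replaced service binary is worth a look. Needs "Audit Process Creation" (4688);
#    CommandLine is only populated if command-line logging is enabled.
function Get-TargetChildProcesses {
    param([string]$Parent = $Target, [int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $data = ConvertFrom-EventData $_
        if ($data.ParentProcessName -eq $Parent) {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Child   = $data.NewProcessName
                CmdLine = $data.CommandLine
                User    = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName
            }
        }
    }
}

Test-TargetIntegrity | Format-List
```

Run Test-TargetIntegrity once now to record the hash and signature status, call Enable-TargetAudit once per host, and schedule the two Get-* functions. A 4663 write to the target with ProcessName pointing at Defender's engine, followed by a SigStatus other than Valid, is the pattern the article's description implies; a 4663 write from any other process is a different problem but still one to investigate.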

Security teams should treat this as an active threat and communicate the risk to leadership. The ongoing vulnerability disclosure controversy around these exploits shouldn't distract from the practical reality: working exploit code exists, patches don't, and attackers are watching.
