RedSun Exploit Enables SYSTEM Privileges via Windows Defender Flaw
Severity: High (Score: 69.0)
Sources: Cloudsek, Csoonline
Summary
A newly disclosed exploit, named RedSun, allows standard users to escalate privileges to SYSTEM level on Windows systems running Microsoft Defender. This vulnerability arises from a logic flaw in Defender's file remediation process, where it rewrites flagged cloud-tagged files without validating the target path. Attackers can exploit this by manipulating the timing of the file restoration to redirect the write operation to C:\Windows\System32, effectively replacing legitimate files with malicious payloads. The exploit has been confirmed to work on Windows 10 and Windows 11 systems with cloud features enabled.

The researcher Chaotic Eclipse publicly released a proof-of-concept (PoC) for this exploit, which has been verified by others in the security community. This vulnerability follows closely on the heels of another privilege escalation issue that Microsoft patched just days prior. The flaw is tracked under CVE-2026-33825, which was also recently disclosed. Microsoft Defender is installed by default on modern Windows systems, increasing the potential impact of this exploit.

Key Points:
- RedSun exploit allows SYSTEM-level access via a flaw in Windows Defender's remediation process.
- The vulnerability affects Windows 10 and 11 systems with cloud features enabled.
- This exploit follows another privilege escalation vulnerability patched by Microsoft just days earlier.
Key Entities
- Zero-day Exploit (attack_type)
- CVE-2026-33825 (cve)
- CWE-22 - Path Traversal (cwe)
- T1068 - Exploitation for Privilege Escalation (mitre_attack)
- Windows (platform)
- Windows Defender (platform)
- Storage Tiers Management Engine COM Server (tool)
- TieringEngineService.exe (tool)
- BlueHammer (vulnerability)
- RedSun (vulnerability)