A proof-of-concept exploit for a new Microsoft Defender local privilege escalation flaw dubbed RedSun was published by researcher Chaotic Eclipse, with reports saying it works on fully patched Windows 10, Windows 11, and Windows Server 2019 and later when Defender is enabled. The zero-day allows an unprivileged local user to gain SYSTEM privileges by abusing Defender’s handling of files tagged by cloud detection, and Microsoft had not released a patch at the time of reporting.
Independent researcher Will Dormann reportedly validated the exploit chain, which uses the Windows Cloud Files API, opportunistic locks, and NTFS junctions/reparse points to redirect Defender into overwriting a protected binary under C:\Windows\System32 and then executing it as SYSTEM. The disclosure followed an earlier Defender privilege-escalation exploit, BlueHammer, which Microsoft patched as CVE-2026-33825, while defenders were urged to watch for anomalous Defender file writes, cldapi.dll activity, and oplock-assisted redirection behavior pending a vendor fix.

8 events from the most recent confirmed update back to the earliest known activity.
CISA added Microsoft Defender privilege-escalation flaw CVE-2026-33825 to its Known Exploited Vulnerabilities catalog following reports of active exploitation. Under Binding Operational Directive 22-01, federal agencies were ordered to remediate the flaw by 2026-05-06.
Following public disclosure of RedSun, Microsoft had not yet released a patch and responded by reaffirming its commitment to coordinated vulnerability disclosure and customer protection. The researcher said the RedSun and BlueHammer disclosures were made in protest over alleged mistreatment by Microsoft's Security Response Center.
Researcher Will Dormann independently confirmed RedSun could be exploited reliably on fully patched systems. He described the attack chain as abusing the Cloud Files API, oplock timing, and NTFS junctions or reparse points to overwrite and execute a protected system binary as SYSTEM.
A researcher using the names Chaotic Eclipse and Nightmare Eclipse published a proof-of-concept exploit for a second new Microsoft Defender zero-day called UnDefend. The exploit was disclosed alongside RedSun after the earlier BlueHammer release, expanding the set of publicly available Defender privilege-escalation techniques.
Chaotic Eclipse published a proof-of-concept exploit for a new Microsoft Defender local privilege escalation zero-day called RedSun. The exploit reportedly works on fully patched Windows 10, Windows 11, and Windows Server systems with Defender enabled, allowing escalation to SYSTEM.
Microsoft fixed the previously disclosed BlueHammer Microsoft Defender privilege escalation flaw during April 2026 Patch Tuesday and tracked it as CVE-2026-33825.
Huntress Labs reported that threat actors were actively exploiting the recently disclosed BlueHammer, RedSun, and UnDefend Windows zero-days in attacks. The report said BlueHammer exploitation had been seen since April 10, while RedSun and UnDefend were observed on a device initially compromised through a stolen SSLVPN account.
Researcher Chaotic Eclipse earlier released a Microsoft Defender local privilege escalation exploit dubbed BlueHammer. The disclosure preceded RedSun and was later cited as part of the same dispute over Microsoft's vulnerability handling.