RedSun - Microsoft Defender Link Following Local Privilege Escalation
CVE-2026-41091, also referred to as RedSun, is a local elevation-of-privilege vulnerability in Microsoft Defender / the Microsoft Malware Protection Engine caused by improper link resolution before file access ('link following', CWE-59). Available reporting places the flaw in Defender's scanning and remediation workflow, where SYSTEM-privileged file operations can be redirected through attacker-controlled symbolic links, junctions, or similar reparse points.

More detailed write-ups state that when Defender processes a malicious file in a user-controlled directory, an attacker can manipulate path resolution so that Defender rewrites or accesses content at an unintended location, yielding an arbitrary file write into protected paths such as C:\Windows\System32.

The issue is fundamentally a privilege-boundary violation: Defender performs privileged file I/O on attacker-influenced paths without sufficiently defending against redirection. Successful exploitation lets an authenticated local user with no special rights escalate from a standard user context to SYSTEM.
Exploits
1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos (1 hidden).
Small two-file repository containing a single C++ proof-of-concept skeleton and a descriptive README for CVE-2026-41091 ('RedSun'). The code is a local Windows privilege-escalation demonstration targeting Microsoft Defender's link-following/remediation behavior. The repository structure is minimal: `CVE-2026-41091.cpp` contains all executable logic, while `README.md` provides vulnerability background, affected versions, mitigation guidance, and references.

The exploit capability implemented in code is limited and clearly skeletal. It prints a banner, creates a temporary directory under the current user's temp path, writes a marker string to `malicious.cloud`, and attempts to create a junction intended to point at `C:\Windows\System32`. It then pauses briefly to simulate a Defender remediation event. Comments explicitly state that the reparse buffer is incomplete and that cloud attributes and reparse handling are not actually implemented. As written, it performs no working privileged file write and triggers no code execution; it models the attack chain conceptually.

The intended attack path described by both the code comments and the README is: a low-privileged local user prepares a cloud-tagged file, abuses directory junctions/reparse points, and relies on Microsoft Defender running as SYSTEM to rewrite or restore the file into a protected location. That would yield an arbitrary file write as SYSTEM and potentially allow overwriting a privileged binary such as `TieringEngineService.exe`, followed by execution/activation for full SYSTEM compromise. Because the repository lacks the real cloud-file manipulation, proper reparse-point construction, race logic, and execution trigger, it should be classified as a PoC skeleton rather than an operational exploit. No network communication, C2, remote callbacks, or external service interaction are present in the code.

Fingerprintable artifacts are primarily local filesystem targets and references: `%TEMP%\RedSun_PoC`, `%TEMP%\RedSun_PoC\malicious.cloud`, `%TEMP%\RedSun_PoC\junction`, and `C:\Windows\System32`. Overall purpose: educational demonstration of a Defender local privilege escalation technique based on improper link resolution during remediation/rollback.
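A hunt for the artifacts listed above, as an added PowerShell example that is not part of the RedSun repository or of this page. It assumes an elevated shell on the host under review, per-user temp directories at `C:\Users\<user>\AppData\Local\Temp`, and the standard Defender operational event IDs 1116 (detection) and 1117 (action taken); the function name `Find-RedSunArtifacts`, the protected-root list and the seven-day lookback are this example's own choices. Beyond the exact PoC names it also flags any junction or symlink in user temp space that resolves into `System32`/`SysWOW64`, and any file-type reparse point that is not a link, since the public write-ups pair a cloud-files placeholder with the junction.

```powershell
function Find-RedSunArtifacts {
    [CmdletBinding()]
    param(
        # Roots a SYSTEM-level write should never be steered into from user space (example choice).
        [string[]]$ProtectedRoots = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64"),
        # Names taken from the PoC repository described above.
        [string[]]$KnownNames = @('RedSun_PoC', 'malicious.cloud'),
        [int]$LookbackDays = 7
    )
    $findings = New-Object System.Collections.Generic.List[object]

    # The PoC uses the current user's %TEMP%; a hunt must cover every profile on the box.
    $tempDirs = Get-ChildItem -Path "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue |
        ForEach-Object { Join-Path $_.FullName 'AppData\Local\Temp' } |
        Where-Object { Test-Path -LiteralPath $_ }

    foreach ($dir in $tempDirs) {
        # -Depth bounds the walk so a junction pointing back up the tree cannot loop it.
        $items = Get-ChildItem -LiteralPath $dir -Recurse -Depth 3 -Force -ErrorAction SilentlyContinue

        foreach ($item in $items) {
            if ($KnownNames -contains $item.Name) {
                $findings.Add([pscustomobject]@{ Kind = 'KnownArtifact'; Where = $item.FullName; Detail = $null })
            }
            if (($item.Attributes -band [IO.FileAttributes]::ReparsePoint) -eq 0) { continue }

            if ($item.LinkType -in @('Junction', 'SymbolicLink')) {
                # Target may carry a \\?\ prefix depending on PowerShell version; normalise it.
                $target = ([string]($item.Target | Select-Object -First 1)) -replace '^\\\\\?\\', ''
                if (-not $target) { continue }
                $targetNorm = $target.TrimEnd('\') + '\'
                foreach ($root in $ProtectedRoots) {
                    $rootNorm = $root.TrimEnd('\') + '\'
                    if ($targetNorm.StartsWith($rootNorm, [StringComparison]::OrdinalIgnoreCase)) {
                        $findings.Add([pscustomobject]@{ Kind = 'LinkIntoProtectedPath'; Where = $item.FullName; Detail = $target })
                    }
                }
            } elseif (-not $item.PSIsContainer) {
                # A file reparse point that is not a link: on a host without a sync client
                # this is usually a cloud-files placeholder, the other half of the described chain.
                $findings.Add([pscustomobject]@{ Kind = 'NonLinkReparseFile'; Where = $item.FullName; Detail = $item.Attributes.ToString() })
            }
        }
    }

    # Defender operational log: 1116 = threat detected, 1117 = action taken. A remediation
    # that touched user temp space is the trigger the PoC relies on, so correlate it.
    try {
        $events = Get-WinEvent -FilterHashtable @{
            LogName   = 'Microsoft-Windows-Windows Defender/Operational'
            Id        = 1116, 1117
            StartTime = (Get-Date).AddDays(-$LookbackDays)
        } -ErrorAction Stop
        foreach ($e in $events) {
            if ($e.Message -match '(?i)AppData\\Local\\Temp|RedSun_PoC|malicious\.cloud') {
                $findings.Add([pscustomobject]@{
                    Kind   = "DefenderEvent$($e.Id)"
                    Where  = $e.TimeCreated
                    Detail = ($e.Message -split "`n")[0]
                })
            }
        }
    } catch {
        # Get-WinEvent throws when the log is missing or no events match; neither is a finding.
        Write-Verbose "Defender operational log query returned nothing or failed: $_"
    }
    return $findings
}

Find-RedSunArtifacts -Verbose | Format-Table -AutoSize
```

A `LinkIntoProtectedPath` hit alone is the strongest indicator, because no legitimate user-space tool creates junctions from `%TEMP%` into `System32`; a `DefenderEvent1117` within minutes of it is the point at which to pull the Defender `MpCmdRun` support logs and compare hashes of recently modified binaries under the protected roots.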
Recent activity
89 sources tracked across advisories, community write-ups, and news.
A specific Windows zero-day named in the Nightmare-Eclipse/Chaotic Eclipse cluster. The article notes that three of the six vulnerabilities were exploited in the wild before patches were available, but does not identify whether RedSun was one of them.
A local privilege escalation vulnerability in Windows Defender’s remediation workflow that can let an unprivileged user coerce Defender, running as SYSTEM, into writing files into C:\Windows\System32 via Cloud Files placeholders, NTFS junctions, and oplocks, ultimately achieving NT AUTHORITY\SYSTEM code execution.
A Windows zero-day publicly disclosed with working proof-of-concept exploit code; it targeted core Windows components and was later weaponized in real-world attacks, leading to inclusion in CISA's KEV catalog.
Windows zero-day vulnerability publicly disclosed with working exploit; Microsoft says it is already being exploited in real-world attacks.