Days after Microsoft patched a high-severity issue affecting its Windows Defender antivirus tool through April’s Patch Tuesday, researchers warn of another vulnerability that could enable SYSTEM privileges through local escalation.
In a newly disclosed proof-of-concept (PoC) exploit, dubbed “RedSun,” a GitHub user going by the name “Nightmare Eclipse” demonstrated how Microsoft Defender’s handling of certain cloud-tagged files can be abused to overwrite protected system files and escalate privileges.
“When Windows Defender realizes that a malicious file has a cloud tag, for whatever stupid and hilarious reason, the antivirus that’s supposed to protect decides that it is a good idea to just rewrite the file it found again to its original location,” Eclipse wrote in the PoC repository description.
The PoC exploit impacts Windows 10 and Windows 11 systems running Microsoft Defender, specifically builds with the cloud files feature enabled.
Antivirus rewrites the threat
The RedSun PoC highlights a counterintuitive behavior. Defender’s remediation process may restore a flagged file under certain conditions. Specifically, files tagged with cloud metadata (such as those used by OneDrive and similar services) trigger a different handling path inside the antivirus engine.
Rather than permanently removing the malicious file, Defender attempts to restore it to its original source, rewriting the file back to disk. The PoC exploits this mechanism to manipulate the file contents or destination during the rewrite process.
If an attacker can control the timing and location of the rewrite, they can replace legitimate system binaries or configuration files with malicious payloads. RedSun demonstrates this to gain SYSTEM-level privileges.
Will Dormann from Infosec Exchange verified the PoC using the Cloud Files API. “This works ~100% reliably to go from unprivileged user to SYSTEM against Windows 11 and Windows Server 2019+ with April 2026 updates, as well as Windows 10, as long as you have Windows Defender enabled,” he said. “Any system that has cldapi.dll should be affected.”
Dormann used the Cloud Files API to introduce a specially crafted file, followed by an “oplock” to control file access timing. From there, the exploit leverages Volume Shadow Copy race conditions and directory junctions/reparse points to redirect where Defender writes the file.
Second Defender-based LPE in days
The Defender flaw addressed earlier this week as part of Patch Tuesday was one of the two zero-day bugs Microsoft fixed, and it also allowed local privilege escalation stemming from “insufficient granularity of access control.”
While Microsoft attributed the discovery of the flaw, tracked as CVE-2026-33825, to security researcher Zen Dodd, the flaw already had a PoC exploit, “BlueHammer,” available before it was even fixed. It came from “Chaotic Eclipse,” an alias used by Nightmare Eclipse on other publishing platforms. The flaw received a high-severity rating of 7.8 out of 10.
Eclipse has some disagreements with how Microsoft handled the disclosure of CVE-2026-33825. While it is unknown if “RedSun” was reported to Microsoft before disclosure, the PoC still sits unaddressed.
Microsoft did not immediately respond to CSO’s requests for comment. Dormann confirmed that the exploit is being detected on VirusTotal, but that this detection relies heavily on the EICAR test file signature and can be defeated to some extent with string encryption. “Defender (Microsoft) currently doesn’t detect the exploit in either case,” he noted.