{"id":7857,"date":"2026-04-17T11:55:14","date_gmt":"2026-04-17T11:55:14","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=7857"},"modified":"2026-04-17T11:55:14","modified_gmt":"2026-04-17T11:55:14","slug":"another-microsoft-defender-privilege-escalation-bug-emerges-days-after-patch","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=7857","title":{"rendered":"Another Microsoft Defender privilege escalation bug emerges days after patch"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Days after Microsoft patched a high-severity issue affecting its Windows Defender antivirus tool through April\u2019s Patch Tuesday, researchers warn of another vulnerability that could enable SYSTEM privileges through local escalation.<\/p>\n<p>In a newly disclosed proof-of-concept (PoC) exploit, dubbed \u201cRedSun,\u201d a GitHub user going by the name \u201cNightmare Eclipse\u201d demonstrated how Microsoft Defender\u2019s handling of certain cloud-tagged files can be abused to overwrite protected system files and escalate privileges.<\/p>\n<p>\u201cWhen Windows Defender realizes that a malicious file has a cloud tag, for whatever stupid and hilarious reason, the antivirus that\u2019s supposed to protect decides that it is a good idea to just rewrite the file it found again to its original location,\u201d Eclipse <a href=\"https:\/\/github.com\/Nightmare-Eclipse\/RedSun\" target=\"_blank\" rel=\"noopener\">wrote<\/a> in the PoC repository description.<\/p>\n<p>The PoC exploit impacts Windows 10 and Windows 11 systems running Microsoft Defender, specifically builds with the cloud files feature enabled.<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>Antivirus rewrites the threat<\/h2>\n<p>The RedSun PoC highlights a counterintuitive behavior. 
Defender\u2019s remediation process may restore a flagged file under certain conditions. Specifically, files tagged with cloud metadata (such as those used by OneDrive and similar services) trigger a different handling path inside the antivirus engine.<\/p>\n<p>Rather than permanently removing the malicious file, Defender attempts to restore it to its original source, rewriting the file back to disk. The PoC exploits this mechanism to manipulate the file contents or destination during the rewrite process.<\/p>\n<p>If an attacker can control the timing and location of the rewrite, they can replace legitimate system binaries or configuration files with malicious payloads. RedSun demonstrates this to gain SYSTEM-level privileges.<\/p>\n<p>Will Dormann, posting on Infosec Exchange, verified the PoC using the Cloud Files API. \u201cThis works ~100% reliably to go from unprivileged user to SYSTEM against Windows 11 and Windows Server 2019+ with April 2026 updates, as well as Windows 10, as long as you have Windows Defender enabled,\u201d he said. \u201cAny system that has cldapi.dll should be affected.\u201d<\/p>\n<p>Dormann used the Cloud Files API to introduce a specially crafted file, followed by an opportunistic lock (\u201coplock\u201d) to control file access timing. 
From there, the exploit leverages Volume Shadow Copy race conditions and directory junctions\/reparse points to redirect where Defender writes the file.<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>Second Defender-based LPE in days<\/h2>\n<p>The Defender flaw addressed <a href=\"https:\/\/www.csoonline.com\/article\/4158706\/april-patch-tuesday-roundup-zero-day-vulnerabilities-and-critical-bugs.html\">earlier this week<\/a> as part of Patch Tuesday was one of the two zero-day bugs Microsoft fixed, and it also allowed local privilege escalation stemming from \u201cinsufficient granularity of access control.\u201d<\/p>\n<p>While Microsoft attributed the discovery of the flaw, tracked as CVE-2026-33825, to security researcher Zen Dodd, the flaw already had a PoC exploit, \u201cBlueHammer,\u201d available before it was even fixed. It came from \u201cChaotic Eclipse,\u201d an alias used by Nightmare Eclipse on other publishing platforms. The flaw received a high-severity rating of 7.8 out of 10.<\/p>\n<p>Eclipse has some <a href=\"https:\/\/deadeclipse666.blogspot.com\/2026\/04\/public-disclosure-response-for-cve-2026.html\" target=\"_blank\" rel=\"noopener\">disagreements<\/a> with how Microsoft handled the disclosure of CVE-2026-33825. While it is unknown if \u201cRedSun\u201d was reported to Microsoft before disclosure, the PoC still sits unaddressed.<\/p>\n<p>Microsoft did not immediately respond to CSO\u2019s requests for comments. Dormann confirmed that the exploit is being detected on VirusTotal, but noted that this detection relies heavily on the EICAR test file signature, which can be handled to some extent with string encryption. 
\u201cDefender (Microsoft) currently doesn\u2019t detect the exploit in either case,\u201d he noted.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Days after Microsoft patched a high-severity issue affecting its Windows Defender antivirus tool through April\u2019s Patch Tuesday, researchers warn of another vulnerability that could enable SYSTEM privileges through local escalation. In a newly disclosed proof-of-concept (PoC) exploit, dubbed \u201cRedSun,\u201d a GitHub user going by the name \u201cNightmare Eclipse\u201d demonstrated how Microsoft Defender\u2019s handling of certain cloud-tagged [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":7858,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-7857","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/7857"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=7857"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/7857\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/7858"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=7857"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=7857"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=7857"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}