A Second Defender Zero-Day Released in Two Weeks
A security researcher operating under the pseudonym Chaotic Eclipse has publicly released a proof-of-concept (PoC) exploit for a second Microsoft Defender zero-day vulnerability in the span of just two weeks. The new flaw, nicknamed RedSun, is a local privilege escalation (LPE) bug that enables attackers to obtain full SYSTEM-level privileges on machines running Windows 10, Windows 11, and Windows Server — even when fully updated with the latest April 2026 Patch Tuesday patches and with Windows Defender enabled.
The disclosure comes shortly after the same researcher published another Defender LPE zero-day called BlueHammer, which Microsoft subsequently patched and is now tracked as CVE-2026-33825. Unlike BlueHammer, RedSun remains unpatched at the time of publication.
How the RedSun Exploit Works
The vulnerability stems from unusual behavior in Windows Defender's cloud-based file scanning mechanism. According to Chaotic Eclipse, when Defender identifies a malicious file carrying a cloud tag, it proceeds to rewrite the file back to its original location — an action the researcher described with pointed sarcasm:
"When Windows Defender realizes that a malicious file has a cloud tag, for whatever stupid and hilarious reason, the antivirus that's supposed to protect decides that it is a good idea to just rewrite the file it found again to its original location. The PoC abuses this behaviour to overwrite system files and gain administrative privileges."
The exploit chain leverages several low-level Windows mechanisms. Will Dormann, principal vulnerability analyst at Tharros, independently confirmed to BleepingComputer that the exploit functions as claimed on fully patched Windows 10, Windows 11, and Windows Server 2019 and later versions. Dormann provided a technical breakdown of the attack flow on Mastodon:
"This exploit uses the 'Cloud Files API', writes EICAR to a file using it, uses an oplock to win a volume shadow copy race, and uses a directory junction/reparse point to redirect the file rewrite (with new contents) to C:\Windows\system32\TieringEngineService.exe. At this point, the Cloud Files Infrastructure runs the attacker-planted TieringEngineService.exe (which is the RedSun.exe exploit itself) as SYSTEM. Game over."
Step-by-Step Attack Chain
To summarize the technical mechanics confirmed by Dormann, the exploit proceeds through the following stages:
- The attacker writes an EICAR antivirus test string to a file using the Cloud Files API.
- An oplock (opportunistic lock) is used to win a race condition against a volume shadow copy operation.
- A directory junction or reparse point redirects Defender's file rewrite operation to overwrite the legitimate system binary C:\Windows\system32\TieringEngineService.exe.
- The Cloud Files Infrastructure then executes the attacker-planted version of that executable — which is the RedSun exploit binary itself — with SYSTEM privileges.
Detection Evasion and VirusTotal Findings
Because the exploit executable embeds an EICAR test string, several antivirus vendors on VirusTotal were initially flagging it. However, Dormann noted that encrypting the EICAR string within the binary significantly reduced the number of detections on the platform, raising concerns about how easily the exploit could be further obfuscated to evade security tooling. A more thorough technical write-up covering the vulnerability's internals was also published separately by security researcher Kevlar.
The Researcher's Grievance with Microsoft's MSRC
Chaotic Eclipse stated that both zero-day PoC releases were acts of protest against how Microsoft's Security Response Center (MSRC) treats cybersecurity researchers who responsibly disclose vulnerabilities. The researcher made serious allegations against the company, claiming they were personally threatened by Microsoft representatives:
"Normally, I would go through the process of begging them to fix a bug but to summarize, I was told personally by them that they will ruin my life and they did and I'm not sure if I was the only one who had this horrid experience or few people did but I think most would just eat it and cut their losses but for me, they took away everything. They mopped the floor with me and pulled every childish game they could."
BleepingComputer contacted Chaotic Eclipse for further specifics regarding their interactions with the MSRC. Microsoft, for its part, responded with a statement that did not directly address the researcher's allegations:
"Microsoft has a customer commitment to investigate reported security issues and update impacted devices to protect customers as soon as possible. We also support coordinated vulnerability disclosure, a widely adopted industry practice that helps ensure issues are carefully investigated and addressed before public disclosure, supporting both customer protection and the security research community."
What Users and Administrators Should Know
At present, there is no official patch available for the RedSun zero-day. The exploit requires local access to a target machine, which limits its immediate threat surface compared to remote code execution flaws. However, LPE vulnerabilities are frequently chained with other exploits to fully compromise systems after an initial foothold is established.
Key facts to be aware of include:
- The vulnerability affects Windows 10, Windows 11, and Windows Server 2019 and later.
- The exploit functions on systems with the latest April 2026 Patch Tuesday updates applied.
- The attack requires Windows Defender to be enabled and exploits its cloud file-handling behavior.
- A working PoC is publicly available, raising the risk of real-world exploitation.
- The predecessor zero-day, BlueHammer (CVE-2026-33825), was patched in April 2026's Patch Tuesday cycle.
Security teams are advised to monitor for unusual activity involving TieringEngineService.exe, track oplock and reparse point usage, and watch for Microsoft's response and any out-of-band patch that may be issued to address RedSun.
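The monitoring advice above can be turned into a concrete host-side check. The following PowerShell script is an added example and is not part of the article, of Dormann's analysis, or of the researcher's PoC. It assumes an elevated session on the host being examined; the binary path is the one named in the article, while the expected owner (TrustedInstaller) and signer (Microsoft) are the example author's assumptions about a healthy install. It verifies that the TieringEngine binary is not sitting behind a reparse point, still carries a valid Microsoft Authenticode signature and the expected owner, lists any reparse points directly under System32, and pulls Defender detection and remediation events (IDs 1116 and 1117) that mention the binary.

```powershell
# Added example, not from the article or the researcher's PoC: defender-side checks for
# the file the RedSun chain is reported to overwrite. Assumes an elevated PowerShell
# session; the "healthy" owner and signer values below are the example author's assumptions.
$Target = Join-Path $env:SystemRoot 'System32\TieringEngineService.exe'

function Test-TieringEngineIntegrity {
    param([string]$Path = $Target)
    $findings = New-Object System.Collections.Generic.List[string]

    $file = Get-Item -LiteralPath $Path -Force -ErrorAction Stop
    $dir  = Get-Item -LiteralPath (Split-Path -Parent $Path) -Force

    # The described chain redirects Defender's rewrite through a junction/reparse point;
    # neither the binary nor its directory should carry the ReparsePoint attribute.
    foreach ($entry in @($file, $dir)) {
        if ($entry.Attributes -band [IO.FileAttributes]::ReparsePoint) {
            $findings.Add("Reparse point set on $($entry.FullName)")
        }
    }

    # A planted executable will not carry a valid Microsoft Authenticode signature.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    if ($sig.Status -ne 'Valid') {
        $findings.Add("Authenticode status is '$($sig.Status)'")
    } elseif ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
        $findings.Add("Unexpected signer: $($sig.SignerCertificate.Subject)")
    }

    # Protected OS binaries are normally owned by TrustedInstaller (assumption); a file
    # that was rewritten through a user-controlled path may show a different owner.
    $owner = (Get-Acl -LiteralPath $Path).Owner
    if ($owner -ne 'NT SERVICE\TrustedInstaller') {
        $findings.Add("Unexpected owner: $owner")
    }

    return $findings
}

function Find-System32ReparsePoints {
    # Reparse points directly under System32 are rare on a stock install; any hit deserves
    # a look, since the article names this mechanism as part of the chain.
    $sys32 = Join-Path $env:SystemRoot 'System32'
    Get-ChildItem -LiteralPath $sys32 -Force -Attributes ReparsePoint -ErrorAction SilentlyContinue |
        Select-Object FullName, LinkType, Target
}

function Get-DefenderEventsForTarget {
    # Defender writes detections (1116) and remediation actions (1117) to its Operational
    # log; a detection whose path is the TieringEngine binary is the trace to hunt for.
    $filter = @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1116, 1117 }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'TieringEngineService' } |
        Select-Object TimeCreated, Id, Message
}

$issues = Test-TieringEngineIntegrity
if ($issues.Count -eq 0) {
    "OK: $Target looks intact"
} else {
    $issues | ForEach-Object { "FINDING: $_" }
}
Find-System32ReparsePoints
Get-DefenderEventsForTarget
```

Run it periodically or from an EDR script task; an empty findings list plus no Defender events naming the binary is the expected baseline. A reparse point under System32 is not proof of compromise on its own (some deployments legitimately contain links), so treat it as a lead to correlate with the signature and ownership results and with the Defender events rather than as a verdict.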
Source: BleepingComputer