A security researcher known as Chaotic Eclipse has published a proof-of-concept (POC) exploit for a second unpatched Microsoft Defender zero-day, dubbed RedSun, less than two weeks after publishing an exploit for a similar flaw.
The exploit escalates a local user to SYSTEM privileges on Windows 10, Windows 11, and Windows Server 2019 and later, including machines that have applied the April Patch Tuesday updates.
RedSun abuses the way Windows Defender handles files marked with a cloud tag through the Windows Cloud Files API. Rather than delete a flagged file, Defender attempts to restore it to its original location, and that restore is a file write performed with Defender's own (SYSTEM) privileges.
The exploit hijacks that privileged write by combining an opportunistic lock, which stalls Defender at the moment of the write, with an NTFS directory junction that redirects the destination path, so the restored content lands on a protected system binary such as TieringEngineService.exe, which then executes with SYSTEM privileges.
Will Dormann, principal vulnerability analyst at Tharros, reproduced the technique on fully patched systems and described the resulting state simply as “Game over.”
He also observed that several antivirus engines on VirusTotal flag the POC because it embeds an EICAR test string; detection rates drop noticeably when the strings are encrypted inside the executable, which suggests those detections key on the test string rather than on the exploit logic itself.
Huntress Confirms Active Exploitation of All Three Tools in the Wild
Earlier this month, the same researcher released BlueHammer, a local privilege escalation exploit for a race condition in Windows Defender's threat remediation engine, which Microsoft patched during April's Patch Tuesday cycle as CVE-2026-33825.
A third tool published on the same day as RedSun, UnDefend, lets an unprivileged user block Defender from receiving signature updates, silently degrading protection on the target system.
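Two of the behaviours described above are observable from the defender's side without any knowledge of the exploit internals: a Defender install whose signatures have stopped updating (the UnDefend effect), and a directory junction in a user-writable location that points into a protected system directory (the redirect RedSun relies on). The PowerShell below is an added example of those two hunting checks; it is not code from the researcher, Huntress, Tharros, or Microsoft, and the search roots, protected paths and the two-day staleness threshold are assumptions to tune for your environment.

```powershell
# Added example: defender-side hunting checks for the two behaviours the article describes.
# Not code from any party named in the article. Paths and thresholds below are assumptions.

# 1. Signature starvation (UnDefend effect): flag a Defender install whose
#    signatures have not updated within $MaxSignatureAgeDays.
function Test-DefenderSignatureFreshness {
    param([int]$MaxSignatureAgeDays = 2)   # assumption: tune to your update cadence
    $status = Get-MpComputerStatus
    [pscustomobject]@{
        SignatureVersion = $status.AntivirusSignatureVersion
        LastUpdated      = $status.AntivirusSignatureLastUpdated
        AgeDays          = $status.AntivirusSignatureAge
        Stale            = ($status.AntivirusSignatureAge -gt $MaxSignatureAgeDays)
    }
}

# 2. Junction redirect (RedSun precondition): directory junctions under
#    user-writable roots whose target is a protected system directory.
#    A junction from a profile or temp folder into System32 has almost no
#    legitimate reason to exist. Search roots and protected targets are assumptions.
function Find-SuspiciousJunctions {
    param(
        [string[]]$SearchRoots = @("$env:SystemDrive\Users", "$env:SystemRoot\Temp"),
        [string[]]$ProtectedTargets = @("$env:SystemRoot\System32",
                                        "$env:SystemRoot\SysWOW64",
                                        "$env:ProgramFiles")
    )
    foreach ($root in $SearchRoots) {
        # -Attributes ReparsePoint keeps the scan to reparse points only.
        # Windows PowerShell 5.1 may follow junctions while recursing; the
        # built-in profile junctions deny enumeration, so errors are suppressed.
        Get-ChildItem -Path $root -Directory -Recurse -Force -Attributes ReparsePoint -ErrorAction SilentlyContinue |
            Where-Object { $_.LinkType -eq 'Junction' } |
            ForEach-Object {
                # .Target is string[] on 5.1 and string on PowerShell 7; take the first value.
                $target = ($_.Target | Select-Object -First 1)
                foreach ($p in $ProtectedTargets) {
                    if ($target -and $target.StartsWith($p, [System.StringComparison]::OrdinalIgnoreCase)) {
                        [pscustomobject]@{ Junction = $_.FullName; Target = $target }
                    }
                }
            }
    }
}

Test-DefenderSignatureFreshness | Format-List
Find-SuspiciousJunctions | Format-Table -AutoSize
```

Run it from an elevated prompt so that every profile directory is enumerated; a Stale result of True on a host that normally updates several times a day, or any junction reported by the second function, is a reason to pull the box for closer inspection rather than a conviction on its own.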
According to Huntress, all three techniques are already being used in the wild, with BlueHammer activity dating to Apr. 10 and RedSun plus UnDefend spotted on a system breached through a compromised SSLVPN account.
Protest is the stated motivation for the releases, with the researcher alleging mistreatment by the Microsoft Security Response Center during earlier disclosure attempts.
A Microsoft spokesperson told reporters the company is investigating the reported security issues and endorses coordinated disclosure as standard industry practice.
With no RedSun patch available and the next Patch Tuesday weeks away, pressure for an out-of-band fix continues to build for organizations using Microsoft Defender as their primary endpoint security control.