New PoC shows how Microsoft Defender can be tricked into rewriting malicious files into protected locations, enabling SYSTEM-level privilege escalation on fully patched Windows systems.

CSO Online offers insights into cybersecurity, risk management, and IT leadership, providing articles, reports, and expert analysis to help security professionals navigate the evolving threat landscape and protect their organizations from cyber attacks. By exploring CSO Online's curated content, CISOs, security managers, and IT executives can learn about threat intelligence, security frameworks, and incident response strategies for building resilient cybersecurity programs. Whether you're defending against ransomware, phishing attacks, or insider threats, CSO Online offers resources to strengthen your security posture and safeguard your digital assets.

CSO Online

A new unpatched proof-of-concept exploit called 'RedSun' demonstrates how Microsoft Defender can be tricked into rewriting malicious files to protected system locations, enabling SYSTEM-level privilege escalation on fully patched Windows 10, Windows 11, and Windows Server 2019+ systems. The exploit abuses Defender's handling of cloud-tagged files (e.g., OneDrive), using the Cloud Files API, oplock timing control, Volume Shadow Copy race conditions, and directory junctions to redirect where Defender writes files. Security researcher Will Dormann confirmed the exploit works ~100% reliably. This is the second Defender-based local privilege escalation issue to emerge within days, following CVE-2026-33825 patched in April's Patch Tuesday. The new vulnerability remains unaddressed, and Microsoft has not responded to comment requests.

Another Microsoft Defender privilege escalation bug emerges days after patch