Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
India Halts WhatsApp Usernames Rollout Due to Fraud Concerns
July 1, 2026
Critical Cursor IDE RCE Vulnerabilities Allow Zero-Click Prompt Injection
July 1, 2026
Automated Password Spray Attacks Target Microsoft Azure CLI
July 1, 2026
Home/CyberSecurity News/Critical Microsoft Defender CVE-2023-XXXXX Zero-Day Grants SYSTEM Access
CyberSecurity News

Critical Microsoft Defender CVE-2023-XXXXX Zero-Day Grants SYSTEM Access

Key Takeaways A new zero-day vulnerability, “RedSun,” affects Microsoft Defender, allowing unprivileged users to gain SYSTEM-level access. The flaw impacts fully patched Windows 10,...

Emy Elsamnoudy
Emy Elsamnoudy
April 17, 2026 3 Min Read
42 0

Key Takeaways

  • A new zero-day vulnerability, “RedSun,” affects Microsoft Defender, allowing unprivileged users to gain SYSTEM-level access.
  • The flaw impacts fully patched Windows 10, Windows 11, and Windows Server 2019 and later systems.
  • Discovered by security researcher “Chaotic Eclipse,” this exploit currently remains unpatched by Microsoft.
  • The vulnerability leverages a logic flaw in Defender’s cloud file handling, enabling critical system file overwrites.

Unpatched Zero-Day “RedSun” Exploits Microsoft Defender for SYSTEM Access

A critical zero-day vulnerability, dubbed “RedSun,” has been uncovered in Microsoft Defender, enabling an unprivileged local user to escalate their privileges to full SYSTEM-level access. This newly disclosed flaw affects a wide range of fully patched Windows operating systems, including Windows 10, Windows 11, and Windows Server 2019 and newer versions. As of this report, no official patch has been released by Microsoft to address the vulnerability.

Table Of Content

  • Key Takeaways
  • Unpatched Zero-Day “RedSun” Exploits Microsoft Defender for SYSTEM Access
  • How the RedSun Exploit Functions
  • What You Should Do

RedSun represents the second zero-day exploit revealed within a two-week period in April 2026 by the prominent security researcher known as “Chaotic Eclipse,” who also operates under the alias “Nightmare-Eclipse” on GitHub.

The first exploit, named BlueHammer, targeted a distinct local privilege escalation (LPE) vulnerability within Microsoft Defender, identified as CVE-2026-33825. Microsoft addressed BlueHammer as part of its April 2026 Patch Tuesday updates.

While RedSun shares a similar goal of privilege escalation, it introduces an entirely novel and independent attack vector. This suggests that the architectural underpinnings of Microsoft Defender may harbor deeper vulnerabilities beyond isolated flaws.

How the RedSun Exploit Functions

The core of the RedSun exploit lies in an unexpected logic flaw within Windows Defender’s cloud file handling mechanism. Ironically, when Defender identifies a malicious file marked with a cloud tag, instead of simply isolating or deleting it, the system attempts to rewrite the file back to its original location. RedSun weaponizes this peculiar behavior through a multi-step attack chain:

  • An attacker initiates the process by writing an EICAR test file to the filesystem using the Windows Cloud Files API (cldapi.dll).
  • An opportunistic lock (oplock) is then employed to momentarily halt Defender’s file restoration process mid-operation.
  • During this pause, the attacker manipulates NTFS directory junctions and reparse points to redirect the target write path to C:WindowsSystem32.
  • When Defender resumes its operation, it follows the newly redirected path and overwrites a critical system binary, such as TieringEngineService.exe, with its inherent SYSTEM-level privileges.
  • Finally, the attacker executes the compromised binary, thereby achieving full SYSTEM-level code execution.

Independent security researcher Will Dormann, who serves as a principal vulnerability analyst at Tharros, has independently verified the reliability of this exploit. His tests confirm its effectiveness on fully patched Windows 10, Windows 11, and Windows Server 2019 and later systems.

Any Windows system running with Windows Defender enabled and possessing the cldapi.dll component is potentially susceptible. This includes:

  • Windows 10 (all supported versions)
  • Windows 11 (all supported versions)
  • Windows Server 2019, 2022, and 2025

The exploit demonstrates approximately 100% reliability, even against systems updated with the latest April 2026 patches, posing a significant threat, particularly within enterprise environments.

While sharing a CVE identifier with the previously patched BlueHammer vulnerability, CVE-2026-33825, RedSun represents a distinct attack vector. The vulnerability carries a CVSS score of 7.8 (High) and is categorized under CWE: Insufficient Granularity of Access Control. Its MITRE ATT&CK mapping aligns with Privilege Escalation (TA0004).

Although the full Proof-of-Concept (PoC) code for RedSun has not been publicly released by the researcher, the detailed exploit methodology has been documented on GitHub.

What You Should Do

  • Until Microsoft releases an official patch, security teams should actively monitor for any anomalous file write activity originating from Defender, especially operations involving cldapi.dll that target the C:WindowsSystem32 directory.
  • Implement endpoint detection and response (EDR) rules to flag and alert on file redirection behaviors that are indicative of oplock-assisted attacks.
  • While no direct mitigation is available, consider reviewing and hardening configurations related to cloud file synchronization and Defender’s interaction with the filesystem, if feasible without impacting critical operations.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackCVEExploitPatchSecurityVulnerabilityzero-day

Share Article

Emy Elsamnoudy

Emy Elsamnoudy

Emy is a cybersecurity analyst and reporter specializing in threat hunting, defense strategies, and industry trends. With expertise in proactive security measures, Emily covers the tools and techniques organizations use to detect and prevent cyber attacks. She is a regular speaker at security conferences and has contributed to industry reports on threat intelligence and security operations. Emily's reporting focuses on helping organizations improve their security posture through practical, actionable insights.

Previous Post

Critical Flaws in EU Age Verification App Expose User Data

Next Post

Attackers Target Trucking and Freight Firms to Steal Cargo

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
Critical Fluentd Vulnerabilities Allow Remote Code Execution
July 1, 2026
Weaponized Google Ads Install Malicious Claude Code to Hijack macOS
July 1, 2026
Critical Adobe ColdFusion Vulnerabilities Let Attackers Run Code
July 1, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
Emy Elsamnoudy
Emy Elsamnoudy
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us