RedSun vulnerability in Microsoft Defender

A security flaw in Microsoft Defender can let attackers gain elevated system privileges on Windows systems. The issue affects Windows 10, Windows 11, and Windows Server when Microsoft Defender is active.

The vulnerability, referred to as RedSun, was disclosed by security researcher Chaotic Eclipse. According to the published explanation, the flaw involves the way Microsoft Defender handles a malicious file that carries a cloud tag. Instead of simply removing the file, Defender can rewrite it back to its original location. That behavior can then be abused to overwrite system files and obtain administrative privileges.

How the exploit works

The published proof of concept describes a chain that turns Defender’s own behavior into the attack path. When the antivirus detects a malicious file with a cloud tag, it may restore that file to the original location. The exploit takes advantage of that process to replace system files.

That is the core risk here: software that is supposed to stop malicious files can, under these conditions, help place them back where they can be used to compromise the system. The result is potential admin-level access without obvious signs to the user.
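The defender-side takeaway from that chain is that a restore or write-back performed by the antivirus itself is worth alerting on whenever the destination is a protected system location. The following is an added example written for this page (not code from the researcher's repository or from Microsoft) that runs such a check over constructed log lines. It assumes a simplified, hypothetical line layout of `<timestamp> <event_id> <user> <path>` and uses Microsoft Defender Antivirus Event ID 1009 ("restored an item from quarantine") as the restore signal; treating that event as the footprint of the write-back described above is an assumption, since the article does not name the exact event involved.

```python
"""
Flag antivirus restore/write-back events whose destination lies inside a
protected Windows directory.

Added example for this article; not Microsoft's or the researcher's code.
Assumed (hypothetical) log layout per line:  <timestamp> <event_id> <user> <path>
Real Defender events live in the Microsoft-Windows-Windows Defender/Operational
channel and would be exported and parsed first; this script only shows the check.
"""
import ntpath
from pathlib import PureWindowsPath
from typing import Iterable, Optional

# Defender Antivirus event id: "The antimalware platform restored an item from quarantine."
RESTORE_EVENT_ID = 1009

# Locations where a write-back of a previously flagged file should never be silent.
PROTECTED_ROOTS = (
    PureWindowsPath(r"C:\Windows"),
    PureWindowsPath(r"C:\Program Files"),
    PureWindowsPath(r"C:\Program Files (x86)"),
    PureWindowsPath(r"C:\ProgramData\Microsoft\Windows Defender"),
)


def is_under_protected_root(path: str) -> bool:
    """True if `path` resolves to a location inside PROTECTED_ROOTS.

    ntpath.normpath collapses '..' segments and forward slashes so a restore
    path written as C:\\Users\\x\\..\\..\\Windows\\y is still caught.  Windows
    paths are case-insensitive, so both sides are lower-cased.  Not handled
    here: \\\\?\\ device-path prefixes and 8.3 short names (PROGRA~1), which the
    collector should canonicalise before this check.
    """
    parts = tuple(s.lower() for s in PureWindowsPath(ntpath.normpath(path)).parts)
    for root in PROTECTED_ROOTS:
        root_parts = tuple(s.lower() for s in root.parts)
        if parts[: len(root_parts)] == root_parts:
            return True
    return False


def parse_event(line: str) -> Optional[tuple]:
    """Parse one constructed log line into (timestamp, event_id, user, path).

    The path may contain spaces, so split at most three times.  Returns None
    for malformed lines instead of raising, so one bad line cannot stop a sweep.
    """
    fields = line.strip().split(maxsplit=3)
    if len(fields) != 4:
        return None
    ts, eid, user, path = fields
    try:
        return ts, int(eid), user, path
    except ValueError:
        return None


def find_suspicious_restores(lines: Iterable[str]) -> list:
    """Return one alert dict per restore event that lands in a protected root."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        ts, eid, user, path = ev
        if eid == RESTORE_EVENT_ID and is_under_protected_root(path):
            alerts.append({"time": ts, "user": user, "path": ntpath.normpath(path)})
    return alerts


# Constructed sample log: a normal detect/act/restore cycle in a user profile
# (not alerted), two restores into C:\Windows (alerted), and a malformed line.
SAMPLE_LOG = """\
2025-04-10T09:14:02Z 1116 CORP\\alice C:\\Users\\alice\\Downloads\\tool.exe
2025-04-10T09:14:03Z 1117 CORP\\alice C:\\Users\\alice\\Downloads\\tool.exe
2025-04-10T09:20:41Z 1009 CORP\\alice C:\\Users\\alice\\Downloads\\tool.exe
2025-04-10T09:21:05Z 1009 CORP\\alice C:\\Windows\\System32\\drivers\\fake.sys
2025-04-10T09:21:06Z 1009 CORP\\alice C:\\Users\\alice\\..\\..\\Windows\\Temp\\x.dll
malformed line here
"""

if __name__ == "__main__":
    for alert in find_suspicious_restores(SAMPLE_LOG.splitlines()):
        print(f"[restore into protected path] {alert['time']} {alert['user']} -> {alert['path']}")
```

The restore into the user's own Downloads folder is deliberately not flagged: that is ordinary quarantine-release behaviour. What makes the write-back dangerous, and what the check isolates, is the destination being a location where the restored file can overwrite something the system trusts.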

A public exploit has already been released

The researcher behind RedSun did not keep the issue private. A working exploit and technical explanation were published in a GitHub repository, making the flaw easier for others to understand and potentially reproduce.

The disclosure follows an earlier incident involving the same researcher, who had also published a Windows exploit after claiming a prior report was ignored. In the RedSun case, the release was described as an act of frustration.

Why the vulnerability was disclosed publicly

The researcher tied the public release to dissatisfaction with Microsoft’s handling of vulnerability reporting. He specifically pointed to negative experiences with the Microsoft Security Response Center, the group responsible for receiving newly discovered security issues and passing them on so developers can prepare fixes.

That frustration is a major part of the story because it explains why a flaw with such broad reach was made public before a fix was available.

Affected Windows systems

The issue was identified after the latest April Patch Tuesday and impacts:

  • Windows 10
  • Windows 11
  • Windows Server

The condition mentioned is that Microsoft Defender must be active on the affected machine.

Is it being exploited already?

There is no evidence yet that the flaw is being exploited in the wild. But that does not make it a minor issue. A published exploit lowers the barrier for attackers, and that can change the situation quickly if bad actors decide to follow the instructions already made available.

Why the RedSun flaw is serious

This vulnerability matters because it can lead to administrative privileges, which can open the door to much deeper system compromise. Once elevated access is gained, the damage can be significant and may happen without the user noticing.

Admin access raises the risk level

Administrative privileges are especially dangerous because they can allow changes to protected parts of the system. In this case, the exploit works by overwriting system files, which makes the flaw more than a routine antivirus bypass. It creates a path to direct system-level impact.

Microsoft Defender is widely used

The risk is amplified by the fact that Microsoft Defender is the built-in antivirus tool used by millions. A flaw in a default security product has a wider blast radius because it affects systems that rely on standard Windows protection without any extra setup.

Patch status and current response

At the moment, there is no announced patch for RedSun. Microsoft has not yet provided a fix that resolves the issue.

No patch available yet

That leaves affected users in an awkward spot. The vulnerability is known, the exploit details are public, and a remediation update has not been announced.

What users can do right now

Until the issue is resolved, users should consider adding another antivirus product alongside Microsoft Defender. That is the practical step suggested while waiting for a patch.

Temporary protection measures

For now, the key action is simple: do not rely only on Defender if you are concerned about exposure to this flaw. Additional antivirus coverage may help reduce risk while the issue remains unpatched.