
RedSun: System user access on Win 11/10 and Server with the April 2026 Update

Why This Matters

The RedSun vulnerability highlights a critical flaw in Windows Defender's handling of cloud-tagged files, which can be exploited to gain administrative privileges. This underscores the importance of robust security measures and vigilant updates in protecting both enterprise and consumer systems from sophisticated attacks.

RedSun

The Red Sun vulnerability repository

Now, normally I would just drop the PoC code and let people figure it out. But I can't for this one, it's way too funny. When Windows Defender realizes that a malicious file has a cloud tag, for whatever stupid and hilarious reason, the antivirus that's supposed to protect decides that it is a good idea to just rewrite the file it found again to its original location. The PoC abuses this behaviour to overwrite system files and gain administrative privileges.

I think antimalware products are supposed to remove malicious files, not be sure they are there, but that's just me.