A critical zero-day vulnerability in Microsoft Defender, dubbed RedSun, is raising serious concerns across enterprise security teams.
Unlike typical threats, this one doesn’t rely on malware downloads or phishing emails. Instead, it abuses trusted system behavior to escalate privileges from a standard user to full SYSTEM-level access—on fully patched systems.
Even more alarming?
👉 There is currently no patch available.
For CISOs, SOC analysts, and security engineers, this represents a high-risk scenario where endpoint protection itself becomes the attack surface.
In this article, we’ll break down:
- What the RedSun zero-day is
- How the exploit works step-by-step
- Affected systems and real-world risks
- Detection strategies and mitigation steps
What Is the RedSun Zero-Day Vulnerability?
The RedSun zero-day is a local privilege escalation (LPE) vulnerability in Microsoft Defender that allows attackers to gain SYSTEM-level privileges.
Key Facts
- Affects:
- Windows 10
- Windows 11
- Windows Server 2019, 2022, 2025
- Works on fully patched systems
- No official patch available yet
- High reliability (~100% success rate)
Why RedSun Is So Dangerous
1. Exploits Trusted Security Software
- Targets Microsoft Defender itself
- Bypasses traditional trust boundaries
2. Full SYSTEM Access
- Highest privilege level in Windows
- Complete control over the system
3. No Patch Available
- Leaves organizations exposed
- Requires proactive defense strategies
4. High Reliability
- Works consistently across environments
- Not dependent on complex conditions
How the RedSun Exploit Works
The vulnerability lies in Defender’s cloud file handling logic.
Step-by-Step Attack Chain
1. Malicious File Creation
- Attacker writes an EICAR test file using:
- Windows Cloud Files API (
cldapi.dll)
- Windows Cloud Files API (
2. Trigger Defender Detection
- Defender detects the file as malicious
- Attempts to restore or rewrite it
3. Oplock Manipulation
- Attacker uses an opportunistic lock (oplock)
- Pauses Defender mid-operation
4. Path Redirection
- Uses:
- NTFS junctions
- Reparse points
- Redirects file path to:
C:\Windows\System32
5. Privileged File Overwrite
- Defender resumes operation
- Writes file with SYSTEM privileges
- Overwrites critical system binary
6. Code Execution
- Attacker executes modified binary
- Gains full SYSTEM access
Technical Concepts Explained
Opportunistic Locks (Oplocks)
- Allow control over file access timing
- Used here to manipulate Defender behavior
NTFS Reparse Points
- Redirect file system paths
- Enable stealthy file write redirection
Cloud Files API (cldapi.dll)
- Manages cloud-backed file operations
- Central to exploit execution
Affected Systems
All systems with:
- Microsoft Defender enabled
cldapi.dllpresent
Impacted Platforms
- Windows 10 (all supported versions)
- Windows 11 (all supported versions)
- Windows Server 2019+
MITRE ATT&CK Mapping
- Tactic: Privilege Escalation (TA0004)
- Technique: Exploitation for Privilege Escalation
Risk Impact Analysis
| Risk Area | Impact Level |
|---|---|
| Privilege Escalation | High |
| Endpoint Compromise | Critical |
| Detection Difficulty | High |
| Patch Availability | None |
Real-World Implications
Enterprise Risk
- Attackers can:
- Disable security controls
- Deploy ransomware
- Maintain persistence
SOC Visibility Challenges
- Activity originates from trusted processes
- Difficult to detect with signature-based tools
Lateral Movement Potential
- SYSTEM access enables:
- Credential dumping
- Network pivoting
Common Misconceptions
❌ “Fully patched systems are safe”
- RedSun works on fully updated systems
❌ “Defender protects against everything”
- Even security tools can have vulnerabilities
❌ “Privilege escalation requires admin access”
- RedSun works from unprivileged user context
Detection Strategies
Security teams should monitor for:
1. Suspicious File Writes
- Activity involving:
cldapi.dll- Writes to
C:\Windows\System32
2. Oplock Abuse
- Unusual file locking behavior
3. Binary Modification
- Unexpected changes to system executables
4. Privilege Escalation Indicators
- Sudden elevation to SYSTEM
Mitigation Strategies (Until Patch Is Released)
1. Implement Behavioral Detection
- Focus on:
- File system anomalies
- Privilege escalation patterns
2. Restrict File System Redirection
- Monitor NTFS junction usage
3. Harden Endpoint Security
- Limit execution permissions
- Apply least privilege principles
4. Use EDR/XDR Solutions
- Detect abnormal process behavior
- Monitor Defender interactions
5. Monitor Critical Directories
- Alert on changes in:
System32- Protected binaries
Framework Alignment
NIST Cybersecurity Framework
- Detect: Monitor anomalies
- Respond: Contain escalation
- Protect: Harden endpoints
ISO 27001
- A.12 – Change management
- A.9 – Access control
Expert Insight: When Security Tools Become Attack Vectors
RedSun highlights a critical evolution in threat landscape:
Attackers are targeting the tools designed to stop them.
Strategic Takeaways
- Trust assumptions must be re-evaluated
- Behavioral detection is essential
- Zero trust must extend to endpoints
FAQs
1. What is the RedSun vulnerability?
A zero-day in Microsoft Defender enabling SYSTEM-level privilege escalation.
2. Is there a patch available?
No, the vulnerability remains unpatched.
3. Which systems are affected?
Windows 10, Windows 11, and Windows Server 2019+.
4. How severe is the vulnerability?
High severity (CVSS 7.8) with full system compromise potential.
5. Can antivirus detect it?
Traditional signature-based tools may struggle to detect it.
6. What should organizations do now?
Implement behavioral monitoring and restrict suspicious file operations.
Conclusion
The RedSun zero-day vulnerability is a stark reminder that even trusted security tools can become attack surfaces.
Key Takeaways
- Privilege escalation risks are evolving
- Fully patched systems are not immune
- Behavioral detection is critical
Organizations must act now to strengthen monitoring and detection capabilities—before attackers exploit this gap at scale.
