A newly disclosed Windows zero-day, tracked as CVE-2026-33825 and exploited by a public tool named RedSun, is under active attack. It grants a local attacker full SYSTEM privileges by abusing a flaw in the way Microsoft Defender handles cloud-tagged files. Unlike many privilege escalation bugs, RedSun needs no existing elevated rights and no user interaction beyond running code as an ordinary local user, and, critically, there is currently no patch. Threat actors have already been observed weaponizing it in real intrusions alongside two companion exploits, BlueHammer and UnDefend.
How RedSun Works
RedSun is a local privilege escalation (LPE) technique that exploits a design flaw in Windows Defender’s cloud file rollback mechanism. When Defender detects a file tagged for cloud storage and initiates a rollback to restore the file to its original on-disk location, it fails to validate the target write path before completing the operation.
An attacker can manipulate this behavior through a multi-step process:
- Step 1 — Trigger a Defender detection: The attacker plants a crafted file that causes Defender to flag it and initiate a cloud rollback.
- Step 2 — Substitute a cloud placeholder: Using the Windows Cloud Files API, the attacker replaces the flagged file with a cloud placeholder before Defender completes its operation.
- Step 3 — Redirect the write path: Using NTFS junction points and opportunistic locks (oplocks), the attacker pauses Defender's rollback write mid-operation and swaps in a junction so that the destination path now resolves into a privileged system directory such as C:\Windows\System32. Junctions are the tool of choice here because, unlike symbolic links, an unprivileged user can create them.
- Step 4 — SYSTEM write: Defender, running with SYSTEM privileges, resumes the rollback and writes the attacker-controlled file to the redirected path — effectively overwriting a system binary and enabling SYSTEM-level code execution.
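The redirection primitive in Step 3 is easy to misread as something exotic, so the following added illustration (written for this page, not the RedSun proof-of-concept or any vendor code) recreates only that primitive on throwaway temp directories: a directory the "writer" trusts is replaced by a junction, and a write through the trusted path lands somewhere else. It does not touch Defender, does not use oplock timing, and targets nothing privileged; all paths are constructed for the demo.

```powershell
# Added illustration of the junction-redirection primitive, not the exploit.
# Runs as a standard user: creating a junction needs no special privilege,
# which is why LPE chains favour junctions over symbolic links.
function Test-JunctionRedirect {
    $base   = Join-Path $env:TEMP ('junction-demo-' + [guid]::NewGuid().ToString('N'))
    $writer = Join-Path $base 'writer-dir'   # the path the privileged writer believes it is using
    $real   = Join-Path $base 'real-target'  # where the bytes actually land
    New-Item -ItemType Directory -Path $base, $real -Force | Out-Null

    # Stand-in for the attacker's move: turn the expected path into a junction.
    # In the real chain the junction target would be a protected location such
    # as C:\Windows\System32 (assumption for illustration; not used here).
    New-Item -ItemType Junction -Path $writer -Target $real | Out-Null

    # Stand-in for the privileged writer: it opens a path it trusts and writes.
    Set-Content -LiteralPath (Join-Path $writer 'restored.bin') -Value 'attacker-controlled bytes'

    $link = Get-Item -LiteralPath $writer
    $result = [pscustomobject]@{
        WrittenTo    = Join-Path $writer 'restored.bin'
        LandedAt     = Join-Path $real 'restored.bin'
        LandedExists = Test-Path -LiteralPath (Join-Path $real 'restored.bin')   # True
        LinkType     = $link.LinkType                                           # Junction
        LinkTarget   = [string]($link.Target | Select-Object -First 1)
    }

    # Clean up: Directory.Delete removes the junction itself without touching its target.
    [System.IO.Directory]::Delete($writer)
    Remove-Item -LiteralPath $base -Recurse -Force
    return $result
}

Test-JunctionRedirect | Format-List
```

The output shows the file was "written to" the writer's path but exists at the real target. What the demo leaves out is the race: in the real chain the attacker uses an oplock to hold Defender's write open until the junction is in place, so the path is re-resolved only after the switch.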
No Patch Available — Active Exploitation Confirmed
On April 16, 2026, a researcher operating under the alias Nightmare-Eclipse released a fully functional proof-of-concept exploit on GitHub. Within hours, threat actors began incorporating RedSun into active attack chains. Microsoft addressed the companion exploit BlueHammer in the April 2026 Patch Tuesday cycle, but RedSun remains unpatched as of April 28, 2026.
A third exploit, UnDefend, has also been observed in the wild. All three are being deployed together as a combined privilege escalation toolkit targeting enterprise Windows environments. Security vendors including Qualys, Picus Security, and CYDERES have published detection guidance in the absence of an official Microsoft fix.
Affected Systems
- Windows 10 (all supported editions, fully patched through April 2026 Patch Tuesday)
- Windows 11 (all supported editions)
- Windows Server 2022 and Windows Server 2025
The vulnerability persists even on systems that have applied the full April 2026 cumulative update. Patch compliance alone does not protect against this exploit.
Recommended Mitigations
While no official patch is available, organizations can reduce exposure with the following measures:
- Apply AppLocker or Windows Defender Application Control (WDAC) policies. These control which binaries are allowed to run, not which APIs a running process may call, so the benefit is that an attacker cannot bring an untrusted tool onto the host to drive the Cloud Files API and junction manipulation; the API itself is not blocked.
- Deploy EDR detection rules that correlate suspicious NTFS junction creation (in particular junctions in user-writable locations whose target resolves under C:\Windows) with write activity by the Defender service process.
- Follow the mitigation guide published by Qualys.
- Monitor the Microsoft Security Response Center for an emergency out-of-band patch, and treat any unexpected SYSTEM-level process spawning from Defender service paths as a high-priority incident indicator.
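The junction half of that detection rule can be approximated on a single host with a PowerShell audit. The script below is an added example written for this page, not code from Qualys, Picus Security, CYDERES or Microsoft; the roots it scans and the protected targets it matches against are assumptions to tune per environment, and it is a point-in-time sweep rather than a substitute for real-time EDR telemetry.

```powershell
# Added example: find NTFS junctions under user-writable roots whose target
# resolves into a protected system directory. Default lists are assumptions.
function Find-SuspiciousJunctions {
    param(
        [string[]]$Roots = @("$env:ProgramData", "$env:PUBLIC", "$env:SystemDrive\Users", "$env:SystemRoot\Temp"),
        [string[]]$SensitiveTargets = @("$env:SystemRoot", "$env:ProgramFiles", "${env:ProgramFiles(x86)}")
    )
    foreach ($root in $Roots) {
        if (-not $root -or -not (Test-Path -LiteralPath $root)) { continue }
        # Only directories that are reparse points; errors from unreadable
        # profile directories are expected when not running elevated.
        Get-ChildItem -LiteralPath $root -Recurse -Force -Attributes 'Directory+ReparsePoint' -ErrorAction SilentlyContinue |
            Where-Object { $_.LinkType -eq 'Junction' } |
            ForEach-Object {
                $link = $_
                $dest = [string]($link.Target | Select-Object -First 1)
                foreach ($sensitive in $SensitiveTargets) {
                    if ($sensitive -and $dest -like "$sensitive*") {
                        [pscustomobject]@{
                            Junction = $link.FullName
                            Target   = $dest
                            Owner    = (Get-Acl -LiteralPath $link.FullName -ErrorAction SilentlyContinue).Owner
                            Created  = $link.CreationTime
                        }
                        break
                    }
                }
            }
    }
}

# Usage: run elevated for full coverage of other users' profiles.
Find-SuspiciousJunctions | Sort-Object Created -Descending | Format-Table -AutoSize
```

Legitimate junctions into C:\Windows are rare outside installer scratch directories, so any hit owned by a non-administrative account, or created minutes before a Defender detection event, deserves the incident-indicator treatment the guidance above calls for. Pair the sweep with process-creation and file-write telemetry from your EDR to get the Defender-side correlation this script cannot see.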
Why This Matters
RedSun exemplifies a troubling trend of security software being weaponized as an attack vector. By targeting Defender’s own trusted, high-privilege file restoration process, attackers obtain a write primitive that is inherently difficult to block without disabling core antimalware functionality. The combination of no available patch, public PoC code, and confirmed active exploitation makes this one of the most urgent Windows security issues of 2026.