RedSun zero-day grants SYSTEM access

- Qualys published mitigation guidance on April 22 after RedSun exposed a Microsoft Defender privilege-escalation path that can hand a standard Windows user SYSTEM rights.
- The key detail is where the bug lives: Defender's cloud file restoration logic can be steered into privileged file writes without any kernel exploit.
- That matters because Defender is everywhere, so one always-on security tool becomes a universal local escalation surface.

Microsoft Defender is supposed to be the thing stopping malware from taking over a Windows box. RedSun flips that logic around. It turns Defender itself into the step that gives an attacker SYSTEM, the most privileged user-mode account on a Windows host. And the ugly part is that this is not a kernel exploit or some weird edge case. It abuses a trusted, always-running security component on Windows 10, Windows 11, and Windows Server 2019 and later, with no vendor patch available when Qualys published its mitigation guidance on April 22. (blog.qualys.com)

### What is RedSun, exactly?

RedSun is a local privilege-escalation bug in Microsoft Defender. "Local" matters: an attacker already needs code execution or a foothold as a normal user, so this is a post-compromise step, not an initial-access bug. But from there, the jump is huge: standard user to NT AUTHORITY\SYSTEM. That is enough to tamper with protected files, disable defense […]quired. (blog.qualys.com)

### Why is SYSTEM access such a big deal?

On Windows, SYSTEM sits above an ordinary administrator in practice for many security-sensitive operations: it is the account the OS's own services run as, it is never subject to UAC token filtering, and it has default access to the SAM and SECURITY registry hives, which an elevated administrator cannot read without first changing their permissions. If an attacker gets SYSTEM, they can run code in the same privilege context trusted OS services use. That means the exploit is less about "one more bug" and more about turning an in[…]once this step exists. That is why local privilege-escalation bugs are so valuable in real attack chains. (blog.qualys.com)

### Where is the flaw?

The bug sits in Defender's cloud file restoration logic. When Defender detects a malicious file carrying a cloud tag, it may try to restore that file to its original location instead of just deleting or quarantining it. That restore action runs as SYSTEM. The problem, basically, is path trust: the restore acts on a path that a standard user can influence. Qu[…]ion. (blog.qualys.com)

### So how does the exploit work?

The attacker influences the path used during Defender's remediation flow. Defender then performs a move, delete, or restore operation with SYSTEM privileges, but against a location the attacker has redirected or controlled.
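The path-trust problem described above, as an added illustration of the bug class rather than Defender's code or anything from Qualys's write-up: a hypothetical privileged restore routine that blindly honours the recorded original path, beside one that refuses a target outside the directory the item came from, a junction or symbolic link anywhere on the way, or an existing file at the destination. The function names, the temp-directory sandbox and the junction trick are this example's own assumptions; the demo runs on constructed paths and touches nothing Defender-related.

```powershell
# Added illustration of the "path trust" bug class (a privileged service acting on a
# user-influenced path). Not Defender's code; all names here are this example's own.

function Restore-FileUnsafely {
    # The vulnerable pattern: a SYSTEM-level process moves the file to wherever the recorded
    # original path points. A junction or symlink on that path redirects the privileged write.
    param([string]$QuarantinedFile, [string]$OriginalPath)
    Move-Item -LiteralPath $QuarantinedFile -Destination $OriginalPath -Force
}

function Test-PathHasReparsePoint {
    # Walk every existing prefix of the path; a junction, mount point or symlink anywhere
    # along it lets a standard user choose where a privileged write ends up.
    param([Parameter(Mandatory)][string]$Path)
    $current = $Path
    while (-not [string]::IsNullOrEmpty($current)) {
        if (Test-Path -LiteralPath $current) {
            $attrs = (Get-Item -LiteralPath $current -Force).Attributes
            if ($attrs -band [IO.FileAttributes]::ReparsePoint) { return $true }
        }
        $parent = Split-Path -LiteralPath $current -Parent
        if ($parent -eq $current) { break }
        $current = $parent
    }
    return $false
}

function Restore-FileSafely {
    param(
        [Parameter(Mandatory)][string]$QuarantinedFile,
        [Parameter(Mandatory)][string]$OriginalPath,
        [Parameter(Mandatory)][string]$AllowedRoot   # directory the item was originally removed from
    )
    if (-not [IO.Path]::IsPathRooted($OriginalPath)) { throw "refusing relative restore target '$OriginalPath'" }
    # Normalise first: '..' and '.' are collapsed so containment is checked on the path the filesystem will use.
    $target = [IO.Path]::GetFullPath($OriginalPath)
    $root   = [IO.Path]::GetFullPath($AllowedRoot).TrimEnd('\') + '\'
    if (-not $target.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) {
        throw "restore target '$target' escapes '$root'"
    }
    if (Test-PathHasReparsePoint -Path $target) {
        throw "reparse point on the way to '$target'; a user could have redirected it"
    }
    if (Test-Path -LiteralPath $target) {
        throw "'$target' already exists; a restore must not overwrite"
    }
    Move-Item -LiteralPath $QuarantinedFile -Destination $target
    return $target
}

# Demo on constructed temporary paths; no Defender involved.
$sandbox     = Join-Path ([IO.Path]::GetTempPath()) ('restore-demo-' + [guid]::NewGuid().ToString('N'))
$userDir     = New-Item -ItemType Directory -Path (Join-Path $sandbox 'UserData') -Force
$elsewhere   = New-Item -ItemType Directory -Path (Join-Path $sandbox 'Elsewhere') -Force
$quarantined = New-Item -ItemType File -Path (Join-Path $sandbox 'quarantined.bin') -Value 'sample' -Force
# A standard user swaps their own 'Downloads' folder for a junction pointing somewhere else.
$junction    = New-Item -ItemType Junction -Path (Join-Path $userDir 'Downloads') -Target $elsewhere.FullName
$recorded    = Join-Path $userDir 'Downloads\evil.bin'

try {
    Restore-FileSafely -QuarantinedFile $quarantined.FullName -OriginalPath $recorded -AllowedRoot $userDir.FullName
} catch {
    "Blocked: $($_.Exception.Message)"
}
# Restore-FileUnsafely with the same arguments would drop the file inside $elsewhere instead.

$junction.Delete()   # removes the junction itself without following it
Remove-Item -LiteralPath $sandbox -Recurse -Force
```

Two caveats a practitioner should keep in mind. Check-then-move is still a race: a user can swap a directory for a junction between the reparse-point walk and the move, so production code has to open the parent directory by handle (with the reparse-point-aware open flags) and perform handle-relative operations. Better still, a service restoring a file into a user's profile should impersonate that user for the write, so that a redirected path buys the attacker nothing they could not already do.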
The whole chain is that simple. The exploit does not need a kernel bug be[…]ackage through the staff-only door. The guard has the badge. You just picked the destination. (blog.qualys.com)

### Who is exposed?

Qualys says affected systems include Windows 10, Windows 11, and Windows Server 2019 and later where Microsoft Defender is present and active. Note the qualifier: a fleet inventory should capture whether Defender is the active engine or is sitting in passive mode behind a third-party product, not just whether it is installed. That makes the blast radius broad, because Defender is the default or embedded protection layer in a huge number of enterprise and consumer Windows environmen[…]s on Windows products before a patch exists, which fits the current state here. (blog.qualys.com)

### Why is this one awkward to fix operationally?

Because the vulnerable component is the security product itself. Teams normally wait for a vendor patch, deploy it, and move on. Here, Qualys' whole message is: don't wait. It published detection guidance tied to QID 92382 and pushed compensating controls because normal […] and watch telemetry closely." (blog.qualys.com)

### What should defenders do right now?

The short version is inventory, detect, mitigate, and monitor. Find Windows systems running the affected Defender path, prioritize exposed or high-risk endpoints, and apply compensating controls where possible. In Microsoft's own tooling, zero-days can be tracked in the Defender […]ll vendor fix. (blog.qualys.com)

### Bottom line

RedSun matters because it turns a defensive service into an escalation primitive. Once that happens, every low-privilege compromise gets a much cleaner route to full machine control. Until Microsoft ships a patch, this is a mitigation-and-monitoring problem, not a solved one. (blog.qualys.com)
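The inventory and monitoring steps above, as an added example that is neither Qualys's nor Microsoft's code: a PowerShell script that records the local Defender state a fleet inventory needs (running mode, platform and engine versions, tamper and cloud protection) and pulls the Defender operational events a remediation or quarantine-restore would leave behind. The event IDs are Microsoft Defender Antivirus's documented ones; the 72-hour window, the "sensitive location" pattern and the output shape are this script's own choices, and the filter is a triage heuristic, not a RedSun signature.

```powershell
# Added example, not Qualys or Microsoft code. Snapshots the local Defender installation and
# surfaces remediation/restore events worth a second look. Event IDs are Defender's documented
# ones; the time window, path pattern and output shape are this script's own assumptions.

function Get-DefenderExposureSnapshot {
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference
    $os     = Get-CimInstance -ClassName Win32_OperatingSystem
    [pscustomobject]@{
        Host               = $env:COMPUTERNAME
        OS                 = "$($os.Caption) build $($os.BuildNumber)"
        AMRunningMode      = $status.AMRunningMode            # Normal = Defender is the active AV; Passive/EDR Block = another product leads
        AntivirusEnabled   = $status.AntivirusEnabled
        RealTimeProtection = $status.RealTimeProtectionEnabled
        TamperProtected    = $status.IsTamperProtected
        PlatformVersion    = $status.AMProductVersion         # compare against the fixed version once Microsoft ships one
        EngineVersion      = $status.AMEngineVersion
        SignatureVersion   = $status.AntivirusSignatureVersion
        CloudProtection    = $pref.MAPSReporting              # 0 off, 1 basic, 2 advanced
        SubmitSamples      = $pref.SubmitSamplesConsent
    }
}

function Get-DefenderRemediationEvents {
    param([int]$Hours = 24)
    # 1006/1116 detection, 1007/1117 action taken, 1008/1118 action failed,
    # 1009 item restored from quarantine, 1010 restore failed, 1011 item deleted from quarantine.
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1006, 1007, 1008, 1009, 1010, 1011, 1116, 1117, 1118
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $msg = $_.Message
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Id      = $_.Id
            Summary = ($msg -split "`r?`n")[0]
            # The message body carries "Path:", "User:" and "Action:" lines; pull them out for triage.
            Path    = [regex]::Match($msg, 'Path:\s*(.+)').Groups[1].Value.Trim()
            User    = [regex]::Match($msg, 'User:\s*(.+)').Groups[1].Value.Trim()
            Action  = [regex]::Match($msg, 'Action:\s*(.+)').Groups[1].Value.Trim()
        }
    }
}

function Find-SuspiciousRemediations {
    param([int]$Hours = 72)
    # Heuristic, not a RedSun signature: a remediation or quarantine restore whose path lands in an
    # OS or program directory is the kind of SYSTEM-level write a redirected restore would produce.
    $sensitive = '(?i)^(file:_)?[A-Z]:\\(Windows|Program Files|Program Files \(x86\)|ProgramData)\\'
    Get-DefenderRemediationEvents -Hours $Hours |
        Where-Object { ($_.Id -in 1007, 1009, 1117) -and ($_.Path -match $sensitive) }
}

Get-DefenderExposureSnapshot | Format-List
Find-SuspiciousRemediations -Hours 72 | Format-Table Time, Id, User, Action, Path -AutoSize
```

Run it as an administrator so the operational log is readable in full; the snapshot object is what to ship to the inventory of record (or to match against QID 92382 results) per host, and the event output is the thing to alert on centrally, since a restore event landing under a system directory is rare enough in normal operation to be worth a human look.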

Shared from Scout.