Executive Summary
RedSun is an actively exploited, currently unpatched Windows Defender local privilege escalation (LPE) zero-day, publicly released on April 16, 2026 by a security researcher known as "Chaotic Eclipse." The vulnerability exploits a missing reparse point (NTFS junction) validation inside MpSvc.dll — the core Windows Defender Malware Protection Engine — allowing any unprivileged user to redirect a SYSTEM-context Defender file operation into C:\Windows\System32, achieving arbitrary file write and full SYSTEM-level code execution with near-100% reliability. No patch exists as of April 20, 2026; Microsoft April 2026 Patch Tuesday updates do not remediate this flaw. Organizations should treat this as a critical threat requiring immediate compensating controls.
1. What Is This Vulnerability?
RedSun is a logic flaw in the Windows Defender Malware Protection Engine (MsMpEng.exe / MpSvc.dll). It belongs to a class of vulnerabilities known as NTFS symlink/junction abuse combined with opportunistic lock (OPLOCK) timing tricks — both using entirely legitimate, documented Windows OS primitives.
Root Cause
When Windows Defender detects a file flagged as malicious via its cloud-protection (cloud-tagging) mechanism, it performs a file restoration write — writing the file back to its original detection path as part of its remediation workflow. The critical flaw is that this write operation, executed under SYSTEM privileges by MsMpEng.exe, does not validate whether the target path has been replaced with a reparse point (junction) between detection and write-back.
The vulnerable code path resides in MpSvc.dll, specifically in the handler that manages cloud-delivered file restoration after quarantine decisions.
Exploit Chain (Step by Step)
[Attacker — Standard User]
│
▼
1. Create a bait file in attacker-controlled temp directory.
Defender detects it as malicious → begins cloud-verification workflow.
│
▼
2. Register a Batch OPLOCK on the bait file path.
This freezes Defender mid-execution at a deterministic checkpoint —
just BEFORE the privileged file-write operation.
│
▼
3. While Defender is frozen:
- Delete the original temp directory.
- Create an NTFS junction point at the same path,
redirecting to C:\Windows\System32.
│
▼
4. Release the OPLOCK.
Defender resumes, follows the junction point,
and writes the "restored" file payload into System32
under full SYSTEM privileges.
│
▼
5. Payload (e.g., a malicious DLL or EXE) is now in System32.
Attacker triggers execution → SYSTEM shell.
Why OPLOCK Makes This Reliable
Traditional TOCTOU (Time-of-Check to Time-of-Use) races are probabilistic. RedSun uses a Batch OPLOCK as a deterministic pause: it holds Defender in a frozen state at the exact syscall boundary between path resolution and file write — turning a race condition into a controlled, sequential exploit with ~100% success rate.
Attack Vector
- Access required: Local unprivileged user account (standard user, no admin rights)
- Kernel exploit required: No
- UAC bypass required: No
- User interaction required: None (beyond running the exploit binary)
- Network access required: No
- Works on fully patched April 2026 systems: Yes
Real-World Impact
Threat intelligence firm Huntress documented hands-on-keyboard threat actor activity deploying RedSun in real-world intrusions starting April 16, 2026 — the same day the PoC was publicly released. RedSun is frequently paired with two companion exploits from the same researcher:
- BlueHammer (CVE-2026-33825) — patched in April 2026 Patch Tuesday
- UnDefend — unpatched; disrupts Defender's update mechanism to degrade protection over time
Together, this triple-exploit chain allows attackers to: (1) weaken Defender via UnDefend, (2) escalate to SYSTEM via RedSun, (3) read the SAM database and extract NTLM hashes, (4) take over local admin accounts, and (5) persist while restoring original hashes to avoid forensic detection.
2. Who Is Affected?
| Component | Affected? |
|---|---|
| Windows 10 (all editions, all patch levels) | ✅ Yes |
| Windows 11 (all editions, including 24H2) | ✅ Yes |
| Windows Server 2019 | ✅ Yes |
| Windows Server 2022 | ✅ Yes |
| Windows Server 2025 | ✅ Yes |
| Systems with cldapi.dll present | Required (present on all modern Windows) |
| Systems with Microsoft Defender Antivirus enabled | Required |
| Systems using third-party AV only (Defender disabled) | ❌ Not affected |
| Systems with April 2026 Patch Tuesday applied | ✅ Still vulnerable (patch does NOT fix RedSun) |
Scope: Essentially every modern Windows workstation and server with Defender enabled is vulnerable. This represents hundreds of millions of endpoints worldwide.
Privilege escalation path:
Standard User → SYSTEM
3. How to Detect It (Testing)
Manual Testing Steps
- Check whether Windows Defender is the active AV engine:
Get-MpComputerStatus | Select-Object -Property AMRunningMode, RealTimeProtectionEnabled, AntivirusEnabled
If AntivirusEnabled is True and AMRunningMode is Normal, the system uses Defender and is potentially at risk.
- Check for cldapi.dll presence (required attack component):
Test-Path "C:\Windows\System32\cldapi.dll"
A result of True confirms the Cloud Files API is present.
- Check for suspicious NTFS junction points in temp directories:
Get-ChildItem "$env:TEMP" -Force | Where-Object { $_.Attributes -match "ReparsePoint" }
Look for unexpected junction points targeting C:\Windows\System32.
- Audit MsMpEng.exe file write activity: enable Object Access auditing (see Monitoring section below) and watch for MsMpEng.exe writing files to System32 outside of update events.
- Check for exploit PoC signatures on disk:
# Hunt for known RedSun PoC file patterns
Get-ChildItem -Path C:\Users -Recurse -Include "redsun*","oplock*","junction_abuse*" -Force -ErrorAction SilentlyContinue
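The junction check above only looks at the current user's %TEMP%. The following added example (not from the original advisory) extends it to every profile's AppData tree and C:\Windows\Temp, resolves each reparse point's target, and flags targets under C:\Windows; the root list and flag prefix are assumptions to adjust for non-default profile locations.

```powershell
# Added example, not part of the original advisory: hunt user-writable locations for
# reparse points whose target resolves under C:\Windows (the staging pattern in step 3).
function Find-SuspiciousReparsePoints {
    param(
        # Assumed roots: each profile's AppData (contains Local\Temp) plus the system temp dir
        [string[]]$Roots = @(
            @(Get-ChildItem 'C:\Users' -Directory -ErrorAction SilentlyContinue |
                ForEach-Object { Join-Path $_.FullName 'AppData' }) +
            @('C:\Windows\Temp')
        ),
        # Any reparse point whose target starts with this prefix is reported as suspicious
        [string]$FlagPrefix = 'C:\Windows\'
    )
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        # -Attributes ReparsePoint keeps only junctions, symlinks and other reparse points;
        # -Force includes hidden entries that could be used to conceal a staging directory.
        Get-ChildItem -LiteralPath $root -Recurse -Force -Attributes ReparsePoint -ErrorAction SilentlyContinue |
            ForEach-Object {
                # Target/LinkType are exposed on FileSystemInfo by PowerShell 5.1+
                # (array in 5.1, string in 7); normalise and strip any \??\ NT prefix.
                $target = (@($_.Target) -join ';') -replace '^\\\?\?\\', ''
                [pscustomobject]@{
                    Path       = $_.FullName
                    LinkType   = $_.LinkType
                    Target     = $target
                    Suspicious = ($target -ne '' -and $target -like "$FlagPrefix*")
                }
            }
    }
}

# Report only the hits; an empty result means no staging junctions were found in the roots.
Find-SuspiciousReparsePoints | Where-Object Suspicious | Format-Table -AutoSize
```

Run it elevated so other users' profiles are readable; investigate any hit, since a legitimate junction from a user temp directory into C:\Windows has no normal business reason.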
Automated Scanning
Tool: Sysinternals Autoruns / Process Monitor (ProcMon)
- Filter by Process Name = MsMpEng.exe
- Filter by Operation = WriteFile
- Look for write targets in C:\Windows\System32 that are NOT under %ProgramData%\Microsoft\Windows Defender\*
- Any write to System32 by MsMpEng outside of a Defender definition update is highly suspicious.
Tool: Velociraptor (DFIR)
- Use the Windows.System.ReparsePoints artifact to enumerate all junction points system-wide
- Alert on reparse points in %TEMP% or %APPDATA% directories pointing to System32
Tool: Microsoft Defender for Endpoint (MDE) / Sentinel
- KQL query for detecting RedSun-like behavior:
DeviceFileEvents
| where InitiatingProcessFileName =~ "MsMpEng.exe"
| where FolderPath startswith @"C:\Windows\System32"
| where ActionType == "FileCreated" or ActionType == "FileModified"
| where not(FileName endswith ".vdm" or FileName endswith ".cld")
| project Timestamp, DeviceName, FileName, FolderPath, InitiatingProcessFileName
| order by Timestamp desc
Tool: Sysmon
- Event ID 11 (FileCreate) with Image: C:\ProgramData\Microsoft\Windows Defender\Platform\*\MsMpEng.exe and TargetFilename: C:\Windows\System32\*
- Event ID 6 (Driver load) immediately following a Defender file event — may indicate payload execution
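For hosts without MDE or a SIEM, the same Sysmon Event ID 11 logic can be run locally. This added example (not from the original advisory) pulls Sysmon FileCreate events, keeps those where MsMpEng.exe wrote under C:\Windows\System32, and drops the signature/catalog extensions the advisory treats as benign; the lookback window and extension allow-list are assumptions.

```powershell
# Added example, not part of the original advisory: local hunt over Sysmon Event ID 11
# for MsMpEng.exe creating files under System32 other than signature/catalog updates.
# Reading Microsoft-Windows-Sysmon/Operational requires an elevated prompt.
function Get-SuspiciousDefenderWrites {
    param(
        [datetime]$Since = (Get-Date).AddDays(-7),                 # assumed lookback window
        [string[]]$AllowedExtensions = @('.vdm', '.cld', '.cat'),  # routine Defender update artifacts
        [string]$TargetPrefix = 'C:\Windows\System32\'
    )
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 11; StartTime = $Since }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Sysmon stores fields as <Data Name="...">value</Data>; build a name->value map
        $xml = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        $image  = $d['Image']
        $target = $d['TargetFilename']
        if (-not $image -or -not $target) { continue }
        # Match on the image file name so any Platform\<version>\ directory is covered
        if ([IO.Path]::GetFileName($image) -ne 'MsMpEng.exe') { continue }
        if (-not $target.StartsWith($TargetPrefix, [StringComparison]::OrdinalIgnoreCase)) { continue }
        $ext = [IO.Path]::GetExtension($target).ToLowerInvariant()
        if ($AllowedExtensions -contains $ext) { continue }
        [pscustomobject]@{
            Time      = $e.TimeCreated
            ProcessId = $d['ProcessId']
            Image     = $image
            Target    = $target
        }
    }
}

# Newest first; any row here matches the advisory's "Critical alert" threshold
Get-SuspiciousDefenderWrites | Sort-Object Time -Descending | Format-Table -AutoSize
```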
Code Review Checklist
If you maintain software that integrates with Windows Defender APIs or AV scan paths:
- Verify your code does not create junction points in paths that AV engines scan
- Confirm temp file paths are properly isolated from system directories
- Audit any OPLOCK usage that could inadvertently create a race window with security software
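The root cause described in section 1 is a privileged write that trusts a path resolved earlier. The following added example (not from the original advisory, and not Defender's own code) shows the validation in PowerShell: before writing, re-walk every component of the target path for a reparse point and confirm the normalised path is still under the directory the component expects. Any check-then-write split across separate calls still leaves a window, so a native fix would keep the handle opened at check time and write through it rather than reopening by path; this function is for review and test harnesses.

```powershell
# Added example, not part of the original advisory: the pre-write validation that the
# vulnerable restore path lacks. Returns Safe=$true only if no directory (or the file
# itself) in the chain is a reparse point and the path stays beneath $AllowedRoot.
# Pass absolute paths: GetFullPath resolves against the process working directory.
function Test-SafeWritePath {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$AllowedRoot
    )
    $full     = [IO.Path]::GetFullPath($Path)
    $rootTrim = [IO.Path]::GetFullPath($AllowedRoot).TrimEnd('\')
    $rootFull = $rootTrim + '\'
    # Reject anything that escapes the allowed root after ..\ and similar are normalised
    if (-not $full.StartsWith($rootFull, [StringComparison]::OrdinalIgnoreCase)) {
        return [pscustomobject]@{ Safe = $false; Reason = "path resolves outside $AllowedRoot" }
    }
    # Walk from the target up to and including the allowed root itself: RedSun swaps the
    # root directory for a junction, so the root is the most important component to check.
    $cur = $full
    while ($cur -and $cur.Length -ge $rootTrim.Length) {
        if (Test-Path -LiteralPath $cur) {
            $item = Get-Item -LiteralPath $cur -Force
            if ($item.Attributes.HasFlag([IO.FileAttributes]::ReparsePoint)) {
                return [pscustomobject]@{ Safe = $false; Reason = "reparse point at $cur" }
            }
        }
        $cur = [IO.Path]::GetDirectoryName($cur)
    }
    return [pscustomobject]@{ Safe = $true; Reason = 'no reparse points in path chain' }
}

# Usage: the file a privileged component intends to write and the directory it must not escape
Test-SafeWritePath -Path "$env:TEMP\restored.bin" -AllowedRoot $env:TEMP
```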
4. How to Fix It (Mitigation)
⚠️ No official Microsoft patch exists as of April 20, 2026. The following are compensating controls and workarounds until a patch is released.
Step-by-Step Compensating Controls
Option A: Switch to a Third-Party Antivirus (Highest Efficacy)
- Deploy a non-Microsoft endpoint security solution (e.g., CrowdStrike Falcon, SentinelOne, ESET, Trend Micro)
- Once third-party AV is active and healthy, disable Windows Defender Antivirus:
# Via Group Policy (preferred for enterprise):
# Computer Configuration > Administrative Templates >
# Windows Components > Microsoft Defender Antivirus >
# Turn off Microsoft Defender Antivirus = Enabled
# Or via registry (requires admin; the policy key may not exist yet, so create it first):
New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Force | Out-Null
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" `
-Name "DisableAntiSpyware" -Value 1 -Type DWORD
- Verify Defender is inactive:
Get-MpComputerStatus | Select-Object AntivirusEnabled
# Expected: AntivirusEnabled : False
Option B: Disable Cloud-Delivered Protection (Reduces Attack Surface)
This does not fully eliminate the risk but removes the cloud-tagging trigger that initiates the vulnerable code path.
# Disable cloud protection via PowerShell (admin required):
Set-MpPreference -MAPSReporting Disabled
Set-MpPreference -SubmitSamplesConsent NeverSend
# Or via Group Policy:
# Computer Configuration > Administrative Templates >
# Windows Components > Microsoft Defender Antivirus > MAPS >
# Join Microsoft MAPS = Disabled
# Send file samples when further analysis is required = Never Send
Option C: Block OPLOCK Abuse via Attack Surface Reduction (ASR)
Enable ASR rules that can limit the behavior abused by RedSun:
# Block process creations from PSExec and WMI (reduces post-exploitation pivoting)
Add-MpPreference -AttackSurfaceReductionRules_Ids "d1e49aac-8f56-4280-b9ba-993a6d77406c" `
-AttackSurfaceReductionRules_Actions Enabled
# Block executable files from running unless they meet a prevalence criterion
Add-MpPreference -AttackSurfaceReductionRules_Ids "01443614-cd74-433a-b99e-2ecdc07bfc25" `
-AttackSurfaceReductionRules_Actions AuditMode
Option D: Restrict Junction Point Creation for Standard Users (Targeted Hardening)
Standard users should not need to create NTFS junction points or symbolic links. Revoke this privilege:
# Via Group Policy:
# Computer Configuration > Windows Settings > Security Settings >
# Local Policies > User Rights Assignment >
# "Create symbolic links" — remove "Users" group; leave only Administrators
Option E: Endpoint Detection + Rapid Response (Detection-First)
If disabling Defender is not an option, prioritize detection (see KQL/Sysmon queries above) and establish a rapid response playbook for any alert hits.
Configuration Hardening
# Harden file system permissions on System32 (belt-and-suspenders):
# Standard users should already lack write access, but audit this:
icacls C:\Windows\System32 /inheritance:d
icacls C:\Windows\System32 | findstr /i "users everyone"
# Expected: no write (W) or modify (M) rights for Users/Everyone
# Enable Windows Defender Tamper Protection (limits UnDefend companion exploit):
Set-MpPreference -EnableTamperProtection $true
# Note: This may still be bypassed by UnDefend, but raises the bar.
5. How to Test the Fix (Validation)
Regression Test Scenarios
- Scenario A: Verify cloud protection is disabled (if Option B applied)
(Get-MpPreference).MAPSReporting
# Expected: 0 (Disabled)
- Scenario B: Confirm standard users cannot create junction points
  - Log in as a standard user
  - Attempt: mklink /J C:\Temp\TestJunction C:\Windows\System32
  - Expected result: Access is denied.
- Scenario C: Confirm Defender is inactive (if Option A applied)
Get-MpComputerStatus | Select-Object AMRunningMode
# Expected: "Not running" or third-party AV shown
- Scenario D: Verify MDE/Sentinel alerts are firing on test behavior
  - Create a file in %TEMP% and create a junction from %TEMP%\testdir → C:\Windows\System32\testdir
  - Expected result: Alert fires in MDE/Sentinel within detection window
Security Test Cases
Test Case 1: PoC Execution Attempt
- Precondition: Compensating controls applied (Option A or B)
- Steps: Run the public RedSun PoC (in an isolated VM/sandbox)
- Expected Result: Exploit fails — either Defender is absent (Option A), or cloud-tag trigger doesn't fire (Option B), or junction creation is blocked (Option D)
Test Case 2: Junction Point Creation Block
- Precondition: "Create symbolic links" right removed from standard users
- Steps: Log in as a standard user; attempt mklink /J
- Expected Result: Operation denied
Test Case 3: OPLOCK + Junction Combo
- Precondition: ASR rules enabled (Option C)
- Steps: Run a script that acquires an OPLOCK on a temp file and creates a junction on release
- Expected Result: ASR audit/block event generated; no System32 file created
Automated Tests
# PowerShell Pester test — validate compensating controls
Describe "RedSun Compensating Controls" {
It "Cloud protection should be disabled" {
(Get-MpPreference).MAPSReporting | Should -Be 0
}
It "Users group lacks write, modify or full-control rights on System32" {
# icacls prints one ACE per line, e.g. BUILTIN\Users:(OI)(CI)(RX);
# any W, M or F right granted to Users is a finding
$result = icacls C:\Windows\System32 | Select-String "Users.*(W|M|F)"
$result | Should -BeNullOrEmpty
}
It "Defender Tamper Protection is enabled" {
(Get-MpComputerStatus).IsTamperProtected | Should -Be $true
}
It "Sysmon is running to feed MsMpEng file events to MDE/SIEM" {
# Event ID 11 collection depends on the Sysmon service; adjust the name if installed as Sysmon
(Get-Service Sysmon64 -ErrorAction SilentlyContinue).Status | Should -Be "Running"
}
}
6. Prevention & Hardening
Best Practices
- Monitor the Microsoft Security Response Center (MSRC) daily until an out-of-band patch for RedSun is released. Subscribe to MSRC alerts at https://msrc.microsoft.com/update-guide.
- Apply patches immediately when released. Given the active exploitation, treat any RedSun patch as P0/emergency deployment — bypass normal change management windows.
- Adopt a defense-in-depth posture. Relying solely on Windows Defender as your endpoint security layer is insufficient when Defender itself is the attack surface. Layer with EDR, network monitoring, and identity protection.
- Implement least privilege rigorously. Standard users should not have SeCreateSymbolicLinkPrivilege. Audit this across your estate by exporting the local security policy and checking who holds the right:
# Requires an elevated prompt
secedit /export /cfg "$env:TEMP\secpol.cfg" | Out-Null
Select-String -Path "$env:TEMP\secpol.cfg" -Pattern "SeCreateSymbolicLinkPrivilege"
# Expected: only *S-1-5-32-544 (Administrators); *S-1-5-32-545 (Users) should not appear
- Monitor for the UnDefend companion exploit (no CVE, also unpatched). It targets Defender's update mechanism — alert on unexpected changes to %ProgramData%\Microsoft\Windows Defender\Platform\ outside of sanctioned update windows.
- Threat hunt using the IOCs below before assuming your environment is clean.
Known Indicators of Compromise (IOCs)
| Type | Indicator | Notes |
|---|---|---|
| File path | C:\Windows\System32\ + unexpected new EXE/DLL | RedSun payload drop |
| Process | MsMpEng.exe spawning child processes outside Defender update paths | Post-exploitation |
| File attribute | Junction point in %TEMP% pointing to System32 | Exploit staging |
| Privilege | Standard user process running as SYSTEM unexpectedly | LPE success |
| Event | Sysmon ID 11 from MsMpEng.exe to System32\* (non-VDM) | Payload write |
Monitoring & Detection
Windows Event Forwarding (WEF) + Sysmon configuration:
<!-- sysmonconfig excerpt — detect RedSun file write behavior -->
<!-- Sysmon conditions do not expand "*", so match the image on its trailing path segment -->
<RuleGroup name="RedSun Detection" groupRelation="and">
<FileCreate onmatch="include">
<Image condition="end with">\MsMpEng.exe</Image>
<TargetFilename condition="begin with">C:\Windows\System32\</TargetFilename>
</FileCreate>
</RuleGroup>
<!-- Exclusions take precedence over inclusions: drop routine signature/catalog updates -->
<RuleGroup name="RedSun Exclusions" groupRelation="or">
<FileCreate onmatch="exclude">
<TargetFilename condition="end with">.vdm</TargetFilename>
<TargetFilename condition="end with">.cld</TargetFilename>
</FileCreate>
</RuleGroup>
Recommended alert thresholds:
- Any MsMpEng.exe file-write to System32 outside of .vdm, .cld, .cat extensions → Critical alert, immediate investigation
- Junction point creation by a non-admin process in %TEMP% pointing outside %TEMP% → High alert
- New executable in System32 not matching Windows Update or Defender update hash → Critical alert
References
- Vulnerability disclosure (Bleeping Computer): New Microsoft Defender "RedSun" zero-day PoC grants SYSTEM privileges
- Technical deep-dive (CloudSEK): RedSun: Windows 0day when Defender becomes the attacker
- Threat advisory (Blackswan Cybersecurity): RedSun Zero-Day Advisory, April 17, 2026
- Triple zero-day analysis (SOCRadar): BlueHammer, RedSun, and UnDefend: Three Windows Defender Zero-Days Exploited in the Wild
- CSA Research Note: Defender Triple Zero-Day: BlueHammer, RedSun, and UnDefend
- Picus Security breakdown (BlueHammer + RedSun): BlueHammer & RedSun: Windows Defender CVE-2026-33825 Zero-day Vulnerability Explained
- Active exploitation reporting (Cyderes): RedSun Zero-Day: When Defender Becomes the Delivery Mechanism
- Microsoft MSRC (BlueHammer patch, related family): https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33825
- CybersecurityNews coverage: Microsoft Defender 0-Day Vulnerability "RedSun" Enables Full SYSTEM Access