Just as the cybersecurity community began digesting the latest round of patches for the high-profile “BlueHammer” vulnerability, a new storm has appeared on the horizon. On April 16, 2026, the security researcher known as Chaotic Eclipse (operating on GitHub under the alias Nightmare-Eclipse) publicly disclosed a new zero-day vulnerability in Windows Defender dubbed “RedSun.”
The disclosure is being framed as a direct rebuttal to Microsoft’s recent fix for CVE-2026-33825, the privilege escalation flaw previously discovered by the same researcher.
RedSun is an unpatched Elevation of Privilege (EoP) vulnerability that targets the very heart of Windows’ built-in security suite. While antivirus software is traditionally designed to quarantine or delete threats, RedSun exploits a logic error that forces Windows Defender to act as a delivery mechanism for malicious payloads.
According to Chaotic Eclipse, the flaw allows an attacker to gain SYSTEM or elevated administrator permissions by manipulating how Defender handles specific file metadata.
“Now, normally I would just drop the PoC code and let people figure it out. But I can’t for this one, it’s way too funny,” the researcher wrote. “I think antimalware products are supposed to remove malicious files not be sure they are there, but that’s just me.”
The vulnerability hinges on a bizarre behavior within Windows Defender’s detection engine. When the antivirus identifies a file as malicious, it typically takes steps to neutralize it. However, the researcher discovered a specific condition involving “cloud tags” that triggers a catastrophic “rewrite” behavior.
As of today, the RedSun vulnerability remains unpatched. By releasing the Proof-of-Concept (PoC) code publicly on GitHub, Chaotic Eclipse has significantly upped the ante for Microsoft’s security teams.
This move follows the researcher’s private report of the earlier BlueHammer flaw, suggesting that the public release of RedSun is a response to how that patch was handled.
Microsoft has not yet issued a formal statement regarding the RedSun disclosure, but users are advised to monitor official security advisories closely for an emergency patch or mitigation strategy.