A newly disclosed vulnerability in Microsoft Defender allows a local attacker to escalate privileges to SYSTEM. The issue stems from how the antivirus handles cloud-tagged files, which can be manipulated so that Defender itself overwrites protected system files. A researcher has demonstrated a proof-of-concept exploit, dubbed "RedSun," showing that the weakness is practically abusable. The disclosure is particularly concerning because it came just days after Microsoft patched a separate high-severity issue in Windows Defender in April's Patch Tuesday [1]. That another vulnerability surfaced so quickly raises questions about the effectiveness of Microsoft's patching process. For security practitioners, the lesson is that critical security tooling needs continuous monitoring and testing even after patches are applied, so that newly introduced vulnerabilities are identified and addressed promptly.
Another Microsoft Defender privilege escalation bug emerges days after patch
⚡ High Priority
Why This Matters
Days after Microsoft patched a high-severity issue affecting its Windows Defender antivirus tool through April’s Patch Tuesday, researchers warn of another vulnerability that.
References
1. CSO Online. (2026, April 17). Caught, quarantined, re-installed: RedSun turns Microsoft Defender on itself. https://www.csoonline.com/article/4160275/caught-quarantined-re-installed-redsun-turns-microsoft-defender-on-itself.html
Original Source: CSO Online