Another Microsoft Defender Privilege Escalation Bug Emerges Days After Patch
Why It Matters
RedSun demonstrates that Microsoft Defender can be turned into an attack vector, exposing millions of Windows endpoints to SYSTEM‑level compromise. The vulnerability forces organizations to reassess reliance on a single antivirus solution and adopt layered endpoint defenses.
Key Takeaways
- RedSun exploits Defender’s cloud‑tag file rewrite to gain SYSTEM
- Affects Windows 10, 11, Server 2019+ with cloud files enabled
- Works reliably on systems with cldapi.dll after April 2026 updates
- Microsoft has not yet patched the RedSun vulnerability
- Highlights need for layered endpoint protection beyond Defender
Pulse Analysis
The emergence of RedSun underscores a troubling pattern of rapid, successive flaws in Microsoft Defender, the default antivirus on most Windows machines. Just days after Microsoft addressed CVE‑2026‑33825—a privilege‑escalation bug rated 7.8—researchers published a new proof‑of‑concept that manipulates the product’s cloud‑file remediation logic. By leveraging the Cloud Files API, oplocks, and Volume Shadow Copy race conditions, the exploit forces Defender to overwrite legitimate system binaries with malicious payloads, granting attackers full SYSTEM control on affected endpoints.
Technical analysis reveals that RedSun targets the rarely scrutinized path where Defender restores cloud‑tagged files. When a file flagged as malicious carries OneDrive metadata, Defender attempts to rewrite the original file rather than delete it. The exploit times this rewrite using directory junctions and reparse points, redirecting the write operation to critical system locations. Because the attack depends on cldapi.dll—a component present on any Windows installation with cloud file support—it bypasses many traditional security controls and works reliably across Windows 10, Windows 11, and Server 2019+ platforms updated through April 2026.
For enterprises, RedSun raises immediate operational concerns. Until Microsoft issues a patch, security teams should consider disabling Defender’s cloud‑file remediation feature or deploying complementary endpoint protection platforms that can detect and block the exploit’s behavior. Monitoring for unusual file‑write activity, especially involving cldapi.dll or shadow‑copy operations, can provide early warning. The incident also highlights the broader industry lesson: reliance on a single vendor’s security suite is risky, and a defense‑in‑depth strategy remains essential for protecting critical infrastructure.
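The monitoring advice above (watch for file writes tied to cldapi.dll loads and shadow‑copy activity, and for Defender remediation writes landing where they should not) can be turned into a small correlation rule. The block below is an added example written for this page, not code from Microsoft or from the RedSun researchers. It assumes Sysmon‑style events (1 = process create, 7 = image loaded, 11 = file create) flattened into pipe‑delimited lines, that Defender’s engine process is MsMpEng.exe, and a hypothetical allow‑list of processes expected to load cldapi.dll; the sample log lines and the process name stager.exe are constructed.

```python
"""Added example: correlate Sysmon-style events around Defender's
cloud-file remediation path. Field layout and allow-list are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Tuple


@dataclass
class Event:
    ts: datetime
    event_id: int   # Sysmon-style: 1 = process create, 7 = image loaded, 11 = file create
    process: str    # image name of the acting process
    user: str       # account the process runs as
    detail: str     # command line (1), loaded module (7) or target path (11)


# Assumption: processes that legitimately load the Cloud Files API on a
# typical endpoint. Tune this list to what your fleet actually shows.
TRUSTED_CLDAPI_LOADERS = {"onedrive.exe", "explorer.exe", "svchost.exe"}
# A remediation write should never land in these directories.
PROTECTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
DEFENDER_ENGINE = "msmpeng.exe"          # Defender antimalware service process
SYSTEM_ACCOUNT = "nt authority\\system"
CORRELATION_WINDOW = timedelta(minutes=5)


def parse_log(text: str) -> List[Event]:
    """Parse constructed lines of the form ts|event_id|process|user|detail."""
    events = []
    for line in text.strip().splitlines():
        ts, eid, proc, user, detail = line.split("|", 4)
        events.append(Event(datetime.fromisoformat(ts), int(eid), proc, user, detail))
    return sorted(events, key=lambda e: e.ts)


def detect(events: List[Event]) -> List[Tuple[str, Event]]:
    """Return (rule_name, event) pairs for events matching any rule."""
    alerts: List[Tuple[str, Event]] = []
    untrusted_loads: List[Event] = []
    for e in events:
        proc = e.process.lower()
        detail = e.detail.lower()
        # Rule 1: cldapi.dll loaded by a process outside the allow-list.
        if e.event_id == 7 and detail.endswith("\\cldapi.dll") and proc not in TRUSTED_CLDAPI_LOADERS:
            untrusted_loads.append(e)
            alerts.append(("cldapi_loaded_by_untrusted_process", e))
        # Rule 2: shadow-copy tooling invoked from a non-SYSTEM session.
        elif e.event_id == 1 and "vssadmin" in detail and e.user.lower() != SYSTEM_ACCOUNT:
            alerts.append(("shadow_copy_tooling_from_user_session", e))
        # Rule 3 (strongest signal): Defender's engine writes into a protected
        # directory shortly after an untrusted cldapi.dll load on the same host.
        elif e.event_id == 11 and proc == DEFENDER_ENGINE and detail.startswith(PROTECTED_DIRS):
            if any(e.ts - load.ts <= CORRELATION_WINDOW for load in untrusted_loads):
                alerts.append(("defender_remediation_write_in_protected_dir", e))
    return alerts


# Constructed sample: two benign events, then three that should fire.
SAMPLE_LOG = r"""
2026-04-20T09:00:00|7|OneDrive.exe|CORP\alice|C:\Windows\System32\cldapi.dll
2026-04-20T09:05:00|11|MsMpEng.exe|NT AUTHORITY\SYSTEM|C:\ProgramData\Microsoft\Windows Defender\Scans\History\x.bin
2026-04-20T10:00:00|7|stager.exe|CORP\alice|C:\Windows\System32\cldapi.dll
2026-04-20T10:00:05|1|stager.exe|CORP\alice|vssadmin.exe create shadow /for=C:
2026-04-20T10:00:30|11|MsMpEng.exe|NT AUTHORITY\SYSTEM|C:\Windows\System32\example.dll
"""

if __name__ == "__main__":
    for rule, ev in detect(parse_log(SAMPLE_LOG)):
        print(f"{ev.ts.isoformat()} {rule}: {ev.process} -> {ev.detail}")
```

Rule 3 is the one worth paging on: a Defender remediation write into System32 is not normal on its own, and following an untrusted cldapi.dll load it matches the rewrite‑redirection behaviour described above. Rules 1 and 2 on their own are noisy on some fleets, so treat them as enrichment rather than standalone alerts until the allow‑list is tuned.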