RedSun: System User Access on Win 11/10 and Server with the April 2026 Update
Why It Matters
The exploit turns a core security component into an attack vector, exposing millions of corporate endpoints to privilege‑escalation and data‑breach risks, prompting urgent remediation from Microsoft and IT teams.
Key Takeaways
- Defender rewrites cloud‑tagged files, enabling system file overwrite
- Exploit grants admin rights on Windows 10, 11, Server 2022
- Vulnerability present in April 2026 Update, affecting enterprise fleets
- Attack bypasses traditional antimalware removal, persisting silently
- Microsoft urged to release emergency patch and revise Defender logic
Pulse Analysis
The RedSun vulnerability stems from an unexpected interaction between Windows Defender’s cloud‑tag feature and the operating system’s file‑write mechanisms. When Defender identifies a file marked with a cloud tag, it attempts to restore the original version from Microsoft’s cloud cache. The proof‑of‑concept (PoC) exploit manipulates this process, forcing Defender to rewrite a malicious payload into a protected system directory, effectively replacing trusted binaries and elevating the attacker to SYSTEM level. This behavior contradicts the intended role of antimalware software, which should quarantine or delete threats rather than re‑introduce them.
For enterprises, the impact is profound. Windows 10, Windows 11, and Server 2022 dominate corporate environments, and the April 2026 Update is already being rolled out across large fleets. A privilege‑escalation vector that leverages built‑in security tools can bypass traditional defenses, allowing silent persistence and lateral movement. Similar high‑profile flaws—such as PrintNightmare and the 2020 Windows Kernel Elevation of Privilege bug—demonstrated how core OS components can become attack surfaces, forcing organizations to reassess patch management and endpoint protection strategies.
Mitigation now hinges on rapid patch deployment and temporary workarounds. Microsoft has been urged to issue an emergency update that disables the automatic rewrite of cloud‑tagged files or adds stricter validation before restoration. In the interim, security teams should monitor Defender logs for anomalous file‑write events, enforce application whitelisting, and consider supplemental endpoint detection and response (EDR) solutions that can flag unexpected system‑file modifications. The RedSun case underscores the necessity of layered security and continuous monitoring, reminding IT leaders that even protective technologies can be weaponized if not rigorously vetted.
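The interim advice above comes down to noticing when a protected system directory changes in a way no patch or installer explains. The following file‑integrity baseline check is an added example written for this page; it is not code from the article, from Microsoft, or from the RedSun PoC, and it does not parse Defender's own logs (whose format the article does not describe). It hashes every file under a directory once, then reports files that were added, removed or modified since that baseline. The directory layout, file names and contents in `demo()` are constructed sample data standing in for a real system directory.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """Return the SHA-256 hex digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its hash."""
    baseline = {}
    for entry in sorted(root.rglob("*")):
        if entry.is_file():
            baseline[entry.relative_to(root).as_posix()] = hash_file(entry)
    return baseline


def compare_to_baseline(root: Path, baseline: dict) -> dict:
    """Re-scan root and classify each difference against the saved baseline."""
    current = build_baseline(root)
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        name for name in baseline
        if name in current and current[name] != baseline[name]
    )
    return {"added": added, "removed": removed, "modified": modified}


def format_alerts(diff: dict) -> list:
    """Turn a diff into one alert line per unexpected change, for an EDR/SIEM feed."""
    alerts = []
    for kind in ("modified", "added", "removed"):
        for name in diff[kind]:
            alerts.append(f"ALERT system-file {kind}: {name}")
    return alerts


def demo() -> dict:
    """Constructed scenario: baseline a fake system directory, then alter it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "drivers").mkdir()
        # Constructed sample files; names only resemble real system files.
        (root / "kernel32.dll").write_bytes(b"trusted binary A")
        (root / "drivers" / "disk.sys").write_bytes(b"trusted driver B")
        baseline = build_baseline(root)

        # Simulate an unexpected overwrite of a trusted binary and a new drop-in.
        (root / "kernel32.dll").write_bytes(b"unexpected replacement content")
        (root / "unexpected.dll").write_bytes(b"file not present at baseline")

        diff = compare_to_baseline(root, baseline)
        for line in format_alerts(diff):
            print(line)
        return diff


if __name__ == "__main__":
    demo()
```

In practice the baseline would be taken immediately after a verified patch cycle and stored off‑host, so that an attacker who gains SYSTEM cannot rewrite it alongside the binaries; each re‑scan then runs on a schedule, and the alert lines feed whatever EDR or SIEM pipeline the team already uses for system‑file modification events.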