Zero-Day Local Privilege Escalation Exploit

April 21, 2026, 9:27 a.m.

Description

RedSun.exe is a publicly available proof-of-concept exploit targeting a zero-day vulnerability in Microsoft Defender that enables local privilege escalation from a standard user account to SYSTEM-level access on Windows systems. The exploit leverages flawed Defender remediation logic for cloud-tagged malicious files, combined with filesystem primitives that redirect Defender's high-privilege file operations to attacker-chosen paths. This allows attackers to plant malicious binaries in protected system locations such as C:\Windows\System32, achieving arbitrary code execution as SYSTEM without requiring administrator privileges or a kernel exploit. The technique is reliable, actively weaponized, and potentially unpatched in some environments, making it a critical post-exploitation tool for persistence, lateral movement, and defense evasion. Organizations should implement rapid patching, enforce least-privilege principles, and deploy behavior-based detection for suspicious Defender-related file operations and privilege escalation attempts.

Date

  • Created: April 21, 2026, 8:48 a.m.
  • Published: April 21, 2026, 8:48 a.m.
  • Modified: April 21, 2026, 9:27 a.m.

Indicators

  • 57a70c383feb9af60b64ab6768a1ca1b3f7394b8c5ffdbfafc8e988d63935120

Attack Patterns