RedSun: Defender zero-day grants SYSTEM access on Windows

TL;DR Summary
A newly disclosed zero-day in Microsoft Defender, dubbed RedSun, lets an unprivileged user escalate to SYSTEM on patched Windows 10/11 and Windows Server 2019+ by abusing Defender’s cloud file handling. The attack rewrites a malicious file back to a system path via cldapi.dll and oplocks, overwriting a system binary in System32 (e.g., TieringEngineService.exe) and gaining full code execution as SYSTEM. CVE-2026-33825 carries a CVSS of 7.8; there is currently no patch. Security teams should monitor Defender file-write activity to System32, look for cldapi.dll-issued redirects, and apply endpoint detection until Microsoft issues a fix.
Topics: technology, cve-2026-33825, cyber-security-news, microsoft-defender, privilege-escalation, windows, zero-day
- Microsoft Defender 0-Day Vulnerability “RedSun” Enables Full SYSTEM Access CyberSecurityNews
- Three Microsoft Defender Zero-Days Actively Exploited; Two Still Unpatched The Hacker News
- Recently leaked Windows zero-days now exploited in attacks BleepingComputer
- From the BlueHammer author: New Windows zero-day grants admin rights heise online
- RedSun: Windows 0day when Defender becomes the attacker CloudSEK