Zero‑Day LPE in Microsoft Defender “RedSun” Grants SYSTEM Privileges on Patched Windows 10/11 and Server
What Happened – A researcher released a proof‑of‑concept exploit named “RedSun” that abuses a local‑privilege‑escalation flaw in Microsoft Defender. The bug lets an attacker overwrite system files via the Cloud Files API and gain full SYSTEM rights on Windows 10, Windows 11, and Windows Server 2019+ even after the latest Patch Tuesday updates.
Why It Matters for TPRM –
- The vulnerability resides in a core security product (Microsoft Defender) that many third‑party vendors embed in their services.
- Successful exploitation provides attackers with unrestricted control over the host, enabling further lateral movement into connected supply‑chain environments.
- The exploit is publicly available, raising the risk of opportunistic attacks against any organization that relies on the affected Defender version.
Who Is Affected – Enterprises across all sectors that run Windows 10/11 or Windows Server 2019+ with Microsoft Defender enabled; particularly SaaS providers, MSPs, and cloud‑hosting services that ship the OS as part of their offering.
Recommended Actions –
- Verify that all Windows endpoints run the latest Defender updates and monitor Microsoft security advisories for a forthcoming patch.
- Deploy compensating controls: restrict Cloud Files API usage, enforce application whitelisting, and monitor for unexpected creation of TieringEngineService.exe.
- Review third‑party contracts that include Microsoft Defender as a security control; ensure vendors have a rapid patch‑management process.
Technical Notes – The exploit leverages the Cloud Files API to write an EICAR test file, triggers an oplock race on a volume shadow copy, and redirects the rewrite to C:\Windows\system32\TieringEngineService.exe. The malicious binary then executes as SYSTEM. No CVE number has been assigned yet; the flaw is tracked internally as “RedSun”. Source: BleepingComputer
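The monitoring action recommended above (unexpected creation of TieringEngineService.exe) and the chain in the Technical Notes (an EICAR write, then a redirected rewrite of the binary) can be combined into a simple two-signal correlation for a SIEM or log pipeline. The following Python is an added example written for this summary, not code from the advisory, the researcher, or BleepingComputer. The one-record-per-line log format, the sample host paths, the servicing-process allowlist and the 120-second window are assumptions made for the example.

```python
"""Correlate two host signals that the advisory describes: a Defender
detection of the EICAR test file, followed shortly by a file-creation
event on the binary path the PoC overwrites. Event shapes below are
constructed and simplified for this example (one key=value record per
line); they are not a real Sysmon or Defender export."""
from datetime import datetime, timedelta
import re

# Overwrite target named in the advisory, compared case-insensitively.
TARGET_PATH = r"c:\windows\system32\tieringengineservice.exe"

# Assumption for this example: only the Windows servicing stack is expected
# to (re)write that binary. Defender's own engine is deliberately NOT listed,
# because the described technique makes Defender perform the write.
SERVICING_IMAGES = frozenset({"tiworker.exe", "trustedinstaller.exe"})

# Defender threat name for the EICAR test file (Defender operational log,
# event 1116 = malware or unwanted software detected).
EICAR_THREAT = "Virus:DOS/EICAR_Test_File"

_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Parse '<iso-timestamp> key=value key="quoted value" ...' into a dict."""
    ts, _, rest = line.strip().partition(" ")
    rec = {"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for key, quoted, bare in _KV.findall(rest):
        rec[key] = quoted if quoted else bare
    return rec


def _basename(path):
    """Lower-cased final component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def find_suspicious_writes(log_text, window_seconds=120):
    """Return one alert per unexpected creation of the target binary.

    Severity is 'high' when a Defender EICAR detection (event 1116) occurred
    within window_seconds before the write, which matches the first stage of
    the chain the advisory describes; otherwise 'medium'.
    """
    records = [parse_line(ln) for ln in log_text.splitlines() if ln.strip()]
    records.sort(key=lambda r: r["time"])
    window = timedelta(seconds=window_seconds)
    eicar_times = [r["time"] for r in records
                   if r.get("source") == "Defender" and r.get("event_id") == "1116"
                   and r.get("threat") == EICAR_THREAT]
    alerts = []
    for r in records:
        if r.get("source") != "Sysmon" or r.get("event_id") != "11":
            continue  # only Sysmon FileCreate events matter here
        if r.get("target", "").lower() != TARGET_PATH:
            continue
        image = _basename(r.get("image", ""))
        if image in SERVICING_IMAGES:
            continue  # expected servicing-stack write (assumption above)
        precursor = any(r["time"] - window <= t <= r["time"] for t in eicar_times)
        alerts.append({
            "time": r["time"].isoformat(),
            "image": image,
            "target": r["target"],
            "eicar_precursor": precursor,
            "severity": "high" if precursor else "medium",
        })
    return alerts


# Constructed sample log: one benign servicing write, one EICAR detection
# followed by a write from a non-servicing process, one unrelated file, and
# one write of the target with no EICAR precursor. Paths are placeholders.
SAMPLE_LOG = r"""
2024-05-01T09:00:00Z source=Sysmon event_id=11 image="C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack\TiWorker.exe" target="C:\Windows\System32\TieringEngineService.exe"
2024-05-01T10:00:00Z source=Defender event_id=1116 threat="Virus:DOS/EICAR_Test_File" path="C:\Users\alice\sync\eicar.com"
2024-05-01T10:00:07Z source=Sysmon event_id=11 image="C:\ProgramData\Microsoft\Windows Defender\Platform\placeholder\MsMpEng.exe" target="C:\Windows\System32\TieringEngineService.exe"
2024-05-01T10:05:00Z source=Sysmon event_id=11 image="C:\Windows\System32\notepad.exe" target="C:\Users\bob\notes.txt"
2024-05-01T11:30:00Z source=Sysmon event_id=11 image="C:\Users\bob\tool.exe" target="C:\Windows\System32\TieringEngineService.exe"
"""

if __name__ == "__main__":
    for alert in find_suspicious_writes(SAMPLE_LOG):
        print(alert)
```

Two design points follow from the advisory text. First, the Defender engine process must not be allowlisted for this path: the described chain makes Defender itself perform the redirected rewrite, so a rule that trusts Defender's image would miss exactly the event it is meant to catch. Second, a write with no EICAR precursor is still raised at medium severity, since the PoC could be varied and the binary should only ever change through servicing. On a live host, checking the Authenticode signature of the file (for example with PowerShell's `Get-AuthenticodeSignature`) against the expected Microsoft signer is a complementary, point-in-time check.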