← Back to all articles
Business CyberSecurity

RedSun: The Windows Vulnerability That Turns Defender Against You

On 15 April 2026, a security researcher published working exploit code on GitHub. The target was Microsoft Defender, the built-in antivirus running on every Windows machine in the country. The exploit, named RedSun, lets any standard user account on a Windows computer gain full administrative control of the machine. No admin rights needed. No phishing link. No malware download. Just already being logged in.

As of today, Microsoft has not released a patch. There is nothing in Windows Update that addresses this. If you are running Windows 10 or Windows 11 with Defender enabled, the vulnerability is present on your system right now.

What is RedSun?

RedSun is a local privilege escalation (LPE) vulnerability. That term means an attacker who already has limited access to a machine can use it to gain full control. “Limited access” means a standard user account with no special permissions. The kind of account a receptionist or junior staff member might use.

The vulnerability affects Windows 10 (Microsoft ended support in October 2025 — if it’s still running in your environment, RedSun is the least of your concerns), Windows 11, and Windows Server 2019 and later, on any machine where Microsoft Defender real-time protection is running. Since Defender is on by default and most businesses leave it enabled, the exposure is essentially universal.

What causes it?

Defender has a logic flaw in how it handles files tagged with a cloud marker via the Windows Cloud Files API. These are the placeholder files you see in OneDrive, where a file icon appears in File Explorer but the actual content has not been downloaded yet.

When Defender detects a threat in one of these cloud-tagged files, instead of simply deleting or quarantining it, it tries to restore the file to its original location. That restore operation runs with full NT AUTHORITY\SYSTEM privileges. The critical failure: it does not check whether the destination path has been tampered with.

An attacker exploits this by placing a specially crafted file and using a sequence of built-in Windows features:

The result: Defender, running as SYSTEM, writes the attacker’s file directly into C:\Windows\System32. Specifically it replaces a legitimate system binary called TieringEngineService.exe. Windows then executes that binary automatically, and the attacker has full SYSTEM-level control of the machine.

The exploit has a reported success rate of close to 100% on fully patched systems. It requires no internet connection. It takes seconds.

Has Microsoft fixed it?

No. At the time of writing (May 2026), Microsoft has not released a patch for RedSun. There is no CVE number assigned to it. There is nothing in Windows Update that addresses this vulnerability.

A related vulnerability, BlueHammer (CVE-2026-33825), was patched in the April 2026 Patch Tuesday update. That patch does not cover RedSun. RedSun was published by the same researcher ten days after BlueHammer and takes a different route to the same outcome.

The exploit code is publicly available on GitHub. Security researchers have confirmed it works. It has been exploited in real attacks, confirmed by managed detection firms including Huntress from 16 April 2026 onwards.

Check back here for updates. When Microsoft publishes a patch, it will appear in the Microsoft Security Response Center. Until then, the registry workaround below is the recommended line of defence.

The workaround: disabling the Cloud Files Mini Filter driver

The workaround disables the Cloud Files Mini Filter driver (CldFlt), the Windows component that makes cloud file placeholders work. Without this driver loaded, Defender cannot perform the cloud-tagged file restore operation that RedSun abuses. The exploit chain breaks at the first step.

This must be run from an elevated (Administrator) PowerShell session. Right-click the Start button, choose Windows PowerShell (Admin) or Terminal (Admin), and confirm the UAC prompt.

Step 1: Check the current state of the driver

Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\CldFlt" -Name Start

A value of 2 means the driver loads automatically. A value of 3 means on demand. A value of 4 means disabled. You want 4.

Step 2: Disable the driver

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\CldFlt" -Name "Start" -Value 4

Step 3: Restart the machine

Restart-Computer

Step 4: Verify after restart

Get-Service -Name CldFlt | Select-Object Name, Status, StartType

StartType should report Disabled. If it does, the workaround is active and the machine is protected.

To reverse the workaround once Microsoft releases a patch:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\CldFlt" -Name "Start" -Value 2
Restart-Computer

What breaks when you apply this workaround?

OneDrive Files On-Demand

This is the main thing affected. OneDrive Files On-Demand lets you see all your OneDrive files in File Explorer without storing them locally. Files appear as placeholder icons with a cloud symbol and download when you click them.

Disabling CldFlt stops this working. Placeholder files will still appear in File Explorer but they cannot be downloaded on demand. Clicking a file that has not already been synced locally will fail to open.

Files that are already synced and stored locally are not affected. They continue to open and work normally.

If your business uses OneDrive in full sync mode (all files downloaded to the device), you will not notice a difference. If you rely on Files On-Demand, switch OneDrive to “Always keep on this device” for critical folders before applying the workaround.

Other cloud sync tools

Any application using the Windows Cloud Files API for placeholder files is affected in the same way. This includes Dropbox Smart Sync, Box Drive, and SharePoint/Teams desktop sync. Already-downloaded files work fine. Placeholder-only files cannot be opened until fully synced.

Everything else

Most business software is unaffected. The workaround does not disable OneDrive itself, and does not affect file sharing, mapped drives, email, or any other application. It only removes the cloud placeholder mechanism that the exploit depends on.

What is the risk of doing nothing?

If RedSun is left unmitigated, any user who can log in locally can take full control of the machine. In practice that means:

RedSun is also being used alongside a tool called UnDefend, which silently prevents Defender from receiving signature updates while reporting a clean status to management consoles. The combination gives an attacker a path to SYSTEM, neutralises your antivirus, and leaves an open runway for whatever comes next. The first indication is often encrypted files or a ransom demand.

This is not theoretical. Active exploitation was confirmed from 16 April 2026. Ransomware groups routinely incorporate public exploit code within days of release. That window has already closed.

What if I use a different antivirus?

If you are running a third-party antivirus product (Sophos, ESET, Bitdefender, Kaspersky, and similar) with Microsoft Defender’s real-time protection disabled, you are not directly vulnerable to RedSun in the same way. The exploit specifically requires Defender’s real-time scanner to detect the crafted file and trigger its remediation logic. Without that trigger, the attack chain cannot complete.

However, there are three caveats worth understanding before assuming you are safe:

To check whether Defender’s real-time protection is currently active on a machine, run the following in an elevated PowerShell session:

Get-MpComputerStatus | Select-Object RealTimeProtectionEnabled, AMRunningMode

If RealTimeProtectionEnabled returns True, Defender is active and the machine is vulnerable without the workaround in place. If it returns False and AMRunningMode shows Passive or Not running, your third-party AV is handling real-time protection and the direct risk is reduced, though the workaround is still recommended.

What should you do right now?

If you manage your own machines, apply the registry workaround above to every Windows 10 and Windows 11 device in your business today. Make sure Windows is fully up to date (the April 2026 Patch Tuesday update covers the related BlueHammer vulnerability). Monitor the Microsoft Security Response Center for a dedicated RedSun patch.

If your IT is managed by someone else, contact them and ask directly: have they applied the CldFlt workaround to your machines? If they are not familiar with RedSun, that is worth taking seriously.

If you are a business in Hertfordshire and you are not sure whether your devices are protected, get in touch. This is exactly the kind of thing we deal with for our clients, and right now there are businesses running exposed machines with no idea the door is open.

← Back to all articles
Verified by MonsterInsights