Share
## https://sploitus.com/exploit?id=87D78FFE-762A-5C1B-87C3-DA181DF533E8
# ๐Ÿ›ก๏ธ CVE-2026-41091 - RedSun




**Microsoft Defender Elevation of Privilege Vulnerability**

![Severity](https://img.shields.io/badge/Severity-High-critical?style=flat-square) 
![CVSS](https://img.shields.io/badge/CVSS-7.8-red?style=flat-square) 
![Status](https://img.shields.io/badge/Status-Patched-success?style=flat-square) 
![Exploited](https://img.shields.io/badge/Exploited%20in%20the%20Wild-Yes-important?style=flat-square)



**RedSun** is a local privilege escalation (LPE) technique (and associated PoC) abusing a link-following vulnerability in Microsoft Defender's Malware Protection Engine. It allows a low-privileged authenticated attacker to achieve **SYSTEM** privileges by tricking Defender's remediation and cloud file rollback mechanisms into writing attacker-controlled files to protected directories (e.g., `C:\Windows\System32`).

---

## ๐Ÿ“‹ Overview

- **CVE ID**: CVE-2026-41091
- **Vulnerability Type**: Improper Link Resolution Before File Access (CWE-59 - Link Following)
- **Affected Component**: Microsoft Malware Protection Engine
- **Root Cause**: Defender fails to properly resolve links/junctions during cloud-tagged file remediation/rollback, allowing redirection of privileged writes.
- **Impact**: Local authenticated attacker can escalate from standard user to **SYSTEM** privileges.
- **Public PoC**: Released by security researcher **Nightmare-Eclipse** (part of a series including BlueHammer and UnDefend).

> **"When Windows Defender realizes that a malicious file has a cloud tag... the antivirus decides that it is a good idea to just rewrite the file... The PoC abuses this behaviour to overwrite system files."** โ€” Nightmare-Eclipse

---

## ๐Ÿ› ๏ธ Technical Details

RedSun leverages Defender's handling of **Cloud Files API**, oplocks, directory junctions, and remediation paths (especially in `TieringEngineService.exe` / real-time scan cleanup). 

By placing a malicious file with cloud attributes and manipulating paths (junctions/symlinks), the exploit causes Defender (running as SYSTEM) to restore/rewrite the file into a privileged location, enabling arbitrary file write โ†’ code execution as SYSTEM.

**Key Techniques**:
- Cloud file tagging and rollback
- Directory junctions / reparse points
- Race conditions (TOCTOU-like behavior)
- Hijacking of privileged Defender services

---

## ๐Ÿ“Š Vulnerability Metrics

| Metric              | Value                          |
|---------------------|--------------------------------|
| **CVSS v3.1 Score** | **7.8 (High)**                 |
| Vector              | AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| CWE                 | CWE-59 (Link Following)        |
| Affected Engine     | โ‰ค 1.1.26030.3008               |
| Fixed Engine        | **1.1.26040.8**                |
| Fixed Platform      | 4.18.26040.7                   |
| Known Exploited     | Yes (CISA KEV - May 20, 2026)  |

---

## ๐Ÿ—“๏ธ Timeline

- **~April 15-16, 2026**: RedSun PoC publicly released by Nightmare-Eclipse on GitHub (`Nightmare-Eclipse/RedSun`).
- **April 2026**: Related BlueHammer (CVE-2026-33825) patched.
- **May 19-20, 2026**: Microsoft releases patches for CVE-2026-41091 (RedSun) and related issues.
- **May 20, 2026**: CISA adds to Known Exploited Vulnerabilities (KEV) catalog.
- **May 21, 2026**: Widespread public reporting.

---

## โœ… Mitigation & Patch

**Update immediately** โ€” the vulnerability is **actively exploited**.

### How to Verify & Update

```powershell
# Check current Defender engine version
Get-MpComputerStatus | Select-Object AMEngineVersion, AMProductVersion

# Force update
Update-MpEngine
```

- **Recommended versions**:
  - Malware Protection Engine: **1.1.26040.8** or newer
  - Antimalware Platform: **4.18.26040.7** or newer

**Additional Recommendations**:
- Enable real-time protection and automatic updates.
- Monitor for suspicious activity in `C:\Windows\System32`, Defender remediation logs, and unusual `TieringEngineService.exe` behavior.
- Apply Windows Update / Defender signature updates.

---

## ๐Ÿงช Exploitation

**Requirements**:
- Low-privileged local account
- Defender real-time protection enabled

**Impact**:
- Full SYSTEM access
- Potential for persistence, credential dumping, disabling defenses, etc.

**Public PoC Repository**: [0xBlackash/RedSun](https://github.com/0xBlackash/CVE-2026-41091)

> **โš ๏ธ Note**: This is for educational and defensive purposes only. Test in isolated environments.

---

## ๐Ÿ”— References

- [Microsoft Security Advisory](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-41091)
- [NVD Entry](https://nvd.nist.gov/vuln/detail/CVE-2026-41091)
- [CISA KEV Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)
- Related: BlueHammer (CVE-2026-33825) and UnDefend

---

## ๐Ÿ‘ Credits

- Microsoft Security Response Center (MSRC)
- Security researchers and vendors who analyzed and reported in-the-wild activity (Huntress, Fabian Bader, etc.)

---

**Made with โค๏ธ for the security community**

*Last Updated: May 21, 2026*
```

Copy and paste this directly into a `README.md` file. It includes badges, tables, code blocks, emojis, and clear sections for maximum GitHub aesthetics and readability.