## https://sploitus.com/exploit?id=87D78FFE-762A-5C1B-87C3-DA181DF533E8
# ๐ก๏ธ CVE-2026-41091 - RedSun
**Microsoft Defender Elevation of Privilege Vulnerability**




**RedSun** is a local privilege escalation (LPE) technique (and associated PoC) abusing a link-following vulnerability in Microsoft Defender's Malware Protection Engine. It allows a low-privileged authenticated attacker to achieve **SYSTEM** privileges by tricking Defender's remediation and cloud file rollback mechanisms into writing attacker-controlled files to protected directories (e.g., `C:\Windows\System32`).
---
## ๐ Overview
- **CVE ID**: CVE-2026-41091
- **Vulnerability Type**: Improper Link Resolution Before File Access (CWE-59 - Link Following)
- **Affected Component**: Microsoft Malware Protection Engine
- **Root Cause**: Defender fails to properly resolve links/junctions during cloud-tagged file remediation/rollback, allowing redirection of privileged writes.
- **Impact**: Local authenticated attacker can escalate from standard user to **SYSTEM** privileges.
- **Public PoC**: Released by security researcher **Nightmare-Eclipse** (part of a series including BlueHammer and UnDefend).
> **"When Windows Defender realizes that a malicious file has a cloud tag... the antivirus decides that it is a good idea to just rewrite the file... The PoC abuses this behaviour to overwrite system files."** โ Nightmare-Eclipse
---
## ๐ ๏ธ Technical Details
RedSun leverages Defender's handling of **Cloud Files API**, oplocks, directory junctions, and remediation paths (especially in `TieringEngineService.exe` / real-time scan cleanup).
By placing a malicious file with cloud attributes and manipulating paths (junctions/symlinks), the exploit causes Defender (running as SYSTEM) to restore/rewrite the file into a privileged location, enabling arbitrary file write โ code execution as SYSTEM.
**Key Techniques**:
- Cloud file tagging and rollback
- Directory junctions / reparse points
- Race conditions (TOCTOU-like behavior)
- Hijacking of privileged Defender services
---
## ๐ Vulnerability Metrics
| Metric | Value |
|---------------------|--------------------------------|
| **CVSS v3.1 Score** | **7.8 (High)** |
| Vector | AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| CWE | CWE-59 (Link Following) |
| Affected Engine | โค 1.1.26030.3008 |
| Fixed Engine | **1.1.26040.8** |
| Fixed Platform | 4.18.26040.7 |
| Known Exploited | Yes (CISA KEV - May 20, 2026) |
---
## ๐๏ธ Timeline
- **~April 15-16, 2026**: RedSun PoC publicly released by Nightmare-Eclipse on GitHub (`Nightmare-Eclipse/RedSun`).
- **April 2026**: Related BlueHammer (CVE-2026-33825) patched.
- **May 19-20, 2026**: Microsoft releases patches for CVE-2026-41091 (RedSun) and related issues.
- **May 20, 2026**: CISA adds to Known Exploited Vulnerabilities (KEV) catalog.
- **May 21, 2026**: Widespread public reporting.
---
## โ Mitigation & Patch
**Update immediately** โ the vulnerability is **actively exploited**.
### How to Verify & Update
```powershell
# Check current Defender engine version
Get-MpComputerStatus | Select-Object AMEngineVersion, AMProductVersion
# Force update
Update-MpEngine
```
- **Recommended versions**:
- Malware Protection Engine: **1.1.26040.8** or newer
- Antimalware Platform: **4.18.26040.7** or newer
**Additional Recommendations**:
- Enable real-time protection and automatic updates.
- Monitor for suspicious activity in `C:\Windows\System32`, Defender remediation logs, and unusual `TieringEngineService.exe` behavior.
- Apply Windows Update / Defender signature updates.
---
## ๐งช Exploitation
**Requirements**:
- Low-privileged local account
- Defender real-time protection enabled
**Impact**:
- Full SYSTEM access
- Potential for persistence, credential dumping, disabling defenses, etc.
**Public PoC Repository**: [0xBlackash/RedSun](https://github.com/0xBlackash/CVE-2026-41091)
> **โ ๏ธ Note**: This is for educational and defensive purposes only. Test in isolated environments.
---
## ๐ References
- [Microsoft Security Advisory](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-41091)
- [NVD Entry](https://nvd.nist.gov/vuln/detail/CVE-2026-41091)
- [CISA KEV Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)
- Related: BlueHammer (CVE-2026-33825) and UnDefend
---
## ๐ Credits
- Microsoft Security Response Center (MSRC)
- Security researchers and vendors who analyzed and reported in-the-wild activity (Huntress, Fabian Bader, etc.)
---
**Made with โค๏ธ for the security community**
*Last Updated: May 21, 2026*
```
Copy and paste this directly into a `README.md` file. It includes badges, tables, code blocks, emojis, and clear sections for maximum GitHub aesthetics and readability.