Zero-day | Apr 22, 2026

Don’t Wait for a Patch. Mitigate RedSun Zero-Day Risk in Microsoft Defender Today

RedSun zero-day LPE in Microsoft Defender allows low-privileged users to gain SYSTEM access.

Summary

RedSun is a critical zero-day local privilege escalation vulnerability in Microsoft Defender that allows low-privileged users to gain full SYSTEM-level access on Windows without kernel exploits or admin interaction. The flaw exploits improper handling of cloud file restoration logic in Defender's remediation process. No vendor patch is currently available, leaving all Defender-enabled Windows systems potentially exposed; mitigation involves disabling the Cloud Files Mini Filter service until a fix is released.

Full text

Key Takeaways

- RedSun is a critical zero-day vulnerability in Microsoft Defender that allows low-privileged users to gain SYSTEM access
- No patch is currently available, leaving all Defender-enabled Windows systems potentially exposed
- Qualys VMDR detects affected assets instantly (QID 92382)
- TruRisk™ Eliminate enables immediate mitigation, removing exploitability without waiting for a fix
- Organizations can reduce or eliminate risk in real time, with validated mitigation and TruRisk score updates

RedSun is a zero-day local privilege escalation (LPE) vulnerability in Microsoft Defender. It allows a low-privileged user to gain full SYSTEM-level access on Windows without any kernel exploit or administrator interaction.

What makes RedSun especially dangerous is that it weaponizes a trusted, always-on security component. Most enterprise environments have Defender running continuously, making the attack surface universal across unpatched Windows fleets.

Key characteristics

- Vulnerability type: Local Privilege Escalation (LPE)
- Affected component: Microsoft Defender (cloud file restoration logic)
- Required privileges: Low (standard user)
- Affected OS: Windows 10, Windows 11, and Windows Server 2019 and later systems
- Patch status: No vendor patch currently available
- Attack complexity: Low — minimal prerequisites required

Because no official patch exists, traditional remediation workflows fall short. This blog walks through how Qualys VMDR detects RedSun across your environment and how TruRisk™ Eliminate enables teams to deploy targeted mitigations for measurable risk reduction, even without a vendor fix. Try TruRisk Eliminate today to see how you can mitigate the RedSun vulnerability.
How Does the RedSun Vulnerability Exploit Chain Work?

At its core, RedSun abuses a logic flaw in how Defender handles cloud-tagged files during remediation. When Defender detects a malicious file carrying a cloud tag, it attempts to restore the file back to its original location rather than simply quarantining or deleting it. This restore operation runs with full NT AUTHORITY\SYSTEM privileges and, critically, does not validate whether the target path has been tampered with.

When Defender remediates a threat, it performs privileged file operations (move, delete, or restore) running as NT AUTHORITY\SYSTEM. RedSun exploits improper handling of these operations: a low-privileged user can influence the target path involved in the remediation action, redirecting SYSTEM-level file writes to attacker-controlled locations.

How to Detect RedSun Exposure with Qualys VMDR

Qualys VMDR provides comprehensive detection and visibility for RedSun across your entire Windows endpoint estate. Use the following QQL query to instantly surface all assets with the RedSun detection (QID 92382) in your VMDR:

vulnerabilities.vulnerability.qid:92382

How to Mitigate RedSun With No Patch Using TruRisk™ Eliminate

Since no patch is currently available for RedSun, mitigation becomes the primary line of defense. Waiting for a vendor fix is not an option when exploitability is low-complexity and the attack surface spans every Windows endpoint with Defender enabled. Qualys TruRisk™ Eliminate bridges this gap by enabling security teams to deploy targeted, script-based mitigation actions directly from the VMDR platform, with no separate tooling or manual endpoint access required. Each action is designed to reduce or fully eliminate the exploitability of a specific vulnerability and to make the resulting risk reduction measurable.
Mitigation for the RedSun vulnerability can include:

- Disabling the Cloud Files Mini Filter service. This prevents the Windows Cloud Files platform from loading and blocks cloud file placeholder and on-demand file hydration functionality, which restricts OS-level cloud file system integrations such as OneDrive Files On-Demand.

Once applied, the mitigation status for each host is immediately updated and clearly reflected in VMDR, giving security teams assurance and audit-ready proof of compensating controls while they prepare permanent remediation.

3 Key Outcomes

RedSun is a stark reminder that modern attackers no longer need to find exotic zero-days or bypass kernel protections. They can weaponize the very security tools designed to protect your endpoints. A low-privileged user with access to a Windows machine can escalate to SYSTEM simply by abusing Defender's own remediation behavior. This vulnerability underscores three key takeaways for security teams:

- Patch cycles alone are no longer sufficient. Zero-days demand a risk-based mitigation strategy that operates independently of vendor timelines.
- Trusted components are high-value targets. Security software running at elevated privilege is an attractive attack surface and should be treated accordingly.
- Visibility and mitigation must be unified. Knowing you're vulnerable is only half the battle. The ability to act immediately at scale is what separates managed risk from unmanaged exposure.

Qualys VMDR and TruRisk™ Eliminate together provide exactly that: continuous detection, quantified risk, and actionable mitigation, keeping organizations resilient even when the vendor hasn't shipped a patch.

If you are already a Qualys customer, contact your TAM to find out how to mitigate the risk of RedSun now.
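The compensating control described above, as an added PowerShell example that is not code from the Qualys post or from TruRisk Eliminate: it reports whether a host matches the exposure the post describes (Defender active, Cloud Files Mini Filter registered and loaded) and, with -Apply, disables the filter driver and records the previous start type so the change can be reverted once a patch ships. The driver service name CldFlt, its registry location under HKLM\SYSTEM\CurrentControlSet\Services, and the Defender cmdlet Get-MpComputerStatus are assumptions about standard Windows builds, not values taken from the post.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the Qualys post. Checks whether a host matches the
# exposure the post describes (Defender active, Cloud Files Mini Filter loadable)
# and, with -Apply, disables the filter driver as the compensating control.
# Assumptions: the driver's service name is 'CldFlt', it is registered under
# HKLM\SYSTEM\...\Services, and the Defender cmdlet Get-MpComputerStatus exists.
param([switch]$Apply)

$svc  = 'CldFlt'
$key  = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
$type = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

# 1. Is Defender the active engine on this host?
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
$defenderOn = [bool]($mp -and $mp.AMServiceEnabled)

# 2. Is the Cloud Files Mini Filter registered, and is it loaded right now?
$present = Test-Path $key
$start   = if ($present) { [int](Get-ItemProperty $key -Name Start).Start } else { -1 }
$loaded  = [bool]((& fltmc.exe filters 2>$null) -match "^\s*$svc\b")

Write-Host ("Defender AM service enabled : {0}" -f $defenderOn)
Write-Host ("CldFlt registered           : {0}" -f $present)
Write-Host ("CldFlt start type           : {0}" -f $(if ($present) { $type[$start] } else { 'n/a' }))
Write-Host ("CldFlt loaded (fltmc)       : {0}" -f $loaded)

$exposed = $defenderOn -and $present -and ($start -ne 4)
if (-not $exposed) { Write-Host 'Mitigation already in place or not applicable.'; return }
if (-not $Apply)   { Write-Host 'Host is exposed. Re-run with -Apply to disable the filter.'; return }

# 3. Mitigation: Start=4 (Disabled) keeps the driver from loading at next boot;
#    record the old value so the change can be reverted once a patch ships.
Write-Host ("Previous start type was {0} ({1}); restore this value to revert." -f $start, $type[$start])
Set-ItemProperty -Path $key -Name Start -Value 4 -Type DWord

# Try to unload the running instance too. This fails while cloud placeholders are
# in use, in which case the next reboot completes the change.
& fltmc.exe unload $svc 2>$null
if ($LASTEXITCODE -ne 0) { Write-Warning 'Filter still loaded; reboot to finish the mitigation.' }

$verified = ((Get-ItemProperty $key -Name Start).Start -eq 4)
Write-Host ("Start type now Disabled     : {0}" -f $verified)
# Side effect (from the post): OneDrive Files On-Demand placeholders stop working until reverted.
```

Run it once without -Apply to inventory exposure, and note that the recorded previous start type is what you restore when the vendor patch lands.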
New to Qualys? Sign up for a complimentary trial of TruRisk Eliminate today.

Frequently Asked Questions (FAQs)

What is the RedSun vulnerability?
RedSun is a zero-day local privilege escalation (LPE) vulnerability in Microsoft Defender that allows a low-privileged user to gain NT AUTHORITY\SYSTEM access by exploiting flaws in the remediation workflow.

Why is RedSun considered critical?
It combines low attack complexity, no required privileges, and broad exposure across Windows systems running Defender, making it highly exploitable in real-world environments.

Is there a patch available for RedSun?
No. At the time of writing, no vendor patch is available, which makes traditional patch-based remediation ineffective.

How can organizations detect RedSun exposure?
Using Qualys VMDR, teams can identify affected assets with the QQL query: vulnerabilities.vulnerability.qid:92382

How can you mitigate RedSun without a patch?
Using Qualys TruRisk Eliminate, teams can mitigate this vulnerability.

What is TruRisk™ Eliminate and how does it help?
TruRisk™ Eliminate enables teams to deploy targeted mitigation and remediation actions directly from the Qualys platform, eliminating vulnerability exploitability even when no patch exists.

Does mitigation actually reduce risk if the vulnerability still exists?
Yes. While the vulnerability may still be present, effective mitigation removes its exploitability, which reduces or eliminates real-world risk.

How is risk reduction validated?
Each mitigation action is:
- Executed at scale
- Continuously validated
- Reflected in the QDS score, providing measurable and auditable proof of risk reduction

Why is this important for security teams?
Because threats move faster than patch cycles, teams need the ability to:
- Act immediately
- Reduce risk proactively
- Maintain visibility and control across all endpoints
