📌 RedSun - Windows Defender LPE 0day
♜When Windows Defender realizes that a malicious file has a cloud tag, for whatever stupid and hilarious reason, the antivirus that's supposed to protect the system decides that it is a good idea to write the file it found back to its original location. The PoC abuses this behaviour to overwrite system files and gain administrative privileges.
♜Windows' built-in antivirus, Defender, is affected by a 0-day exploit called RedSun that grants full system access.
Analysts have discovered a critical flaw right at the core of Windows. The vulnerability allows any malware, RATs, and crypto drainers to silently bypass protection.
The bug supposedly works with 100% reliability on all updated builds of Windows 10, 11, and the latest server versions. And the most alarming part — there is currently no patch available.
The vulnerability lies within the protection mechanism itself. When Defender detects a virus, instead of quarantining it, it attempts to overwrite it. Hackers can manipulate file paths using NTFS links, causing the antivirus to inadvertently place the malicious file directly into a system directory and grant it maximum privileges.
🚩The RedSun exploit is reportedly already circulating on the dark web and is being actively used to target crypto users. Microsoft is still trying to address the issue, leaving millions of devices potentially at risk.