RedSun Vulnerability - Critical Risk in Microsoft Defender

A critical zero-day vulnerability in Microsoft Defender allows low-privileged users to gain SYSTEM access. No patch is available, making immediate mitigation essential. Learn how to protect your systems now.


Original Reporting

Qualys Blog · Mukesh Choudhary

AI Summary

CyberPings AI·Reviewed by Rohit Rana

🎯Basically, a flaw in Microsoft Defender lets regular users take control of the system without permission.

What Happened

RedSun is a critical zero-day local privilege escalation (LPE) vulnerability in Microsoft Defender. A low-privileged local user can abuse it to obtain full SYSTEM-level access on Windows without a kernel exploit and without any administrator interaction. Because the bug sits in a trusted security component that runs as SYSTEM on every endpoint and is always active, it is especially dangerous in enterprise environments: the same agent that is supposed to stop an attacker becomes the vehicle for their escalation.

The Flaw

The vulnerability arises from how Microsoft Defender handles cloud-tagged files (cloud file placeholders) during remediation. When Defender remediates such a file, it later restores it to its recorded original location, and it performs that file operation as SYSTEM without validating where the target path actually leads. A low-privileged user can influence that path, so the SYSTEM-level file operation can be redirected to a location of their choosing. In effect the remediation step becomes a privileged file-write primitive, which is what turns a file-handling bug into a path to SYSTEM.
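The checks that "validating the target path" implies are worth seeing concretely. The following PowerShell function is an added illustration of a defensive pre-write check for any privileged component that writes to a path a lower-privileged user can influence; it is not Microsoft's or Qualys's code and makes no claim about the exact check Defender lacks. The attribute bit values are the Win32 constants from winnt.h; the sample path is constructed for the demonstration.

```powershell
# Added illustration (not Microsoft's or Qualys's code): checks a privileged
# "restore to original path" routine should run before writing as SYSTEM.
# Assumes Windows PowerShell 5.1 or later. Attribute bits are from winnt.h.

$FILE_ATTRIBUTE_REPARSE_POINT         = 0x00000400
$FILE_ATTRIBUTE_RECALL_ON_OPEN        = 0x00040000   # cloud placeholder, hydrated on open
$FILE_ATTRIBUTE_RECALL_ON_DATA_ACCESS = 0x00400000   # cloud placeholder, hydrated on read

function Test-SafeRestoreTarget {
    param([Parameter(Mandatory)][string]$Path)

    $problems = [System.Collections.Generic.List[string]]::new()

    # 1. Only absolute local paths. Relative, UNC and \\?\ device paths are refused outright.
    if (-not [System.IO.Path]::IsPathRooted($Path) -or $Path.StartsWith('\\')) {
        $problems.Add("not an absolute local path: $Path")
        return $problems
    }
    $full = [System.IO.Path]::GetFullPath($Path)   # collapses '.' and '..'
    if ($full -ne $Path) { $problems.Add("path is not canonical: $Path -> $full") }

    # 2. Walk every existing component. Any reparse point (junction, symlink, mount
    #    point, cloud placeholder) lets the owner redirect the write somewhere else.
    $parts = $full.Split([char]'\', [System.StringSplitOptions]::RemoveEmptyEntries)
    $cur = $parts[0] + '\'
    if ($parts.Length -gt 1) {
        foreach ($p in $parts[1..($parts.Length - 1)]) {
            $cur = Join-Path $cur $p
            if (-not (Test-Path -LiteralPath $cur)) { break }   # tail may not exist yet
            $attr = [int](Get-Item -LiteralPath $cur -Force).Attributes
            if ($attr -band $FILE_ATTRIBUTE_REPARSE_POINT) {
                $problems.Add("reparse point in path: $cur")
            }
            if ($attr -band ($FILE_ATTRIBUTE_RECALL_ON_OPEN -bor $FILE_ATTRIBUTE_RECALL_ON_DATA_ACCESS)) {
                $problems.Add("cloud placeholder (hydrate-on-access) in path: $cur")
            }
        }
    }

    # 3. The parent directory should be owned by a privileged principal. A directory the
    #    requesting user owns can be swapped for a junction between the check and the write.
    $parent = Split-Path -Parent $full
    if (Test-Path -LiteralPath $parent) {
        $owner = (Get-Acl -LiteralPath $parent).Owner
        $trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller')
        if ($owner -notin $trusted) {
            $problems.Add("parent directory owned by non-privileged principal '$owner': $parent")
        }
    }
    return $problems
}

# Constructed sample input; an empty list means the write may proceed.
$issues = Test-SafeRestoreTarget -Path 'C:\Users\alice\Downloads\sample.bin'
if ($issues.Count) { $issues | ForEach-Object { Write-Warning $_ } } else { 'target looks safe' }
```

Two caveats apply to any check of this kind. It is advisory only: between the check and the privileged write the user can still replace a component, so a real implementation must open the final handle with FILE_FLAG_OPEN_REPARSE_POINT and re-verify on the handle it actually writes through, not on the path string. And a cloud placeholder is itself a reparse point, which is why the Cloud Files filter sits at the centre of both the bug and the mitigation discussed below.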

Patch Status

At the time of writing there is no vendor patch for RedSun. Every Windows system running Defender is therefore exposed until Microsoft ships a fix, and a remediation workflow that waits for a patch offers nothing in the meantime.

Detection and Mitigation

Organizations can use Qualys VMDR to identify assets exposed to RedSun. The detection query for affected assets is vulnerabilities.vulnerability.qid:92382. Since no patch exists, immediate mitigation is the only option, and Qualys TruRisk™ Eliminate lets security teams push a targeted mitigation to affected assets at scale without waiting for a vendor fix.

Mitigation Steps

To mitigate RedSun, organizations can disable the Cloud Files Mini Filter driver (service name CldFlt). This prevents the Windows Cloud Files platform from loading and blocks cloud file placeholder and on-demand hydration functionality, which removes the cloud-tagged file handling the flaw depends on. The trade-off is that OS-level cloud file system integrations such as OneDrive Files On-Demand stop working on the mitigated host, so the change should be communicated and reverted once a vendor patch is applied. Note that changing the start type does not unload a filter that is already running; a reboot is required for the mitigation to take effect.
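For teams applying the mitigation by hand rather than through a vulnerability management platform, the following PowerShell script is an added example (not Qualys's or Microsoft's tooling) that audits the CldFlt driver, disables it, and records the original start type so the rollback does not have to guess it. The service name CldFlt and the registry Start values are standard Windows; the backup file path is an assumption for the example. Run it from an elevated prompt.

```powershell
# Added example, not Qualys's or Microsoft's tooling: disable the Cloud Files
# Mini Filter driver (service name CldFlt) as the interim RedSun mitigation and
# keep the previous start type so the change can be reverted after a patch ships.
# Requires an elevated Windows PowerShell 5.1+ session.

$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CldFlt'

function Get-CldFltState {
    # Start type from the registry (0=boot 1=system 2=auto 3=demand 4=disabled)
    # and whether the minifilter is currently loaded, according to fltmc.
    $start  = (Get-ItemProperty -Path $svcKey -Name Start -ErrorAction Stop).Start
    $loaded = [bool](fltmc.exe filters 2>$null | Select-String -Pattern '^\s*cldflt\b' -Quiet)
    [pscustomobject]@{ StartType = $start; Loaded = $loaded }
}

function Disable-CldFlt {
    # $BackupFile location is an assumption for this example.
    param([string]$BackupFile = "$env:ProgramData\cldflt-start-backup.txt")
    $before = Get-CldFltState
    if ($before.StartType -ne 4) {
        Set-Content -Path $BackupFile -Value $before.StartType   # keep original out of band
        sc.exe config CldFlt start= disabled | Out-Null             # note the space after 'start='
        if ($LASTEXITCODE -ne 0) { throw "sc.exe config failed with exit code $LASTEXITCODE" }
    }
    $after = Get-CldFltState
    if ($after.Loaded) {
        Write-Warning 'CldFlt is still loaded; the mitigation takes effect after a reboot.'
    }
    $after
}

function Restore-CldFlt {
    param([string]$BackupFile = "$env:ProgramData\cldflt-start-backup.txt")
    $names = @{ 0 = 'boot'; 1 = 'system'; 2 = 'auto'; 3 = 'demand'; 4 = 'disabled' }
    $orig  = [int](Get-Content -Path $BackupFile -ErrorAction Stop)
    sc.exe config CldFlt start= $names[$orig] | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "sc.exe config failed with exit code $LASTEXITCODE" }
    Get-CldFltState
}

Get-CldFltState      # audit current state
Disable-CldFlt       # apply the mitigation, then reboot when convenient
# Restore-CldFlt     # after the vendor patch is installed and verified
```

Verify after the reboot that Get-CldFltState reports StartType 4 and Loaded $false; if fltmc.exe still lists cldflt, the driver was not unloaded and the host remains exposed.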

Key Outcomes

The RedSun vulnerability highlights several critical lessons for security teams:

  1. Patch cycles are insufficient: Zero-days require a proactive risk-based mitigation strategy.
  2. Trusted components are targets: Security software running at elevated privileges can be exploited and should be closely monitored.
  3. Unified visibility and mitigation: Organizations must act quickly and at scale to manage vulnerabilities effectively.

Conclusion

The RedSun vulnerability serves as a stark reminder that modern attackers can exploit trusted security tools. Organizations need to adopt a proactive approach to risk management, utilizing tools like Qualys VMDR and TruRisk™ Eliminate to maintain security even in the absence of vendor patches.

🔒 Pro Insight

The RedSun vulnerability underscores the necessity for organizations to implement risk-based mitigation strategies that extend beyond traditional patch management.
