New Microsoft Defender "RedSun" zero-day PoC grants SYSTEM privileges

What happened?
It has been reported that a proof-of-concept exploit called "RedSun", targeting Microsoft Defender, has been published online and allegedly lets an attacker escalate privileges to SYSTEM on affected Windows hosts. The report, first covered by BleepingComputer, has set off alarms in the security community, and for good reason. A working PoC that hands out SYSTEM is not a minor footnote: it is the kind of tool that turns a single low-privileged foothold into full control of the machine. Be precise about what is being claimed, though. As described, this is a local privilege escalation: the attacker must already be running code on the host, and neither the affected Defender versions nor the root cause have been confirmed by Microsoft at the time of writing.
Why it matters
SYSTEM is the highest local privilege on Windows, and it is what an attacker wants. With it, persistence (services, scheduled tasks, driver loading), tampering with security tooling, credential theft from LSASS and access to every user's data on the box all become far easier. Are Windows endpoints suddenly sitting ducks? Not quite: an attacker still needs an initial foothold, and a PoC is not the same as weaponised malware. But a public exploit removes most of the friction, and it removes the time defenders would otherwise have had. The twin tasks now are assessing exposure and preparing containment while the vendor and the researcher sort out disclosure details.
What to do
Until Microsoft issues guidance or a patch, treat this as high risk, and because the report names no affected version range, treat every Defender-protected host as in scope. Concretely: confirm that the Defender platform, engine and signatures are current on every endpoint; review the Defender operational log for real-time protection being disabled or the configuration being changed; check for newly added exclusions; make sure tamper protection is on; trim local Administrators group membership; confirm your EDR agent is actually reporting from each host; and block untrusted code execution (AppLocker or WDAC) where you can, since a local privilege escalation still needs something to run first. Remember that patching and signatures are only part of the picture. Defense in depth wins the day.
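As an added example (not from the article, BleepingComputer or Microsoft), the following PowerShell script turns the checklist above into a read-only posture audit for one host. It uses only documented Defender and local-account cmdlets; the seven-day look-back window, the three-day signature-age threshold and the findings-list output format are my own choices. One caveat: if a host has already been compromised by an exploit aimed at Defender itself, its local telemetry may have been tampered with, so treat this as a first pass and cross-check against logs your EDR or SIEM has already forwarded off the box.

```powershell
# Added example, not code from the article or from Microsoft. Read-only posture
# check for a host running Microsoft Defender Antivirus, built on documented
# cmdlets: Get-MpComputerStatus, Get-MpPreference, Get-LocalGroupMember, Get-WinEvent.
# Run in an elevated session. Event IDs 5001 (real-time protection disabled),
# 5007 (configuration changed) and 5013 (tamper protection blocked a change) come
# from the Defender operational log; the 7-day window and 3-day signature-age
# threshold are assumptions chosen for this example.

if (-not (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue)) {
    throw 'Defender PowerShell cmdlets are not available on this host.'
}

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Core protection state and component versions
$status = Get-MpComputerStatus
if (-not $status.AMServiceEnabled)          { $findings.Add('Defender AM service is not running') }
if (-not $status.RealTimeProtectionEnabled) { $findings.Add('Real-time protection is off') }
if (-not $status.BehaviorMonitorEnabled)    { $findings.Add('Behavior monitoring is off') }
if (-not $status.IsTamperProtected)         { $findings.Add('Tamper protection is off') }
if ($status.AntivirusSignatureAge -gt 3) {
    $findings.Add("Signatures are $($status.AntivirusSignatureAge) days old")
}

# 2. Exclusions: a common way to hide tooling from the engine
$pref = Get-MpPreference
foreach ($p in @($pref.ExclusionPath))      { if ($p) { $findings.Add("Path exclusion: $p") } }
foreach ($p in @($pref.ExclusionProcess))   { if ($p) { $findings.Add("Process exclusion: $p") } }
foreach ($p in @($pref.ExclusionExtension)) { if ($p) { $findings.Add("Extension exclusion: $p") } }
if ($pref.DisableRealtimeMonitoring) { $findings.Add('DisableRealtimeMonitoring preference is set') }

# 3. Local administrators: every member is one step away from SYSTEM
$admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
foreach ($m in $admins) {
    $findings.Add("Local admin: $($m.Name) [$($m.PrincipalSource)]")
}

# 4. Recent protection/configuration changes in the Defender operational log
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 5001, 5007, 5013
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue
foreach ($e in $events) {
    $firstLine = ($e.Message -split "`n")[0].Trim()
    $findings.Add(('Event {0} at {1}: {2}' -f $e.Id, $e.TimeCreated, $firstLine))
}

# 5. Report
"Host: $env:COMPUTERNAME  Platform: $($status.AMProductVersion)  Engine: $($status.AMEngineVersion)  Signatures: $($status.AntivirusSignatureVersion)"
if ($findings.Count -eq 0) {
    'No findings.'
} else {
    $findings | ForEach-Object { " - $_" }
}
```

Run it in an elevated session (group membership and the operational log need administrator rights) and push it out through whatever management tooling you already use so the results can be compared across the fleet rather than read host by host.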
This episode is another reminder of a pattern we have seen before: research and PoCs move fast, sometimes faster than mitigations. Will Microsoft respond quickly? Time will tell. For now, security teams should assume the worst and act accordingly.
Sources: BleepingComputer