RC RANDOM CHAOS

Second Microsoft Defender zero-day PoC drops as researcher protests MSRC treatment

via BleepingComputer

Original source

New Microsoft Defender “RedSun” zero-day PoC grants SYSTEM privileges


A researcher going by “Chaotic Eclipse” has released a proof-of-concept for “RedSun,” a local privilege escalation zero-day in Microsoft Defender that yields SYSTEM on fully patched Windows 10, 11, and Server 2019 and later. The exploit abuses Defender’s behavior of writing a file it has flagged with a cloud tag back to the file’s original location. By writing an EICAR payload through the Cloud Files API, winning an oplock race against a volume shadow copy, and redirecting that write-back through a directory junction, the attacker drops a binary of their choosing at C:\Windows\system32\TieringEngineService.exe, which the Cloud Files infrastructure then executes as SYSTEM.
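A defender reading the above will want a quick way to check whether the drop location has been tampered with. The following PowerShell triage script is an added example written for this page; it is not code from the article, from the researcher, or from Microsoft. It assumes the drop path reported above and a seven-day look-back window (both adjustable), and it uses only stock cmdlets: it verifies the Authenticode signature on TieringEngineService.exe, lists recently modified System32 executables that do not carry a valid Microsoft signature, and enumerates reparse points (junctions and symlinks) directly under System32.

```powershell
# Added triage example for the RedSun drop location (not from the original article).
# Assumptions: the drop path named in the write-up; a 7-day look-back window.
param(
    [string]$Target = "$env:SystemRoot\System32\TieringEngineService.exe",
    [int]$LookbackDays = 7
)

function Test-MicrosoftSigned {
    param([string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    # A dropped attacker binary is either unsigned or signed by someone other than Microsoft.
    # Caveat: some catalog-signed system files can report NotSigned on older hosts,
    # so treat a non-Microsoft result as a lead to investigate, not a verdict.
    $isMs = ($sig.Status -eq 'Valid') -and
            ($null -ne $sig.SignerCertificate) -and
            ($sig.SignerCertificate.Subject -like '*Microsoft*')
    [pscustomobject]@{
        Path        = $Path
        Status      = $sig.Status
        Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
        IsMicrosoft = $isMs
        LastWrite   = (Get-Item -LiteralPath $Path).LastWriteTime
    }
}

# 1. The specific path the PoC writes to.
if (Test-Path -LiteralPath $Target) {
    Write-Output "== Signature check: $Target"
    Test-MicrosoftSigned -Path $Target | Format-List
} else {
    Write-Output "$Target is not present on this host."
}

# 2. Recently modified executables in System32 without a valid Microsoft signature.
$since = (Get-Date).AddDays(-$LookbackDays)
Write-Output "== System32 *.exe modified since $since without a valid Microsoft signature"
Get-ChildItem -LiteralPath "$env:SystemRoot\System32" -Filter *.exe -File |
    Where-Object { $_.LastWriteTime -ge $since } |
    ForEach-Object { Test-MicrosoftSigned -Path $_.FullName } |
    Where-Object { -not $_.IsMicrosoft } |
    Format-Table -AutoSize

# 3. Reparse points directly under System32. Legitimate ones are rare; a junction
#    here would be worth explaining.
Write-Output "== Reparse points under System32"
Get-ChildItem -LiteralPath "$env:SystemRoot\System32" -Directory -Force |
    Where-Object { $_.Attributes -band [IO.FileAttributes]::ReparsePoint } |
    Select-Object FullName, LinkType, Target |
    Format-Table -AutoSize
```

Run it from an elevated PowerShell session so the signature and attribute reads are not blocked by ACLs. The script only reads; it does not remove or quarantine anything, and a non-Microsoft hit should be pulled into normal incident handling (hash, VirusTotal, timeline) rather than acted on from the output alone.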

Tharros analyst Will Dormann independently confirmed the PoC works. Some AV engines on VirusTotal flag the executable only because of the embedded EICAR test string; encrypting that string sharply reduces detections, which shows that those engines are keying on the test string rather than on the technique itself.

RedSun is the second Defender zero-day this researcher has published in two weeks; the prior one, “BlueHammer,” became CVE-2026-33825 and was patched in April. The researcher says they are releasing PoCs rather than coordinating disclosure because of alleged retaliatory treatment by MSRC. Microsoft’s response reiterated its standard commitment to coordinated vulnerability disclosure without addressing the specific claims.


This is an AI-generated summary. Read the original for the full story.