Second Microsoft Defender Zero-Day in Two Weeks
A security researcher using the handle "Chaotic Eclipse" has published a proof-of-concept (PoC) exploit for a new Microsoft Defender zero-day vulnerability dubbed "RedSun" — the second Defender zero-day released by the same researcher in the past two weeks. The vulnerability allows a local attacker to escalate privileges to SYSTEM on affected Windows systems.
The researcher published the PoC exploit publicly without coordinated disclosure, citing frustration with how Microsoft interacts with independent security researchers. The previous zero-day published by Chaotic Eclipse, "BlueHammer," was similarly released without Microsoft having a patch ready, and security teams are now tracking both unpatched attack paths.
What the RedSun Vulnerability Does
According to the published PoC and researcher writeup, RedSun exploits a flaw in how Microsoft Defender's core antivirus service handles certain operations at elevated privilege levels. By triggering a specific code path within the Defender service — which runs as SYSTEM — an attacker with limited local access can:
- Cause the vulnerable Defender service code path to execute attacker-controlled code
- Inherit the SYSTEM security context of the Defender service process
- Achieve full operating system control — adding accounts, disabling security controls, or installing persistence mechanisms
The attack requires local access to the target machine but does not require any existing administrative privileges. This makes it particularly attractive as a second-stage payload after an initial low-privilege compromise.
Researcher's Protest Motivation
Chaotic Eclipse has been vocal about the motivations behind the public releases. In a statement accompanying the RedSun disclosure, the researcher indicated that Microsoft's vulnerability reward program and researcher communication process were the target of the protest, citing:
- Delayed acknowledgment of submitted vulnerabilities
- Inadequate compensation for high-severity research
- Dismissive treatment of researchers who identify systemic security issues
This type of protest disclosure, a form of full disclosure sometimes called a "full drop", bypasses coordinated vulnerability disclosure (CVD) norms and immediately creates risk for the Windows ecosystem, since attackers obtain a working exploit before any patch exists. Security researchers and vendors broadly disagree on whether the practice is ethical, even in cases of genuine researcher mistreatment.
Risk Assessment
| Factor | Assessment |
|---|---|
| Exploit Type | Privilege Escalation to SYSTEM |
| Access Required | Local (authenticated, low-privilege) |
| PoC Available | Yes — publicly released |
| Patch Available | No — zero-day, no patch from Microsoft |
| Complexity | Low — PoC is functional and documented |
| Windows Versions Affected | Under investigation — presumed broad Windows 10/11 impact |
Because a working PoC is now publicly available, threat actors and automated exploit frameworks are likely to incorporate RedSun in post-exploitation toolkits in the near term.
Microsoft Response
At the time of publication, Microsoft had not released a patch for the RedSun vulnerability. The company is presumed to be investigating both RedSun and the previously disclosed BlueHammer. Security teams should treat both as active unpatched risks until Microsoft issues guidance or out-of-band patches.
Microsoft's Security Response Center (MSRC) has generally indicated that it investigates all reported vulnerabilities regardless of how they were disclosed, but the public availability of working PoC code shortens the window before active exploitation begins.
Recommended Mitigations
Until Microsoft releases an official patch, defenders should consider:
- Limit local access to sensitive systems — reduce the population of users who can log in locally or via RDP on high-value targets
- Monitor for process creation where the parent is the Defender antimalware service (MsMpEng.exe, the Antimalware Service Executable). The service runs as SYSTEM and launches very few child processes in normal operation, so a shell, script host, or binary from a user-writable directory spawned under it as SYSTEM is a strong indicator of this class of exploit
- Implement Privileged Access Workstations (PAWs) for administrative functions, reducing attacker ability to pivot through compromised low-privilege sessions
- Deploy EDR behavioral detections for privilege escalation patterns, particularly those involving Windows Defender service processes
- Block execution of publicly known PoC hashes where endpoint protection allows custom blocklist rules, with the caveat that a recompiled or trivially modified PoC will not match, so hash blocking complements behavioral detection rather than replacing it
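As an added example for the process-creation monitoring bullet above (editorial code written for this article, not code from the original page, from Microsoft, or from the researcher's PoC), the following Python applies that rule to a handful of constructed Sysmon-style Event ID 1 records. It assumes the Defender service executable is MsMpEng.exe running as NT AUTHORITY\SYSTEM, that MpCmdRun.exe is its only expected child, and that the field names follow Sysmon's Image/ParentImage/User schema; the allowlists and the user-writable path prefixes are assumptions to tune per fleet.

```python
"""Flag process-creation events whose parent is the Microsoft Defender antimalware service.

Added example for this article; not code from the original page, Microsoft, or the
researcher's PoC. Assumptions:
- events are Sysmon Event ID 1 (process creation) fields flattened into dicts
  (Image, ParentImage, User);
- the Defender service executable is MsMpEng.exe (the Antimalware Service
  Executable), which runs as NT AUTHORITY\\SYSTEM;
- MpCmdRun.exe is the only child it is expected to launch (tune per fleet).
The sample events at the bottom are constructed, not captured telemetry.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable, Optional

DEFENDER_SERVICE = "msmpeng.exe"
EXPECTED_CHILDREN = {"mpcmdrun.exe"}          # assumption: expected Defender children
SYSTEM_USER = "nt authority\\system"
# Interactive shells and script hosts: a SYSTEM shell under the AV service is the
# classic local-privilege-escalation follow-on.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "rundll32.exe"}
# Directories a low-privilege user can write to (assumption: extend per fleet); a
# SYSTEM process started from one of these is almost never legitimate.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\windows\\temp\\")


@dataclass(frozen=True)
class Alert:
    severity: str   # "high" or "medium"
    reason: str
    image: str      # normalized (lower-case, backslash) image path


def _norm(path: str) -> str:
    return path.replace("/", "\\").lower()


def _basename(path: str) -> str:
    return _norm(path).rsplit("\\", 1)[-1]


def classify(event: dict) -> Optional[Alert]:
    """Return an Alert for a suspicious child of the Defender service, else None."""
    parent = _basename(event.get("ParentImage", ""))
    if parent != DEFENDER_SERVICE:
        return None                      # rule is scoped to children of the AV service
    image_path = _norm(event.get("Image", ""))
    image = _basename(image_path)
    if image in EXPECTED_CHILDREN:
        return None
    user = event.get("User", "").lower()
    if user == SYSTEM_USER and image in SHELLS:
        return Alert("high", f"{image} started as SYSTEM by {parent}", image_path)
    if user == SYSTEM_USER and image_path.startswith(USER_WRITABLE_PREFIXES):
        return Alert("high", f"SYSTEM process launched from user-writable path by {parent}", image_path)
    return Alert("medium", f"unexpected child {image} of {parent}", image_path)


def scan(events: Iterable[dict]) -> list[Alert]:
    """Run classify() over a stream of process-creation events, keeping only hits."""
    return [a for a in map(classify, events) if a is not None]


# Constructed sample events (not real telemetry); <version> is a placeholder for the
# Defender platform directory name. Only the fields used above are included.
_DEFENDER_DIR = r"C:\ProgramData\Microsoft\Windows Defender\Platform\<version>"
SAMPLE_EVENTS = [
    {"Image": _DEFENDER_DIR + r"\MpCmdRun.exe", "ParentImage": _DEFENDER_DIR + r"\MsMpEng.exe",
     "User": r"NT AUTHORITY\SYSTEM"},                                    # benign: expected child
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "User": r"CORP\alice"},                                             # benign: user shell, not Defender
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": _DEFENDER_DIR + r"\MsMpEng.exe",
     "User": r"NT AUTHORITY\SYSTEM"},                                    # high: SYSTEM shell under the AV service
    {"Image": r"C:\Users\alice\AppData\Local\Temp\stage2.exe", "ParentImage": _DEFENDER_DIR + r"\MsMpEng.exe",
     "User": r"NT AUTHORITY\SYSTEM"},                                    # high: SYSTEM binary from a user-writable dir
    {"Image": r"C:\Windows\System32\whoami.exe", "ParentImage": _DEFENDER_DIR + r"\MsMpEng.exe",
     "User": r"NT AUTHORITY\SYSTEM"},                                    # medium: unexpected but not a shell
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[{alert.severity.upper()}] {alert.reason}: {alert.image}")
```

Run directly, the script reports three alerts for the sample set (two high, one medium) and nothing for the two benign records. The same logic ports straightforwardly to a SIEM or EDR rule; note that it is scoped to children of the Defender service rather than to RedSun specifically, so it would also surface any other abuse of that process.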
Context: The BlueHammer Connection
This is the second zero-day from Chaotic Eclipse in rapid succession. The original BlueHammer zero-day, also targeting Windows and previously reported on CosmicBytez Labs, set the pattern for this protest campaign. Security teams that have been tracking BlueHammer should now also add RedSun indicators to their monitoring posture.
References
- BleepingComputer: New Microsoft Defender "RedSun" Zero-Day PoC Grants SYSTEM Privileges
- Microsoft Security Response Center (MSRC)
- CosmicBytez Labs: BlueHammer Zero-Day Coverage
Published by CosmicBytez Labs — labs.cosmicbytez.ca