Overview
- Security firm Huntress Labs reported real-world use of the RedSun exploit, with attackers also deploying the related BlueHammer and UnDefend techniques.
- RedSun lets a local attacker escalate to SYSTEM on fully patched Windows 10, Windows 11 and Windows Server hosts, provided Microsoft Defender is running.
- Analysts say the exploit abuses the Cloud Files API together with a file-lock race to replace TieringEngineService.exe with an attacker-controlled binary, which Windows then launches as SYSTEM.
- Microsoft said it is investigating and that it supports coordinated disclosure; there is no RedSun patch yet, while BlueHammer was fixed as CVE-2026-33825 in April.
- Researchers note that some antivirus detections of the PoC are caused by an EICAR test string embedded in it, so a hit does not by itself prove the exploit technique is detected; defenders are advised to add monitoring or an additional antivirus layer until a fix ships.
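Because the reported technique ends with a replaced TieringEngineService.exe being run as SYSTEM, one interim check defenders can script is whether that binary is still where the service control manager expects it, still Microsoft-signed, and still a plain file rather than a Cloud Files placeholder (which is a reparse point). The following PowerShell is an added example written for this page, not code from Huntress Labs, Microsoft or the RedSun PoC; it assumes the service is named TieringEngineService and that its binary normally lives under %SystemRoot%\System32, neither of which the reporting above states, so adjust both for your build. Run it as an administrator on a schedule or from your EDR's script runner.

```powershell
# Added example for this page; not code from Huntress, Microsoft or the PoC.
# Assumptions (not stated in the reporting): the Storage Tiers Management
# service is named 'TieringEngineService' and its binary is expected under
# %SystemRoot%\System32. Change both if your hosts differ.

$ServiceName = 'TieringEngineService'
$ExpectedDir = Join-Path $env:SystemRoot 'System32'

function Test-TieringEngineBinary {
    [CmdletBinding()]
    param()

    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Ask the service control manager which binary it will launch.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'" -ErrorAction SilentlyContinue
    if (-not $svc) {
        $findings.Add("Service '$ServiceName' not found; nothing to check on this host.")
        return $findings
    }

    # PathName may be quoted and may carry arguments; keep only the executable.
    $exePath = ($svc.PathName -replace '^"([^"]+)".*$', '$1').Trim()
    if ($exePath -eq $svc.PathName -and $exePath -match '\.exe') {
        $exePath = $exePath.Substring(0, $exePath.IndexOf('.exe', [StringComparison]::OrdinalIgnoreCase) + 4)
    }

    if (-not $exePath.StartsWith($ExpectedDir, [StringComparison]::OrdinalIgnoreCase)) {
        $findings.Add("Service binary path '$exePath' is outside $ExpectedDir.")
    }

    if (-not (Test-Path -LiteralPath $exePath)) {
        $findings.Add("Service binary '$exePath' does not exist on disk.")
        return $findings
    }

    # 2. Is the file still Microsoft-signed? A swapped-in binary fails here
    #    unless the attacker also holds a trusted signing key.
    $sig = Get-AuthenticodeSignature -LiteralPath $exePath
    if ($sig.Status -ne 'Valid') {
        $findings.Add("Signature status for '$exePath' is '$($sig.Status)', expected 'Valid'.")
    }
    elseif ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
        $findings.Add("'$exePath' is signed by '$($sig.SignerCertificate.Subject)', not Microsoft.")
    }

    # 3. Cloud Files placeholders are reparse points; a real system binary
    #    should be a plain file.
    $item = Get-Item -LiteralPath $exePath -Force
    if ($item.Attributes -band [IO.FileAttributes]::ReparsePoint) {
        $findings.Add("'$exePath' is a reparse point; system binaries should be plain files.")
    }

    return $findings
}

$result = Test-TieringEngineBinary
if ($result.Count -eq 0) {
    Write-Output "OK: $ServiceName binary is in place and Microsoft-signed."
}
else {
    $result | ForEach-Object { Write-Warning $_ }
}
```

The check is point-in-time: it will not catch a binary that is swapped back after the SYSTEM process has been started, so pair it with file-write monitoring on the System32 path rather than relying on it alone.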