0xBlackash/CVE-2026-41091
# 🛡️ CVE-2026-41091 - RedSun
**Microsoft Defender Elevation of Privilege Vulnerability**

**RedSun** is a local privilege escalation (LPE) technique (and associated PoC) abusing a link-following vulnerability in Microsoft Defender's Malware Protection Engine. It allows a low-privileged authenticated attacker to achieve **SYSTEM** privileges by tricking Defender's remediation and cloud file rollback mechanisms into writing attacker-controlled files to protected directories (e.g., `C:\Windows\System32`).
## 📋 Overview
- **CVE ID**: CVE-2026-41091
- **Vulnerability Type**: Improper Link Resolution Before File Access (CWE-59 - Link Following)
- **Affected Component**: Microsoft Malware Protection Engine
- **Root Cause**: Defender fails to properly resolve links/junctions during cloud-tagged file remediation/rollback, allowing redirection of privileged writes.
- **Impact**: Local authenticated attacker can escalate from standard user to **SYSTEM** privileges.
- **Public PoC**: Released by security researcher **Nightmare-Eclipse** (part of a series including BlueHammer and UnDefend).
## 🛠️ Technical Details
RedSun leverages Defender's handling of the **Cloud Files API**, oplocks, directory junctions, and remediation paths (especially in `TieringEngineService.exe` / real-time scan cleanup).
By placing a malicious file with cloud attributes and manipulating paths (junctions/symlinks), the exploit causes Defender (running as SYSTEM) to restore/rewrite the file into a privileged location, turning an arbitrary file write into code execution as SYSTEM.
**Key Techniques**:
- Cloud file tagging and rollback
- Directory junctions / reparse points
- Race conditions (TOCTOU-like behavior)
- Hijacking of privileged Defender services
## 📊 Vulnerability Metrics
| Metric | Value |
|---------------------|--------------------------------|
| **CVSS v3.1 Score** | **7.8 (High)** |
| Vector | AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| CWE | CWE-59 (Link Following) |
| Affected Engine | ≤ 1.1.26030.3008 |
| Fixed Engine | **1.1.26040.8** |
| Fixed Platform | 4.18.26040.7 |
| Known Exploited | Yes (CISA KEV - May 20, 2026) |
## 🗓️ Timeline
- **~April 15-16, 2026**: RedSun PoC publicly released by Nightmare-Eclipse on GitHub (`Nightmare-Eclipse/RedSun`).
- **April 2026**: Related BlueHammer (CVE-2026-33825) patched.
- **May 19-20, 2026**: Microsoft releases patches for CVE-2026-41091 (RedSun) and related issues.
- **May 20, 2026**: CISA adds to Known Exploited Vulnerabilities (KEV) catalog.
- **May 21, 2026**: Widespread public reporting.
## ✅ Mitigation & Patch
**Update immediately** — the vulnerability is **actively exploited**.
### How to Verify & Update
```powershell
# Check current Defender engine version
Get-MpComputerStatus | Select-Object AMEngineVersion, AMProductVersion
# Force update
Update-MpEngine
```
- **Recommended versions**:
  - Malware Protection Engine: **1.1.26040.8** or newer
  - Antimalware Platform: **4.18.26040.7** or newer
**Additional Recommendations**:
- Enable real-time protection and automatic updates.
- Monitor for suspicious activity in `C:\Windows\System32`, Defender remediation logs, and unusual `TieringEngineService.exe` behavior.
- Apply Windows Update / Defender signature updates.
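As an added example (not code from this repository), the following PowerShell turns the manual check above into a single pass/fail test against the fixed engine and platform versions listed in this README. It assumes the Defender PowerShell module (`Get-MpComputerStatus`, `Update-MpEngine`) is available on the host; the function name `Test-RedSunPatched` and the `-Update` switch are this example's own.

```powershell
# Added example, not part of the original repository.
# Fixed versions are taken from the metrics table in this README.
$FixedEngine   = [version]'1.1.26040.8'
$FixedPlatform = [version]'4.18.26040.7'

function Test-RedSunPatched {
    [CmdletBinding()]
    param(
        [switch]$Update   # when set, run Update-MpEngine if the engine is outdated
    )

    $status   = Get-MpComputerStatus
    $engine   = [version]$status.AMEngineVersion    # Malware Protection Engine
    $platform = [version]$status.AMProductVersion   # Antimalware Platform

    $engineOk   = $engine   -ge $FixedEngine
    $platformOk = $platform -ge $FixedPlatform

    if (-not $engineOk -and $Update) {
        # Pull the latest engine, then re-read the version to confirm the result.
        Update-MpEngine
        $engine   = [version](Get-MpComputerStatus).AMEngineVersion
        $engineOk = $engine -ge $FixedEngine
    }

    # Real-time protection is a precondition listed under Exploitation, so report it
    # alongside the version state for triage.
    [pscustomobject]@{
        EngineVersion      = $engine
        EngineFixed        = $FixedEngine
        EngineOk           = $engineOk
        PlatformVersion    = $platform
        PlatformFixed      = $FixedPlatform
        PlatformOk         = $platformOk
        RealTimeProtection = $status.RealTimeProtectionEnabled
        Patched            = ($engineOk -and $platformOk)
    }
}

# Usage: report only, or "Test-RedSunPatched -Update" to also force the engine update.
Test-RedSunPatched | Format-List
```

Hosts where `Patched` is `False` should be updated and then checked again, since the platform version is only raised by the Windows Update / platform package rather than by `Update-MpEngine`.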
## 🧪 Exploitation
**Requirements**:
- Low-privileged local account
- Defender real-time protection enabled
**Impact**:
- Full SYSTEM access
- Potential for persistence, credential dumping, disabling defenses, etc.
**Public PoC Repository**: [0xBlackash/RedSun](https://github.com/0xBlackash/CVE-2026-41091)
## 🔗 References
- [Microsoft Security Advisory](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-41091)
- [NVD Entry](https://nvd.nist.gov/vuln/detail/CVE-2026-41091)
- [CISA KEV Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)
- Related: BlueHammer (CVE-2026-33825) and UnDefend