Windows Defender exploited by RedSun zero-day to gain system-level access and bypass security defenses

A critical zero-day vulnerability known as RedSun has exposed a dangerous flaw in Windows Defender, turning a trusted security tool into a potential attack vector. Instead of removing a malicious file, the flaw causes Defender to write a flagged file back to its original location when certain cloud tags are present. Attackers can abuse this write-back to overwrite system files and escalate privileges, ultimately gaining full SYSTEM-level access on a compromised machine.


What makes this vulnerability particularly alarming is that it does not require administrative access to begin with. Threat actors can exploit RedSun to silently take control of systems, steal credentials, and move laterally across networks. Because the attack leverages legitimate Windows processes, it can easily bypass traditional antivirus defenses that rely on known signatures or basic detection techniques. With multiple variants still unpatched, organizations that rely solely on default protection are at significant risk.

This is where advanced, behavior-based security becomes essential. NPAV EPS uses Zero Deep Learning AI to detect suspicious behavior, zero-day attacks, and privilege escalation attempts before they cause damage — even when attackers exploit trusted Windows tools like Defender itself. By focusing on real-time behavior analysis instead of just known threats, NPAV ensures proactive protection against evolving cyberattacks that traditional solutions fail to stop.

Don't trust a single layer. Upgrade to NPAV EPS — Because your Defender can't defend itself.