{"id":48815,"date":"2026-04-22T13:38:30","date_gmt":"2026-04-22T13:38:30","guid":{"rendered":"http:\/\/localhost\/?p=48815"},"modified":"2026-04-22T13:38:30","modified_gmt":"2026-04-22T13:38:30","slug":"dontwait-for-a-patch-mitigate-redsunzero-day-risk-in-microsoft-defender-today","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=48815","title":{"rendered":"Don\u2019t\u00a0Wait for a Patch. Mitigate RedSun\u00a0Zero-Day Risk in Microsoft Defender Today_QUALYSBLOG:D571338800CB27456FC1CDF88B86897D"},"content":{"rendered":"<p>{&#8220;lastseen&#8221;:&#8221;2026-04-22T18:29:09&#8243;,&#8221;description&#8221;:&#8221;### Key Takeaways\\n\\n  * RedSun is a critical zero-day vulnerability in Microsoft Defender that allows low-privileged users to gain SYSTEM access\\n  * No patch is currently available, leaving all Defender-enabled Windows systems potentially exposed\\n  * Qualys VMDR detects affected assets instantly (QID 92382)\\n  * TruRisk\u2122 Eliminate enables immediate mitigation, removing exploitability without waiting for a fix\\n  * Organizations can reduce or eliminate risk in real time, with validated mitigation and TruRisk score updates\\n\\n* * *\\n\\nRedSun is a zero-day local privilege escalation (LPE) vulnerability in Microsoft Defender. It allows a low-privileged user to gain full SYSTEM-level access on Windows without any kernel exploit or administrator interaction.\\n\\nWhat makes RedSun especially dangerous is that it weaponizes a trusted, always-on security component. Most enterprise environments have Defender running continuously, making the attack surface universal across unpatched Windows fleets. 
\\n\\n## **Key characteristics**\\n\\nVulnerability type | Local Privilege Escalation (LPE)\\n---|---\\nAffected component | Microsoft Defender (cloud file restoration logic)\\nRequired privileges | Low (standard user)\\nAffected OS | Windows 10, Windows 11, and Windows Server 2019 and later systems\\nPatch status | No vendor patch currently available\\nAttack complexity | Low \u2014 minimal prerequisites required\\n\\nBecause no official patch exists, traditional remediation workflows fall short. This blog walks through how Qualys VMDR detects RedSun across your environment and how TruRisk\u2122 Eliminate enables teams to deploy targeted mitigations for measurable risk reduction, even without a vendor fix.\\n\\n* * *\\n\\n**Try TruRisk Eliminate today to see how you can mitigate the RedSun vulnerability.**\\n\\n* * *\\n\\n## **How Does the RedSun Vulnerability Exploit Chain Work?**\\n\\nAt its core, RedSun abuses a logic flaw in how Defender handles cloud-tagged files during remediation. When Defender detects a malicious file carrying a cloud tag, it attempts to restore the file to its original location rather than simply quarantining or deleting it. This restore operation runs with full NT AUTHORITY\\\\SYSTEM privileges and, critically, does not validate whether the target path has been tampered with.\\n\\nWhen Defender remediates a threat, it performs privileged file operations (move, delete, or restore) running as NT AUTHORITY\\\\SYSTEM. 
RedSun exploits improper handling of these operations: a low-privileged user can influence the target path involved in the remediation action, redirecting SYSTEM-level file writes to attacker-controlled locations.\\n\\n## **How to Detect RedSun Exposure with Qualys VMDR**\\n\\nQualys VMDR provides comprehensive detection and visibility for RedSun across your entire Windows endpoint estate.\\n\\nUse the following QQL query to instantly surface all assets with the RedSun detection (QID 92382) in VMDR:\\n\\n    vulnerabilities.vulnerability.qid:92382\\n\\n![How to\u00a0Detect\u00a0RedSun\u00a0Exposure with Qualys VMDR](https:\/\/blog.qualys.com\/wp-content\/uploads\/2026\/04\/Detect-RedSun-Exposure-with-Qualys-VMDR-scaled.png)\\n\\n## **How to Mitigate RedSun With No Patch Using TruRisk\u2122 Eliminate**\\n\\nSince no patch is currently available for RedSun, mitigation becomes the primary line of defense. Waiting for a vendor fix is not an option when exploitation is low-complexity and the attack surface spans every Windows endpoint with Defender enabled.\\n\\nQualys TruRisk\u2122 Eliminate bridges this gap by enabling security teams to deploy targeted, script-based mitigation actions directly from the VMDR platform, with no separate tooling or manual endpoint access required. Each action is designed to reduce or fully eliminate the exploitability of a specific vulnerability, and the resulting risk reduction. \\n\\n### Mitigation for RedSun Vulnerability can include:\\n\\nThe mitigation disables the Cloud Files Mini Filter service, which prevents the Windows Cloud Files platform from loading and blocks cloud file placeholder and on\u2011demand file hydration functionality. 
This restricts OS\u2011level cloud file system integrations such as OneDrive Files On\u2011Demand.\\n\\n![Mitigation for\u00a0RedSun\u00a0Vulnerability](https:\/\/blog.qualys.com\/wp-content\/uploads\/2026\/04\/Mitigation-for-RedSun-Vulnerability-scaled.png)\\n\\nOnce applied, the mitigation status for each host is immediately updated and clearly reflected in VMDR, giving security teams assurance and audit-ready proof of compensating controls while they prepare permanent remediation.\\n\\n![Mitigation for RedSun](https:\/\/blog.qualys.com\/wp-content\/uploads\/2026\/04\/Mitigation-for-RedSun-Vulnerability-2-1.png)\\n\\n## 3 Key Outcomes\\n\\nRedSun is a stark reminder that modern attackers no longer need to find exotic zero-days or bypass kernel protections. They can weaponize the very security tools designed to protect your endpoints. A low-privileged user with access to a Windows machine can escalate to SYSTEM simply by abusing Defender\u2019s own remediation behavior.\\n\\nThis vulnerability underscores three key takeaways for security teams:\\n\\n  1. **Patch cycles alone are no longer sufficient.** Zero-days demand a risk-based mitigation strategy that operates independently of vendor timelines.\\n  2. **Trusted components are high-value targets.** Security software running at elevated privilege is an attractive attack surface and should be treated accordingly.\\n  3. **Visibility and mitigation must be unified.** Knowing you\u2019re vulnerable is only half the battle. 
The ability to act immediately at scale is what separates managed risk from unmanaged exposure.\\n\\nQualys VMDR and TruRisk\u2122 Eliminate together provide exactly that: continuous detection, quantified risk, and actionable mitigation, keeping organizations resilient even when the vendor hasn\u2019t shipped a patch.\\n\\n* * *\\n\\nIf you are already a Qualys customer:  \\nContact your TAM to find out how to mitigate the risk of RedSun now.\\n\\nNew to Qualys?  \\nSign up for a complimentary trial of TruRisk Eliminate today.\\n\\n* * *\\n\\n## Frequently Asked Questions (FAQs)\\n\\n**What is the RedSun vulnerability?**\\n\\nRedSun is a zero-day local privilege escalation (LPE) vulnerability in Microsoft Defender that allows a low-privileged user to gain NT AUTHORITY\\\\SYSTEM access by exploiting flaws in the remediation workflow.\\n\\n**Why is RedSun considered critical?**\\n\\nIt combines low attack complexity, no required privileges, and broad exposure across Windows systems running Defender\u2014making it highly exploitable in real-world environments.\\n\\n**Is there a patch available for RedSun?**\\n\\nNo. At the time of writing, no vendor patch is available, which makes traditional patch-based remediation ineffective.\\n\\n**How can organizations detect RedSun exposure?**\\n\\nUsing Qualys VMDR, teams can identify affected assets with the QQL query:\\n\\n    vulnerabilities.vulnerability.qid:92382\\n\\n**How can you mitigate RedSun without a patch?**\\n\\nUsing Qualys TruRisk Eliminate, teams can mitigate this vulnerability. 
\\n\\n**What is TruRisk\u2122 Eliminate and how does it help?**\\n\\nTruRisk\u2122 Eliminate enables teams to deploy targeted mitigation and remediation actions directly from the Qualys platform, eliminating vulnerability exploitability\u2014even when no patch exists.\\n\\n**Does mitigation actually reduce risk if the vulnerability still exists?**\\n\\nYes. While the vulnerability may still be present, effective mitigation removes its exploitability, which reduces or eliminates real-world risk.\\n\\n**How is risk reduction validated?**\\n\\nEach mitigation action is:\\n\\n  * Executed at scale\\n  * Continuously validated\\n  * Reflected in the QDS score, providing measurable and auditable proof of risk reduction\\n\\n**Why is this important for security teams?**\\n\\nBecause threats move faster than patch cycles, teams need the ability to:\\n\\n  * Act immediately\\n  * Reduce risk proactively\\n  * Maintain visibility and control across all endpoints&#8221;,&#8221;published&#8221;:&#8221;2026-04-22T17:12:34&#8243;,&#8221;modified&#8221;:&#8221;2026-04-22T17:12:34&#8243;,&#8221;type&#8221;:&#8221;qualysblog&#8221;,&#8221;title&#8221;:&#8221;Don\u2019t\u00a0Wait for a Patch. 
Mitigate RedSun\u00a0Zero-Day Risk in Microsoft Defender Today&#8221;,&#8221;source&#8221;:&#8221;&#8221;,&#8221;references&#8221;:&#8221;&#8221;,&#8221;id&#8221;:&#8221;QUALYSBLOG:D571338800CB27456FC1CDF88B86897D&#8221;,&#8221;bulletinFamily&#8221;:&#8221;blog&#8221;,&#8221;cwe&#8221;:null,&#8221;cvelist&#8221;:[],&#8221;sourceData&#8221;:&#8221;&#8221;,&#8221;sourceHref&#8221;:&#8221;&#8221;,&#8221;cvss&#8221;:{&#8220;score&#8221;:0,&#8221;severity&#8221;:&#8221;NONE&#8221;,&#8221;vector&#8221;:&#8221;NONE&#8221;,&#8221;version&#8221;:&#8221;NONE&#8221;},&#8221;cvss2&#8243;:{},&#8221;cvss3&#8243;:{&#8220;version&#8221;:&#8221;&#8221;,&#8221;vectorString&#8221;:&#8221;&#8221;,&#8221;baseScore&#8221;:0,&#8221;baseSeverity&#8221;:&#8221;&#8221;,&#8221;attackVector&#8221;:&#8221;&#8221;,&#8221;attackComplexity&#8221;:&#8221;&#8221;,&#8221;privilegesRequired&#8221;:&#8221;&#8221;,&#8221;userInteraction&#8221;:&#8221;&#8221;,&#8221;scope&#8221;:&#8221;&#8221;,&#8221;confidentialityImpact&#8221;:&#8221;&#8221;,&#8221;integrityImpact&#8221;:&#8221;&#8221;,&#8221;availabilityImpact&#8221;:&#8221;&#8221;,&#8221;cvssV3&#8243;:{&#8220;version&#8221;:&#8221;&#8221;,&#8221;vectorString&#8221;:&#8221;&#8221;,&#8221;baseScore&#8221;:0,&#8221;baseSeverity&#8221;:&#8221;&#8221;,&#8221;attackVector&#8221;:&#8221;&#8221;,&#8221;attackComplexity&#8221;:&#8221;&#8221;,&#8221;privilegesRequired&#8221;:&#8221;&#8221;,&#8221;userInteraction&#8221;:&#8221;&#8221;,&#8221;scope&#8221;:&#8221;&#8221;,&#8221;confidentialityImpact&#8221;:&#8221;&#8221;,&#8221;integrityImpact&#8221;:&#8221;&#8221;,&#8221;availabilityImpact&#8221;:&#8221;&#8221;}},&#8221;href&#8221;:&#8221;https:\/\/blog.qualys.com\/category\/product-tech\/vulnmgmt-detection-response&#8221;,&#8221;category_name&#8221;:&#8221;News&#8221;,&#8221;post_link&#8221;:&#8221;&#8221;,&#8221;product&#8221;:&#8221;&#8221;,&#8221;version&#8221;:&#8221;&#8221;,&#8221;vendor&#8221;:&#8221;&#8221;,&#8221;ai_description&#8221;:&#8221;&#8221;,&#8
221;ai_severity&#8221;:&#8221;&#8221;,&#8221;ai_vendor&#8221;:&#8221;&#8221;,&#8221;ai_product&#8221;:&#8221;&#8221;,&#8221;ai_version&#8221;:&#8221;&#8221;,&#8221;ai_score&#8221;:0}<\/p>\n","protected":false},"excerpt":{"rendered":"<p>{&#8220;lastseen&#8221;:&#8221;2026-04-22T18:29:09&#8243;,&#8221;description&#8221;:&#8221;### Key Takeaways\\n\\n * RedSun is a critical zero-day vulnerability in Microsoft Defender that allows low-privileged users to gain SYSTEM access\\n * No patch is&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,13,33,120,7,11,5],"class_list":["post-48815","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-news","tag-none","tag-qualysblog","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.5 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Don\u2019t\u00a0Wait for a Patch. Mitigate RedSun\u00a0Zero-Day Risk in Microsoft Defender Today_QUALYSBLOG:D571338800CB27456FC1CDF88B86897D - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=48815\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Don\u2019t\u00a0Wait for a Patch. 
Mitigate RedSun\u00a0Zero-Day Risk in Microsoft Defender Today_QUALYSBLOG:D571338800CB27456FC1CDF88B86897D - zero redgem\" \/>\n<meta property=\"og:description\" content=\"{&#8220;lastseen&#8221;:&#8221;2026-04-22T18:29:09&#8243;,&#8221;description&#8221;:&#8221;### Key Takeawaysnn * RedSun is a critical zero-day vulnerability in Microsoft Defender that allows low-privileged users to gain SYSTEM accessn * No patch is...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=48815\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2026-04-22T13:38:30+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"7 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=48815#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=48815\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"Don\u2019t\u00a0Wait for a Patch. 
Mitigate RedSun\u00a0Zero-Day Risk in Microsoft Defender Today_QUALYSBLOG:D571338800CB27456FC1CDF88B86897D\",\"datePublished\":\"2026-04-22T13:38:30+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=48815\"},\"wordCount\":1382,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CVE\",\"CVSS\",\"exploit\",\"news\",\"NONE\",\"qualysblog\",\"Security\",\"tapic\",\"Vulnerability\"],\"articleSection\":[\"category_news\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=48815#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=48815\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=48815\",\"name\":\"Don\u2019t\u00a0Wait for a Patch. Mitigate RedSun\u00a0Zero-Day Risk in Microsoft Defender Today_QUALYSBLOG:D571338800CB27456FC1CDF88B86897D - zero redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2026-04-22T13:38:30+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=48815#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=48815\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=48815#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Don\u2019t\u00a0Wait for a Patch. 
Mitigate RedSun\u00a0Zero-Day Risk in Microsoft Defender Today_QUALYSBLOG:D571338800CB27456FC1CDF88B86897D\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Don\u2019t\u00a0Wait for a Patch. Mitigate RedSun\u00a0Zero-Day Risk in Microsoft Defender Today_QUALYSBLOG:D571338800CB27456FC1CDF88B86897D - zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=48815","og_locale":"en_US","og_type":"article","og_title":"Don\u2019t\u00a0Wait for a Patch. Mitigate RedSun\u00a0Zero-Day Risk in Microsoft Defender Today_QUALYSBLOG:D571338800CB27456FC1CDF88B86897D - zero redgem","og_description":"{&#8220;lastseen&#8221;:&#8221;2026-04-22T18:29:09&#8243;,&#8221;description&#8221;:&#8221;### Key Takeawaysnn * RedSun is a critical zero-day vulnerability in Microsoft Defender that allows low-privileged users to gain SYSTEM accessn * No patch is...","og_url":"https:\/\/zero.redgem.net\/?p=48815","og_site_name":"zero redgem","article_published_time":"2026-04-22T13:38:30+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. reading time":"7 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=48815#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=48815"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"Don\u2019t\u00a0Wait for a Patch. 
Mitigate RedSun\u00a0Zero-Day Risk in Microsoft Defender Today_QUALYSBLOG:D571338800CB27456FC1CDF88B86897D","datePublished":"2026-04-22T13:38:30+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=48815"},"wordCount":1382,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CVE","CVSS","exploit","news","NONE","qualysblog","Security","tapic","Vulnerability"],"articleSection":["category_news"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=48815#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=48815","url":"https:\/\/zero.redgem.net\/?p=48815","name":"Don\u2019t\u00a0Wait for a Patch. Mitigate RedSun\u00a0Zero-Day Risk in Microsoft Defender Today_QUALYSBLOG:D571338800CB27456FC1CDF88B86897D - zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2026-04-22T13:38:30+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=48815#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=48815"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=48815#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"Don\u2019t\u00a0Wait for a Patch. 
Mitigate RedSun\u00a0Zero-Day Risk in Microsoft Defender Today_QUALYSBLOG:D571338800CB27456FC1CDF88B86897D"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/48815","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/
zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=48815"}],"version-history":[{"count":0,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/48815\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=48815"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=48815"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=48815"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}