Windows Defender Vulnerability Allows Malicious File Persistence Through Cloud Tag Detection
By
airhangerf15
Summary
The article describes a GitHub repository called 'RedSun' that documents a Windows Defender vulnerability. The vulnerability involves Windows Defender's behavior when detecting malicious files with cloud tags - instead of removing them, it rewrites the file to its original location. This behavior can be exploited to overwrite system files and gain administrative privileges. The author finds the vulnerability particularly amusing due to the irony of antivirus software ensuring malicious files remain present.
Key quotes
When Windows Defender realizes that a malicious file has a cloud tag, for whatever stupid and hilarious reason, the antivirus that's supposed to protect decides that it is a good idea to just rewrite the file it found again to its original location.
The PoC abuses this behaviour to overwrite system files and gain administrative privileges.
I think antimalware products are supposed to remove malicious files, not make sure they are there.
