Hacker News

RedSun: System user access on Win 11/10 and Server with the April 2026 Update

86 points by airhangerf15 today at 3:54 AM | 17 comments

Comments

egeozcan today at 6:27 AM

I wonder why Windows Defender has the privilege to alter the system files. Read them for analysis? Sure! Reset (as in, call some windows API to have it replaced with the original), why not? But being able to write sounds like a bad idea.

However, I don't know what I'm talking about so take it with a grain of salt!

hathym today at 8:49 AM

cl /std:c++17 /EHsc /W4 /O2 /DUNICODE /D_UNICODE /wd4005 /Fe:RedSun.exe RedSun.cpp advapi32.lib ole32.lib user32.lib

ranger_danger today at 5:26 AM

> normally I would just drop the PoC code and let people figure it out

Looks like that's exactly what they did though?

Or maybe they just meant that they don't usually explain how it works?

labelbabyjunior today at 6:30 AM

A local privilege escalation to root via an exploitable service?

Doesn't Linux have one of these CVEs...each week?
