HeadlinesBriefing.com

RedSun Exploit Bypasses Windows Defender via Cloud Tags

Hacker News

Security researchers have disclosed a critical vulnerability dubbed RedSun that affects Windows 11, Windows 10, and Windows Server systems. The flaw lies in Windows Defender's handling of cloud-tagged malicious files: the antivirus ironically restores, rather than removes, the threats it detects. This behavior allows attackers to overwrite critical system files and escalate privileges to administrator level.

The vulnerability stems from Defender's cloud-based scanning mechanism, which incorrectly treats certain tagged files as benign. When malicious code is flagged with specific cloud indicators, the security software attempts to restore the file to its original location instead of quarantining it. This creates a dangerous opportunity for privilege escalation attacks.

Security experts warn that this represents a fundamental flaw in how Windows Defender processes cloud-tagged threats. The irony of an antimalware product inadvertently aiding attackers by restoring malicious files has raised serious questions about the reliability of cloud-based security scanning. Organizations running affected Windows versions should monitor for patches addressing this issue.