VULNERABILITY OVERVIEW
An improper link resolution before file access (CWE-59) flaw in mpengine.dll allows a low-privileged local attacker to redirect Defender's elevated file writes into protected system directories, escalating to full SYSTEM privileges. Dubbed 'RedSun', the exploit was publicly released on GitHub in April 2026 by a researcher operating as Nightmare Eclipse without coordinated disclosure, and Huntress confirmed real-world exploitation in customer intrusions as early as mid-April 2026. CISA added both CVE-2026-41091 and CVE-2026-45498 to the KEV catalog on May 20, 2026, with a remediation deadline of June 3, 2026.
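The advisory names a concrete affected-version ceiling, so the first thing a defender wants is a quick way to tell whether a host is still running an affected engine. The PowerShell below is an added example, not code from the advisory or from Microsoft; it assumes the Windows Defender module (Get-MpComputerStatus, which exposes the AMEngineVersion property) is available on the host, and takes the version threshold directly from the "affected versions" line of this page.

```powershell
# Added example (not part of the advisory): report whether the local Malware
# Protection Engine is at or below the last affected build named on the page.
# Assumes the Defender PowerShell module is present (Get-MpComputerStatus).

# Threshold from the advisory: engine v1.1.26030.3008 and earlier are affected.
$LastAffectedEngine = [version]'1.1.26030.3008'

function Test-DefenderEngineAffected {
    [CmdletBinding()]
    param(
        # Allow an explicit version so the check can be run against inventory data.
        [version]$Installed,
        [version]$LastAffected = $LastAffectedEngine
    )

    if (-not $Installed) {
        try {
            # AMEngineVersion is the Malware Protection Engine (mpengine.dll) build.
            $Installed = [version](Get-MpComputerStatus -ErrorAction Stop).AMEngineVersion
        } catch {
            # Defender module missing or service unavailable: report, do not guess.
            return [pscustomobject]@{
                ComputerName  = $env:COMPUTERNAME
                EngineVersion = $null
                LastAffected  = $LastAffected.ToString()
                Affected      = $null
                Error         = $_.Exception.Message
            }
        }
    }

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        EngineVersion = $Installed.ToString()
        LastAffected  = $LastAffected.ToString()
        # System.Version compares all four fields numerically, so a four-part
        # build such as 1.1.26030.3008 is handled correctly (no string compare).
        Affected      = ($Installed -le $LastAffected)
        Error         = $null
    }
}

$result = Test-DefenderEngineAffected
$result | Format-List

if ($result.Affected -eq $true) {
    Write-Warning ("Engine {0} is at or below {1}: apply the Microsoft engine update " +
                   "(CISA KEV remediation due 2026-06-03)." -f $result.EngineVersion, $result.LastAffected)
} elseif ($null -eq $result.Affected) {
    Write-Warning "Could not read the engine version: $($result.Error)"
}
```

Run it as-is on a single host, or feed `-Installed` with versions collected from an EDR or inventory export to triage a fleet without touching each machine; the comparison uses System.Version rather than string ordering so that builds such as 1.1.26030.3008 and a hypothetical 1.1.26040.1 sort as numbers, not text.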
CVSS BREAKDOWN
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Impact: C:H / I:H / A:H
AFFECTED VERSIONS
Microsoft Malware Protection Engine v1.1.26030.3008 and earlier
CITATIONS
- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-41091
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- https://www.techtimes.com/articles/316957/20260521/microsoft-defender-zero-days-patched-redsun-undefend-exploits-already-used-live-intrusions.htm
- https://thehackernews.com/2026/05/microsoft-warns-of-two-actively.html