The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-33825, also known as BlueHammer, to its Known Exploited Vulnerabilities (KEV) Catalog, confirming active exploitation in the wild and requiring federal agencies to remediate affected systems by May 7, 2026.
The vulnerability affects Microsoft Defender and allows a low-privileged local attacker to escalate privileges to SYSTEM, giving them full control over the compromised Windows device.
The issue was patched during April 2026 Patch Tuesday, but public proof-of-concept code was released shortly before the update by a researcher using the handle Chaotic Eclipse, increasing the likelihood of widespread weaponization.
Threat Overview
CVE-2026-33825 is a local privilege escalation vulnerability in Microsoft Defender caused by insufficient granularity of access control, allowing a low-privileged local attacker to escalate privileges to SYSTEM. According to the National Vulnerability Database, the flaw carries a CVSS score of 7.8 (High) and requires only low privileges and no user interaction to exploit. Successful exploitation enables full control over the affected system, allowing attackers to disable protections, dump credentials, establish persistence, and move laterally across the environment.
BlueHammer is especially dangerous as a post-compromise privilege escalation tool. It is not typically used for initial access, but once an attacker gains a foothold through phishing, stolen credentials, VPN compromise, or malware execution, the flaw can be used to rapidly elevate privileges and take control of the host.
Technical Analysis
Public technical analysis indicates the issue stems from how Microsoft Defender handles privileged file operations during malware remediation. Specifically, the vulnerability abuses a race condition involving Defender’s cleanup and replacement process for flagged files.
An attacker can trigger Defender to process a malicious or specially crafted file, then manipulate the file path during remediation so Defender performs privileged writes in unintended locations. This can lead to overwriting protected system paths and ultimately achieving SYSTEM-level execution. Because the action is performed by Defender itself, the attacker is effectively abusing a trusted security process to gain elevated access.
This makes the vulnerability particularly impactful across enterprise environments, as Microsoft Defender is widely deployed by default across Windows workstations and servers.
Observed Exploitation
Researchers identified active exploitation tied to broader intrusion activity. In one observed case, suspicious access through a FortiGate SSL VPN preceded local exploitation of the Microsoft Defender zero-days. Huntress reported evidence of hands-on-keyboard attacker behavior, suggesting operational intrusion rather than simple testing of leaked exploits. Additional suspicious infrastructure was observed across multiple regions, including activity geolocated to Russia.
BlueHammer was disclosed alongside two additional Microsoft Defender flaws:
- RedSun: another local privilege escalation vulnerability
- UnDefend: a flaw allowing standard users to disrupt Defender definition updates
Risk to Organizations
Organizations should treat BlueHammer as a high-priority remediation item because it directly supports:
- privilege escalation after phishing or credential compromise
- bypass of endpoint security controls
- credential dumping and persistence
- ransomware staging and lateral movement
- abuse of trusted administrative processes
Attackers rarely rely on a single exploit. Vulnerabilities like BlueHammer are often chained with VPN access, exposed credentials, or initial malware delivery to accelerate full environment compromise.
The KEV designation is the strongest practical signal that exploitation is active and patching should be prioritized immediately.
Recommendations
Organizations should immediately apply the April 2026 Microsoft security updates addressing CVE-2026-33825 across all supported Windows systems and verify Defender engines and platform versions are fully updated. Priority should be given to internet-facing systems, privileged user workstations, jump hosts, and servers with administrative access paths.
Security teams should also review for:
- unexpected privilege escalation activity
- suspicious Defender-related file operations
- anomalous SYSTEM process creation
- unusual use of administrative tools post-login
- suspicious VPN access preceding endpoint activity
- Defender service tampering or abnormal update failures
Threat hunting should focus on privilege escalation behavior occurring shortly after phishing, credential abuse, or remote access events, particularly where attackers may be attempting to establish persistence or disable protections.
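As an added example (not OP Innovate's tooling and not code from the original post), the following Python script turns the review items above into a single correlation rule: it flags a process creation (Security event 4688) in which a standard user's logon session spawns a process running as SYSTEM, then raises the severity when the same host shows a preceding VPN login, a Defender remediation action shortly before the spawn, or Defender tampering / update failures in the same window. The log events, field names, Defender event ID mapping and scoring weights are all assumptions constructed for the example; adapt them to your own SIEM schema.

```python
"""Hunt for BlueHammer-style post-compromise activity in normalized log events.

Added example, not OP Innovate's or Microsoft's code. The events below are
constructed so the script runs offline; field names, the Defender event ID
mapping and the scoring weights are assumptions to be tuned per environment.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed mapping of Windows Defender Operational log IDs to indicators:
# 1117 = platform took a remediation action, 5001 = real-time protection
# disabled, 2001 = signature update failed.
DEFENDER_REMEDIATION = {1117}
DEFENDER_TAMPER = {5001, 2001}
SERVICE_ACCOUNTS = {"SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE"}

# Constructed sample events (normalized from VPN, Defender and Security logs).
SAMPLE_EVENTS = [
    {"ts": "2026-04-20T08:01:00", "host": "WS-17", "source": "vpn",
     "event": "ssl_vpn_login", "user": "jdoe", "src_ip": "203.0.113.45"},
    {"ts": "2026-04-20T08:04:10", "host": "WS-17", "source": "defender",
     "event_id": 1117, "user": "jdoe",
     "path": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\stage.bin"},
    {"ts": "2026-04-20T08:04:12", "host": "WS-17", "source": "security",
     "event_id": 4688, "subject_user": "jdoe", "target_user": "SYSTEM",
     "process": "C:\\Windows\\System32\\cmd.exe"},
    {"ts": "2026-04-20T08:05:00", "host": "WS-17", "source": "defender",
     "event_id": 5001, "user": "SYSTEM"},
    # Benign: a service account spawning a SYSTEM process is expected.
    {"ts": "2026-04-20T08:10:00", "host": "SRV-02", "source": "security",
     "event_id": 4688, "subject_user": "SYSTEM", "target_user": "SYSTEM",
     "process": "C:\\Windows\\System32\\svchost.exe"},
    # Benign: a remediation with no escalation afterwards is routine.
    {"ts": "2026-04-20T09:00:00", "host": "WS-03", "source": "defender",
     "event_id": 1117, "user": "asmith",
     "path": "C:\\Users\\asmith\\Downloads\\invoice.exe"},
]


def parse_ts(value):
    """Timestamps are ISO 8601 strings in the constructed data."""
    return datetime.fromisoformat(value)


def is_low_priv_user(name):
    """Built-in service accounts and machine accounts (ending in $) are
    expected creators of SYSTEM processes; everything else is a user session."""
    return name.upper() not in SERVICE_ACCOUNTS and not name.endswith("$")


def is_suspicious_system_spawn(ev):
    """4688 whose creator (Subject) is a standard user but whose new process
    token (Target) is SYSTEM: a cross-privilege spawn worth reviewing."""
    return (ev.get("event_id") == 4688
            and ev.get("target_user", "").upper() == "SYSTEM"
            and is_low_priv_user(ev.get("subject_user", "")))


def hunt(events, window=timedelta(minutes=30)):
    """Return one finding per suspicious SYSTEM spawn, scored by the other
    indicators seen on the same host within +/- window."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)

    findings = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: parse_ts(e["ts"]))
        for spawn in evs:
            if not is_suspicious_system_spawn(spawn):
                continue
            t0 = parse_ts(spawn["ts"])
            indicators = ["system_spawn_from_user"]
            score = 3  # the escalation itself always merits review
            for other in evs:
                t = parse_ts(other["ts"])
                if other is spawn or abs(t - t0) > window:
                    continue
                if (other.get("event") == "ssl_vpn_login" and t <= t0
                        and "vpn_login_before" not in indicators):
                    indicators.append("vpn_login_before")
                    score += 2
                elif (other.get("event_id") in DEFENDER_REMEDIATION and t <= t0
                        and "defender_remediation_before" not in indicators):
                    indicators.append("defender_remediation_before")
                    score += 2
                elif (other.get("event_id") in DEFENDER_TAMPER
                        and "defender_tamper" not in indicators):
                    indicators.append("defender_tamper")
                    score += 1
            findings.append({
                "host": host, "ts": spawn["ts"], "user": spawn["subject_user"],
                "process": spawn["process"], "indicators": indicators,
                "score": score, "severity": "high" if score >= 5 else "medium",
            })
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

Only WS-17 is reported: the SYSTEM spawn from a user session is the anchor, and the VPN login, the Defender remediation two seconds earlier and the later real-time-protection disable push it to high severity. The service-account spawn on SRV-02 and the lone remediation on WS-03 stay quiet, which keeps the rule usable on a fleet where Defender remediations are routine.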
Stay Safe. Stay Secure.
OP Innovate Research Team