A significant security flaw in Microsoft Defender, identified as a privilege escalation vulnerability, has been actively exploited as a zero-day threat using a publicly available proof-of-concept (PoC). Cybersecurity company Huntress has highlighted the exploitation of this vulnerability, which was patched on April 14 and is cataloged as CVE-2026-33825 with a CVSS score of 7.8.
Vulnerability Details and Initial Disclosure
The vulnerability, described by Microsoft as an elevation of privilege issue, stems from inadequate access control measures. It was publicly disclosed on April 2 by a researcher known as Chaotic Eclipse, who named the flaw BlueHammer. The researcher provided PoC exploit code on GitHub, leading to rapid interest and further development, including bug fixes and detailed documentation.
BlueHammer exploits a time-of-check to time-of-use (TOCTOU) flaw in Defender’s signature update process, enabling a low-privileged attacker to obtain SYSTEM-level permissions. The first attacks using this PoC were detected on April 10, with further activity noted on April 16.
Techniques and Exploit Mechanisms
Huntress has warned of three primary techniques published by Chaotic Eclipse: BlueHammer, RedSun, and UnDefend. BlueHammer uses operation locks to halt Defender’s functions, tricking it into copying and manipulating the Security Account Manager (SAM) database to gain unauthorized access. RedSun similarly manipulates system files to escalate privileges, while UnDefend disables Defender by controlling definition files to prevent their use.
Huntress observed that the attackers staged their tooling in user-writable directories, with binaries often placed in low-privilege user folders. Access to the targeted environments was obtained through SSL VPN connections to FortiGate firewalls, although the attackers lacked a complete understanding of the exploit mechanics.
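The staging pattern described above (binaries dropped into folders any standard user can write to) is something a defender can hunt for in process-creation telemetry. The following Python script is an added illustration, not code from Huntress, Microsoft or the researcher: it parses a constructed, simplified process-creation log format, normalizes Windows image paths, and flags launches whose executable lives under a user-writable location. The log format, the list of user-writable directories and the sample lines are assumptions made for this example.

```python
"""Hunt process-creation logs for binaries launched from user-writable folders.

Added example for this article (not Huntress tooling). The log line format
and the directory list below are assumptions; the sample lines are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Locations a standard (non-admin) user can normally write to on Windows.
# Assumption for this example; tune to the environment (ProgramData in
# particular is noisy because legitimate updaters run from there).
USER_WRITABLE_PATTERNS = [
    re.compile(r"^c:\\users\\[^\\]+\\(appdata\\local\\temp|downloads|desktop|documents)\\", re.I),
    re.compile(r"^c:\\users\\public\\", re.I),
    re.compile(r"^c:\\windows\\temp\\", re.I),
    re.compile(r"^c:\\programdata\\", re.I),
]


@dataclass
class ProcessEvent:
    timestamp: str
    user: str
    image: str
    parent: str


# Constructed log format: ISO timestamp followed by quoted key="value" fields.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) user="(?P<user>[^"]+)" image="(?P<image>[^"]+)" parent="(?P<parent>[^"]+)"$'
)


def parse_line(line: str) -> Optional[ProcessEvent]:
    """Return a ProcessEvent for a well-formed line, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return ProcessEvent(m["ts"], m["user"], m["image"], m["parent"])


def normalize(path: str) -> str:
    """Windows paths are case-insensitive and accept forward slashes."""
    return path.replace("/", "\\").lower()


def is_user_writable(path: str) -> bool:
    """True if the image path sits under one of the user-writable locations."""
    p = normalize(path)
    return any(pat.match(p) for pat in USER_WRITABLE_PATTERNS)


def find_staged_launches(lines: List[str]) -> List[ProcessEvent]:
    """Return every parsable event whose image was launched from a staging folder."""
    hits: List[ProcessEvent] = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # malformed line: skip rather than crash the hunt
        if is_user_writable(ev.image):
            hits.append(ev)
    return hits


# Constructed sample telemetry (user, host and file names are invented).
SAMPLE_LOG = [
    '2026-04-10T09:12:01Z user="CORP\\jsmith" image="C:\\Users\\jsmith\\AppData\\Local\\Temp\\update_tool.exe" parent="C:\\Windows\\System32\\cmd.exe"',
    '2026-04-10T09:12:05Z user="NT AUTHORITY\\SYSTEM" image="C:\\Program Files\\Windows Defender\\MsMpEng.exe" parent="C:\\Windows\\System32\\services.exe"',
    '2026-04-10T09:13:40Z user="CORP\\jsmith" image="c:/users/public/helper.exe" parent="C:\\Windows\\explorer.exe"',
    'not a process event',
]

if __name__ == "__main__":
    for ev in find_staged_launches(SAMPLE_LOG):
        print(f"{ev.timestamp} {ev.user} launched {ev.image} (parent {ev.parent})")
```

Running the script prints the two launches from `AppData\Local\Temp` and `C:\Users\Public`, while the Defender engine process running from `Program Files` is left alone. Pair the hit with the parent process and the user account when triaging: an executable under a profile folder spawned from a shell by an interactive user is the shape of the staging activity the report describes.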
Official Response and Security Recommendations
In response to the vulnerability, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-33825 to its Known Exploited Vulnerabilities catalog, urging organizations to apply necessary patches by May 6. This addition underscores the critical nature of the vulnerability and the importance of implementing timely security updates to protect systems from exploitation.
Organizations are advised to remain vigilant and ensure their cybersecurity measures are up to date, particularly concerning known vulnerabilities in widely used software like Microsoft Defender. Regular patching and monitoring of network activity are essential to safeguard against potential breaches.
Related warnings have been issued for other exploited vulnerabilities, such as those in Cisco, Kentico, Zimbra, Apache ActiveMQ, and various Windows and Adobe Acrobat products, emphasizing the persistent threat landscape faced by organizations worldwide.
