CWE-1220 does map to "Insufficient Granularity of Access Control," so that link is legitimate general-knowledge background. Here is the clean, body-only output:
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has set a two-week deadline for federal agencies to harden their Windows fleets against an actively exploited Microsoft Defender privilege-escalation flaw. Tracked as CVE-2026-33825 and nicknamed "BlueHammer," the bug lets a low-privileged local attacker climb to SYSTEM on unpatched machines. Microsoft shipped a fix in its April 14 Patch Tuesday release, but only after proof-of-concept code surfaced publicly while the issue was still a zero-day.
What the BlueHammer flaw does
CVE-2026-33825 is a high-severity local privilege-escalation vulnerability in Microsoft Defender. According to Microsoft's advisory, the root cause is an insufficient granularity of access control weakness — Defender enforces permissions too coarsely, which an authorized (already-logged-in) attacker can abuse to elevate privileges locally. In practice, that means a user with only standard, low-privilege access on a Windows endpoint can leverage the flaw to obtain full SYSTEM rights, the most powerful local account on the system.
The CVE record is published at cve.org and mirrored to the National Vulnerability Database.
A disclosure that went sideways
The vulnerability picked up its "BlueHammer" name from a researcher operating under the handle "Chaotic Eclipse." Roughly a week before Microsoft's April 14 patch, the researcher went public with working proof-of-concept exploit code — a deliberate protest, they said, against how the Microsoft Security Response Center (MSRC) had handled the coordinated disclosure.
BlueHammer wasn't the only issue dropped. Chaotic Eclipse also detailed two additional Defender weaknesses:
- RedSun — a second Microsoft Defender privilege-escalation flaw.
- UnDefend — a bug that a plain standard user can trigger to block Defender from receiving definition (signature) updates, effectively starving the antivirus of its latest detections.
Because none of the three had an official fix at the moment they were leaked, all of them met Microsoft's definition of a zero-day.
Evidence of real-world, hands-on-keyboard attacks
On April 16, researchers at Huntress Labs reported that attackers were already abusing these zero-days in the wild. The telemetry pointed to "hands-on-keyboard threat actor activity" rather than isolated proof-of-concept testing — in other words, a live operator working through a compromised environment as part of a larger intrusion. Huntress also tied the activity to suspicious FortiGate SSL VPN access in the affected environment, including a source IP geolocated to Russia.
CISA's KEV mandate
CISA responded by adding BlueHammer to its Known Exploited Vulnerabilities (KEV) Catalog. That listing triggers Binding Operational Directive obligations: Federal Civilian Executive Branch (FCEB) agencies were ordered to patch CVE-2026-33825 within two weeks, with a remediation deadline of May 7.
"This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise," CISA warned.
While the KEV deadline is binding only on federal civilian agencies, CISA's catalog is widely treated as a prioritization signal across the private sector as well.
A related privilege-escalation warning
BlueHammer landed a week after CISA flagged another actively exploited local privilege-escalation issue: CVE-2025-60710, a Windows Task Host vulnerability that hands attackers SYSTEM privileges on unpatched Windows 11 and Windows Server 2025 systems. Like BlueHammer, it was confirmed as being exploited in the wild.
Technical background: local privilege escalation and access-control granularity
The following is general background on this class of bug and does not describe BlueHammer-specific exploitation details, which were not published here.
"Insufficient granularity of access control" (CWE-1220) describes a system that makes authorization decisions at too coarse a level — for example, gating an entire operation behind a single broad check instead of validating each sensitive sub-action. Security software like Defender is an especially valuable target because its service components typically run with the highest local privileges (SYSTEM). If a low-privileged user can influence what those components do — by writing to a path the service trusts, manipulating an IPC channel, or exploiting a race in how the service handles a resource — the attacker can borrow the service's privilege level.
Local privilege escalation is rarely the entry point of an intrusion. Attackers usually arrive through some other vector (here, the reporting points to VPN access), land as a normal user, and then chain a local EoP bug to seize SYSTEM, disable defenses, and move laterally. Defenders can reduce exposure with steps such as:
# Confirm the installed Defender platform/engine versions
Get-MpComputerStatus | Select-Object AMServiceVersion, AMEngineVersion, AMProductVersion
# Verify signature/definition updates are current (relevant to "UnDefend"-style update-blocking)
Update-MpSignature
Get-MpComputerStatus | Select-Object AntivirusSignatureLastUpdated, NISSignatureLastUpdated
:: Audit for missing security updates on a host
wmic qfe list brief /format:table
The durable mitigation, however, is the vendor patch: apply Microsoft's April 14 update that resolves CVE-2026-33825, and prioritize CVE-2025-60710 on Windows 11 and Windows Server 2025, in line with CISA's KEV deadlines.