A freshly patched elevation-of-privilege flaw in Microsoft Defender — tracked as CVE-2026-33825 and nicknamed BlueHammer — is under active exploitation by attackers leaning on publicly released proof-of-concept code. Huntress confirmed the in-the-wild abuse, and CISA followed by adding the bug to its Known Exploited Vulnerabilities (KEV) catalog with a federal patch deadline of May 6, 2026. Because a working, community-refined exploit shipped before Microsoft's fix landed, this is an emergency-grade patch for any Defender environment.

What CVE-2026-33825 actually is

Microsoft rates CVE-2026-33825 at CVSS 7.8 and describes it as an elevation-of-privilege issue caused by insufficient granularity of access control in Microsoft Defender — an authorized local attacker can use it to raise their privileges. Under the hood, the defect is a time-of-check to time-of-use (TOCTOU) race condition in Defender's signature-update routine. By winning that race, a low-privileged user can climb all the way to SYSTEM.

The vulnerability was disclosed publicly on April 2, 2026 by a researcher operating under the handles Chaotic Eclipse / Nightmare-Eclipse, who posted PoC exploit code to a public GitHub repository and openly cautioned that it could be weaponized. Microsoft shipped a fix on April 14, 2026 as part of that month's Patch Tuesday — but by then attackers were already running the PoC against real targets.

Three techniques: BlueHammer, RedSun, and UnDefend

The disclosure bundled three separate attack techniques, and Huntress reports seeing all three used in live campaigns.

BlueHammer

This is the headline technique. It leans on opportunistic locks (oplocks) to pause Defender mid-operation, then fires a signature update that fools Defender into copying the Security Account Manager (SAM) database into its output directory. The exploit then parses the SAM hive, decrypts the NT hashes, temporarily rotates every user's password, and uses those credentials to launch admin sessions with full SYSTEM rights.

RedSun

RedSun reuses the same oplock trick but aims at critical system files rather than the SAM database. It coaxes Defender into "restoring" a malicious file that doesn't exist, which drops an attacker-controlled binary into the System32 directory — and from there a SYSTEM shell is spawned.

UnDefend

UnDefend is the blinding component, built to switch Defender off. It watches Defender's definition-update folders and the Malicious Software Removal Tool directories, then locks new definition files before Defender can load them. It also grabs locks on backup definition files as soon as Defender starts, knocking out real-time protection and opening a window for the other techniques.

What Huntress observed in the wild

The earliest confirmed attacks using the public PoC were seen on April 10, 2026 — four days ahead of Microsoft's patch — with more activity on April 16. Huntress's review of the compromised environment turned up several details:

  • Initial access came through a FortiGate SSL VPN connection. The source IP geolocated to Russia, and additional suspicious infrastructure showed up in other regions.
  • Payloads were staged in user-writable locations — a low-privilege user's Pictures folder and short two-letter subfolders beneath Downloads.
  • The operators tried all three published techniques but showed shaky understanding of how the exploits worked and never achieved full privilege escalation.
  • They did, however, run hands-on-keyboard reconnaissance inside the environment before being caught.

"Huntress identified suspicious FortiGate SSL VPN access tied to the compromised environment, including a source IP geolocated to Russia, with additional suspicious infrastructure observed in other regions."

Why it spread so fast

The pace of exploitation maps directly onto the availability of working code. Soon after the original PoC hit GitHub, a community fork appeared that ironed out bugs in the original and packaged it with documentation and step-by-step instructions. That dramatically lowered the skill needed to pull off an attack, putting the technique within reach of a much wider set of actors — including ones with no real grasp of the underlying flaw. The familiar cycle — researcher publishes PoC, the community polishes it, exploitation follows in days — is exactly why patching can't be paced solely to vendor disclosure timelines.

CISA KEV listing and deadline

On May 5, 2026, CISA added CVE-2026-33825 to its Known Exploited Vulnerabilities catalog, requiring U.S. federal agencies under its authority to patch by May 6, 2026. The mandate is binding only on federal agencies, but CISA urges every organization to treat KEV entries as a high-priority patching signal. The fix ships in Microsoft's April 14 Patch Tuesday release; anyone running Defender — especially with internet-facing VPN or remote-access appliances — should handle it as an emergency update.

Detection and mitigation

Beyond installing the patch, defenders should:

  • Apply the April 14 Microsoft update now and confirm patch status across every endpoint.
  • Audit VPN and remote-access logs for anomalous logins, particularly from unexpected geolocations — FortiGate SSL VPN was the documented entry point.
  • Watch user-writable directories (Downloads, Pictures, temp folders) for unexpected binary execution or staging.
  • Hunt for oplock abuse by reviewing file-system event logs for unusual locking behavior around Defender's update directories.
  • Alert on SYSTEM-privilege process spawns from non-standard parents, a behavior common to all three techniques.
  • Tighten low-privilege write access in directories outside standard user profiles where practical.
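An added example of the log review in the fourth and fifth bullets, written for this article rather than taken from Huntress, Microsoft or the exploit authors. It pairs Windows object-access audit events (4656 handle requested, 4663 access attempted) by process and handle id and applies two rules: a non-SYSTEM account opening handles on the definition files Defender loads, and Defender's own engine, as SYSTEM, writing under a protected prefix. The event lines are constructed samples in a simplified key=value form (production code would read the Security log), and the Defender directories, the System32 prefix and the premise that the engine has no routine business writing there are assumptions to tune for your estate.

```python
"""Correlate Windows object-access audit events around Defender's update
directories (added example; event lines are CONSTRUCTED samples in a
simplified key=value form, not real Security-log output)."""
import re

SYSTEM_SID = "S-1-5-18"

# Assumed locations for this example: where Defender loads definitions from,
# where its engine runs, and a protected location a privileged service should
# never be steered into writing.
DEFINITION_DIRS = ("c:\\programdata\\microsoft\\windows defender\\definition updates\\",)
DEFENDER_PROCESS_DIRS = ("c:\\programdata\\microsoft\\windows defender\\platform\\",
                         "c:\\program files\\windows defender\\")
PROTECTED_PREFIXES = ("c:\\windows\\system32\\",)

# File access-right bits that change content: WriteData, AppendData, DELETE.
WRITE_BITS = 0x2 | 0x4 | 0x10000

# Constructed sample: one low-privilege process opening a backup definition file,
# and the engine writing a constructed file name under System32.
SAMPLE_EVENTS = r"""
EventID=4656 ProcessId=0x1234 HandleId=0x5a0 SubjectUserSid=S-1-5-21-1-2-3-1001 ProcessName=C:\Users\lowpriv\Pictures\stager.exe ObjectName=C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpavbase.vdm AccessMask=0x1
EventID=4656 ProcessId=0x0c8 HandleId=0x7b4 SubjectUserSid=S-1-5-18 ProcessName=C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe ObjectName=C:\Windows\System32\constructed-sample.exe AccessMask=0x2
EventID=4663 ProcessId=0x0c8 HandleId=0x7b4 SubjectUserSid=S-1-5-18 ProcessName=C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe ObjectName=C:\Windows\System32\constructed-sample.exe AccessMask=0x2
EventID=4656 ProcessId=0x0c8 HandleId=0x7c0 SubjectUserSid=S-1-5-18 ProcessName=C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe ObjectName=C:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\1234 AccessMask=0x2
EventID=4663 ProcessId=0x0c8 HandleId=0x7c0 SubjectUserSid=S-1-5-18 ProcessName=C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe ObjectName=C:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\1234 AccessMask=0x2
"""

# key=value pairs; a value runs until the next " Key=" token or end of line,
# so paths containing spaces survive.
_FIELD = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_events(text):
    """Turn one event per line into dicts; AccessMask becomes an int."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = dict(_FIELD.findall(line))
        ev["AccessMask"] = int(ev["AccessMask"], 16)
        events.append(ev)
    return events


def _under(path, prefixes):
    return path.lower().startswith(prefixes)   # str.startswith accepts a tuple


def analyze(events):
    """Pair each 4663 with the 4656 that created its handle, then apply two rules."""
    findings, opened = [], {}
    for ev in events:
        key = (ev["ProcessId"], ev["HandleId"])
        if ev["EventID"] == "4656":
            opened[key] = ev
            # Rule 1: any lock on a definition file needs a handle first, so a
            # non-SYSTEM account taking handles on those files is worth a look.
            if ev["SubjectUserSid"] != SYSTEM_SID and _under(ev["ObjectName"], DEFINITION_DIRS):
                findings.append({"rule": "non_system_handle_on_definitions", "handle": ev["HandleId"],
                                 "process": ev["ProcessName"], "object": ev["ObjectName"]})
        elif ev["EventID"] == "4663":
            # Rule 2: Defender's engine, as SYSTEM, writing under a protected prefix.
            # Assumption: it has no routine reason to, so a hit suggests a write that
            # was redirected through a swapped path.
            if (ev["SubjectUserSid"] == SYSTEM_SID and ev["AccessMask"] & WRITE_BITS
                    and _under(ev["ProcessName"], DEFENDER_PROCESS_DIRS)
                    and _under(ev["ObjectName"], PROTECTED_PREFIXES)):
                findings.append({"rule": "privileged_write_to_protected_path", "handle": ev["HandleId"],
                                 "process": ev["ProcessName"], "object": ev["ObjectName"],
                                 "correlated": key in opened})
    return findings


def run_sample():
    return analyze(parse_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

Both rules need a SACL on the relevant directories for 4656/4663 to be emitted at all, and the second rule is deliberately narrow (engine process, write bits, protected prefix) so that ordinary Windows Update writes into System32 do not trip it.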

Technical background: TOCTOU and oplock abuse

(General explanation of this vulnerability class — not specific incident artifacts.)

A TOCTOU race exists whenever a program validates a resource (the check) and then acts on it (the use) without holding it locked in between. If an attacker can swap the resource during that gap, the privileged process operates on something different from what it validated. A classic shape is a privileged service that verifies a file path's safety and later reads or writes it:

  1. Service checks  /path/to/file   -> looks safe
  2. Attacker swaps  /path/to/file   -> symlink/junction to a protected target
  3. Service writes  /path/to/file   -> write lands on the protected target

Windows oplocks make winning this race far more reliable. An oplock lets a process request notification — and a stall — when another handle touches a file. An attacker grabs an oplock on a file the privileged process will open; when the service opens it, the OS suspends that thread and hands control to the attacker, who swaps the underlying path before releasing the lock. Effectively, the race window can be held open at will rather than hit by luck. Defenders can surface this pattern by correlating file-handle and object-access events (e.g., Windows Event IDs 4656/4663) around the targeted directories and flagging privileged writes that resolve through links into protected locations such as System32 or the SAM hive.
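As an added illustration of the three-step shape above (not code from the article, from Huntress, or from the exploit authors), the check-then-use writer sits beside an open-then-verify version. It uses POSIX calls (openat via dir_fd, O_NOFOLLOW, fstat) so it runs on Linux; the Windows APIs in the Defender routine differ, so read it as the bug class, not that routine. The `between` hook stands in for the window an oplock would hold open, and every path involved is a scratch file the example creates itself.

```python
"""Check-then-use beside open-then-verify for a privileged file write.
Added illustration of the TOCTOU pattern; uses POSIX calls (openat via
dir_fd, O_NOFOLLOW, fstat), so it is an analogy for the class of bug, not
the Windows routine involved in the Defender flaw."""
import os
import stat
import tempfile


def write_check_then_use(path, data, between=None):
    """VULNERABLE shape: the safety check and the write each resolve `path` on
    their own. `between` simulates the window in which another party swaps it
    (an oplock would hold that window open on Windows)."""
    if os.path.islink(path):                     # check
        return False
    if between is not None:
        between()                                # the race is lost here
    with open(path, "wb") as f:                  # use: path resolved a second time
        f.write(data)
    return True


def write_open_then_verify(base_dir, name, data):
    """Hardened shape: open relative to a held directory handle, refuse to follow
    a link in the final component, and inspect the object that was actually
    opened before writing to it."""
    if os.sep in name or name in (".", ".."):    # no traversal via the name itself
        return False
    dir_fd = os.open(base_dir, os.O_RDONLY | getattr(os, "O_DIRECTORY", 0))
    try:
        dir_st = os.fstat(dir_fd)
        try:
            fd = os.open(name, os.O_WRONLY | os.O_TRUNC | os.O_NOFOLLOW, dir_fd=dir_fd)
        except OSError:                          # ELOOP: the name now points at a symlink
            return False
        try:
            st = os.fstat(fd)                    # facts about the opened object, not the path
            if not stat.S_ISREG(st.st_mode) or st.st_dev != dir_st.st_dev or st.st_nlink != 1:
                return False                     # reject devices, hard links, other mounts
            os.write(fd, data)
            return True
        finally:
            os.close(fd)
    finally:
        os.close(dir_fd)


def demo():
    """Scratch files only: a writable file in `base` and a stand-in for a
    protected target outside it. Returns what each writer did."""
    base = tempfile.mkdtemp()
    protected = os.path.join(tempfile.mkdtemp(), "protected.txt")
    for p in (os.path.join(base, "report.txt"), os.path.join(base, "legit.txt"), protected):
        with open(p, "wb"):
            pass

    def swap():   # the simulated race: report.txt becomes a link to the protected file
        os.remove(os.path.join(base, "report.txt"))
        os.symlink(protected, os.path.join(base, "report.txt"))

    accepted = write_check_then_use(os.path.join(base, "report.txt"), b"data", between=swap)
    with open(protected, "rb") as f:
        landed = f.read() == b"data"
    return {
        "check_then_use_accepted": accepted,                   # True: it passed its own check
        "protected_target_overwritten": landed,                # True: the write went through the link
        "open_then_verify_on_swapped": write_open_then_verify(base, "report.txt", b"data"),  # False
        "open_then_verify_on_plain": write_open_then_verify(base, "legit.txt", b"data"),     # True
    }


if __name__ == "__main__":
    print(demo())
```

The point of the hardened version is that nothing it trusts comes from re-walking the path: the directory is held open, the final component is opened with O_NOFOLLOW, and the regular-file, same-device and single-link checks run on the descriptor it actually got. The same discipline on Windows means opening with reparse-point handling disabled and validating the opened handle rather than the name.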

Bottom line

CVE-2026-33825 shows how quickly a research PoC becomes a real attack tool. BlueHammer, RedSun, and UnDefend together form a flexible privilege-escalation kit that is already in attackers' hands, and the mix of a public refined exploit, a 7.8 CVSS rating, and confirmed in-the-wild use makes this unambiguously must-patch. Apply the April 14 Microsoft update now, and use Huntress's documented indicators to check whether you were probed before the fix existed.