A recently patched privilege escalation vulnerability in Microsoft Defender — tracked as CVE-2026-33825 and dubbed BlueHammer — is being actively exploited in the wild using publicly available proof-of-concept (PoC) code. Cybersecurity firm Huntress confirmed the in-the-wild exploitation, with CISA subsequently adding the flaw to its Known Exploited Vulnerabilities (KEV) catalog and ordering federal agencies to patch by May 6, 2026.

What Is CVE-2026-33825 (BlueHammer)?

CVE-2026-33825 carries a CVSS score of 7.8 and is classified by Microsoft as an elevation of privilege vulnerability rooted in insufficient granularity of access control within Microsoft Defender. The flaw is a time-of-check to time-of-use (TOCTOU) race condition in Defender's signature update mechanism, allowing a low-privileged attacker to escalate all the way to SYSTEM-level permissions.

The vulnerability was publicly disclosed on April 2, 2026, by a researcher going by the aliases Chaotic Eclipse and Nightmare-Eclipse, who published PoC exploit code to a public GitHub repository and explicitly warned the community it could be weaponized. Microsoft issued a patch on April 14, 2026 — but not before threat actors had already begun leveraging the PoC in real attacks.

Three Exploit Techniques: BlueHammer, RedSun, and UnDefend

The original researcher published three distinct attack techniques alongside the CVE disclosure. All three have been observed in active exploitation campaigns, according to Huntress.

BlueHammer

BlueHammer is the primary exploit technique. It abuses opportunistic locks (oplocks) to suspend Defender's processing, then triggers a signature update to trick Defender into copying the Security Account Manager (SAM) database to its output directory. The exploit then parses the SAM hive, decrypts NT hashes, temporarily rotates all user passwords, and uses those credentials to spawn admin sessions with full SYSTEM privileges.

RedSun

RedSun follows a similar oplock-based approach but targets critical system files instead of the SAM database. It tricks Defender into attempting to "restore" a non-existent malicious file, which results in placing a copy of an attacker-controlled binary into the System32 directory. From there, a SYSTEM-level shell is spawned.

UnDefend

UnDefend is a defense-evasion technique designed to neutralize Defender entirely. It monitors for changes to definition update folders and Microsoft's Malicious Software Removal Tool directories, locking new definition files before Defender can use them. It also locks backup definition files immediately after Defender starts, effectively disabling real-time protection and creating a window for further exploitation.

Active Exploitation: What Huntress Found

The first confirmed attacks leveraging the public PoC were observed on April 10, 2026, four days before Microsoft released the patch. Additional malicious activity was recorded on April 16. Huntress's analysis of the compromised environment revealed several noteworthy patterns:

  • Initial access was obtained through an SSL VPN connection to a FortiGate firewall, with a source IP geolocated to Russia and additional suspicious infrastructure observed in other regions.
  • Attackers staged binaries in user-writable directories — specifically a low-privilege user's Pictures folder and short two-letter subdirectories under the Downloads folder.
  • Despite using all three published exploit techniques, the threat actors demonstrated limited familiarity with how the exploits functioned and were ultimately unsuccessful in achieving full privilege escalation.
  • The attackers did, however, conduct hands-on keyboard reconnaissance within the target environment before being detected.

"Huntress identified suspicious FortiGate SSL VPN access tied to the compromised environment, including a source IP geolocated to Russia, with additional suspicious infrastructure observed in other regions."

Why This Vulnerability Spread So Quickly

The speed of exploitation is directly tied to the public availability of working exploit code. Shortly after the original PoC was published to GitHub, a community fork appeared that fixed bugs in the original implementation and bundled it with documentation and step-by-step instructions. This substantially lowered the technical bar for exploitation, making the vulnerability accessible to a much broader pool of threat actors — including those without deep knowledge of the underlying flaw.

This pattern — where a researcher publishes a PoC, the community refines it, and exploitation follows within days — is increasingly common and underscores why organizations cannot rely solely on patch cadences tied to vendor disclosure timelines.

CISA KEV Listing and Patching Deadline

On May 5, 2026, CISA formally added CVE-2026-33825 to its Known Exploited Vulnerabilities (KEV) catalog, requiring all U.S. federal agencies under CISA's authority to apply the available patch by May 6, 2026. While this mandate technically applies to federal agencies, CISA strongly encourages all organizations to treat KEV listings as high-priority patching signals regardless of sector.

The April 14 Patch Tuesday update from Microsoft includes the fix. Organizations running Microsoft Defender — particularly in environments with internet-exposed VPN appliances or remote access infrastructure — should treat this as an emergency patch.

Mitigation and Defensive Recommendations

Beyond applying the patch, organizations should take the following steps to reduce risk from this and similar exploits:

  • Apply the April 14 Microsoft patch immediately if not already done. Verify patch status across all endpoints.
  • Audit VPN and remote access logs for anomalous connections, especially from unfamiliar geolocations. FortiGate SSL VPN was the initial access vector in the Huntress-documented incident.
  • Monitor user-writable directories (Downloads, Pictures, temp folders) for unexpected binary execution or staging activity.
  • Hunt for oplock abuse by reviewing file system event logs for unusual locking patterns around Defender's update directories.
  • Review endpoint detection rules for SYSTEM-privilege spawns from non-standard parent processes, which is a behavioral indicator common to all three BlueHammer techniques.
  • Restrict low-privilege user write access in directories outside of standard user profiles where feasible.
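The following script turns the staging and process-lineage indicators above into a hunt over process-creation events. It is an added example, not code from Huntress, Microsoft, or the researcher who published the techniques. It assumes events exported as dicts with Sysmon-style field names (UtcTime, Image, ParentImage, User); the parent-process allowlist and the five sample events are constructed for illustration and would need tuning to an environment's baseline. It flags two things: binaries executed from the user-writable staging locations named in the Huntress write-up (a Pictures folder, two-letter subdirectories under Downloads, and Temp), and any SYSTEM-integrity process whose parent is not a standard service host, with an extra note when that parent itself lives in a staging directory.

```python
"""Hunt for BlueHammer-style staging and SYSTEM-spawn indicators in
process-creation events (added example, not vendor or researcher code)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Parents from which a SYSTEM child is normally expected. Assumption: this
# allowlist is illustrative; baseline it against real telemetry before use.
EXPECTED_SYSTEM_PARENTS = {
    r"c:\windows\system32\services.exe",
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\winlogon.exe",
    r"c:\windows\system32\smss.exe",
    r"c:\windows\system32\csrss.exe",
}

# Staging locations called out in the incident write-up: a user's Pictures
# folder and short two-letter subdirectories under Downloads; Temp is added
# because the mitigation list names it as a user-writable directory to watch.
STAGING_PATTERNS = [
    ("staging-pictures",
     re.compile(r"^c:\\users\\[^\\]+\\pictures\\[^\\]+\.(exe|dll)$", re.I)),
    ("staging-downloads-short-subdir",
     re.compile(r"^c:\\users\\[^\\]+\\downloads\\[a-z0-9]{2}\\[^\\]+\.(exe|dll)$", re.I)),
    ("staging-temp",
     re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\temp\\[^\\]+\.(exe|dll)$", re.I)),
]

SYSTEM_ACCOUNTS = {r"nt authority\system", "system"}


@dataclass(frozen=True)
class Finding:
    time: str
    rule: str
    image: str
    detail: str


def staging_rule(path: str) -> str | None:
    """Return the matching staging rule name, or None if the path is not a
    user-writable staging location we care about."""
    for name, pattern in STAGING_PATTERNS:
        if pattern.match(path.lower()):
            return name
    return None


def check_event(ev: dict) -> list[Finding]:
    """Evaluate one process-creation event against both rules."""
    findings: list[Finding] = []
    image = ev["Image"].lower()
    parent = ev["ParentImage"].lower()
    user = ev["User"].lower()

    rule = staging_rule(image)
    if rule:
        findings.append(Finding(ev["UtcTime"], rule, ev["Image"],
                                f"executed from a staging directory by {ev['User']}"))

    # A SYSTEM process whose parent is not a standard service host is the
    # behavioural signal shared by the published escalation techniques.
    if user in SYSTEM_ACCOUNTS and parent not in EXPECTED_SYSTEM_PARENTS:
        detail = f"SYSTEM child of non-standard parent {ev['ParentImage']}"
        if staging_rule(parent):
            detail += " (parent binary itself sits in a staging directory)"
        findings.append(Finding(ev["UtcTime"], "system-from-nonstandard-parent",
                                ev["Image"], detail))
    return findings


def hunt(events: list[dict]) -> list[Finding]:
    """Run check_event over an event list, preserving event order."""
    return [f for ev in events for f in check_event(ev)]


# Constructed sample events; timestamps and paths are not real telemetry.
SAMPLE_EVENTS = [
    {"UtcTime": "2026-04-10 09:12:01", "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe", "User": r"NT AUTHORITY\SYSTEM"},
    {"UtcTime": "2026-04-10 09:14:22", "Image": r"C:\Users\jdoe\Pictures\bh.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "User": r"CORP\jdoe"},
    {"UtcTime": "2026-04-10 09:14:30", "Image": r"C:\Users\jdoe\Downloads\ab\rs.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "User": r"CORP\jdoe"},
    {"UtcTime": "2026-04-10 09:15:05", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Users\jdoe\Downloads\ab\rs.exe", "User": r"NT AUTHORITY\SYSTEM"},
    {"UtcTime": "2026-04-10 09:20:00", "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "User": r"CORP\jdoe"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.time}  {f.rule:32}  {f.image}  {f.detail}")
```

Against the sample set the script reports the two staged binaries and the SYSTEM cmd.exe spawned by one of them, while the normal svchost.exe and browser launches pass silently. Feeding it real Sysmon Event ID 1 or Security 4688 exports is a matter of mapping the field names; the value of the second rule depends entirely on how well the parent allowlist reflects the environment, so expect to extend it during the first runs.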

Conclusion

CVE-2026-33825 is a clear example of how quickly a researcher's proof-of-concept can transition from academic disclosure to active exploitation. The BlueHammer, RedSun, and UnDefend techniques collectively represent a capable and flexible privilege escalation toolkit — one that is already in the hands of real-world threat actors. The combination of a public, refined PoC, a high CVSS score, and confirmed in-the-wild exploitation makes this a must-patch vulnerability. Organizations should not wait; apply the April 14 Microsoft security update now and use Huntress's documented indicators of compromise to validate whether any environments were targeted before the patch was available.