Microsoft patched a critical privilege escalation vulnerability in Defender on April 14, but not before threat actors exploited the zero-day flaw dubbed “BlueHammer” in active attacks. Meanwhile, Apple released emergency iOS updates to address a logging issue that allowed recovery of deleted messages, including Signal chats.
Microsoft Defender Zero-Day Attacks Hit Production Systems
The Microsoft Defender vulnerability, tracked as CVE-2026-33825 with a CVSS score of 7.8, was first disclosed publicly on April 2 by researcher Chaotic Eclipse. According to Huntress, the first attacks leveraging publicly available proof-of-concept code were observed on April 10, just eight days after disclosure.
The flaw stems from a time-of-check to time-of-use (TOCTOU) race condition in Defender’s signature update mechanism. BlueHammer exploits operation locks (oplocks) to suspend Defender operations and tricks the software into copying the Security Account Manager (SAM) database to its output directory. The attack then parses the SAM hive, decrypts NT hashes, and temporarily changes user passwords to generate admin sessions with System privileges.
Huntress identified suspicious activity including FortiGate SSL VPN access from a Russian IP address and additional infrastructure in other regions. The attacks utilized all three techniques published by Chaotic Eclipse: BlueHammer, RedSun, and UnDefend.
Apple Addresses iOS Message Recovery Vulnerability
Apple on Wednesday released iOS 26.4.2, iPadOS 26.4.2, iOS 18.7.8, and iPadOS 18.7.8 to patch CVE-2026-28950, a logging issue that retained deleted message notifications on devices. According to Apple, the vulnerability affected dozens of iPhone and iPad models from iPhone XR through iPhone 16e.
The flaw reportedly allowed law enforcement to extract Signal messages from an iPhone despite the messages being set to disappear and the Signal app being uninstalled. FBI forensic tools exploited the vulnerability to retrieve message previews saved to system cache during the Prairieland investigation involving an alleged Antifa member.
Signal praised Apple for the rapid fix, noting that “once you install the patch, all inadvertently-preserved notifications will be deleted and no forthcoming notifications will be preserved for deleted applications.”
CrowdStrike and Tenable Address Critical Product Flaws
CrowdStrike patched CVE-2026-40050, a critical unauthenticated path traversal vulnerability in its LogScale product that could allow remote attackers to read arbitrary server files. The company discovered the flaw internally and found no evidence of exploitation in log reviews. Next-Gen SIEM customers remain unaffected, while LogScale SaaS customers received automatic mitigation.
Tenable addressed CVE-2026-33694, a high-severity vulnerability in Nessus vulnerability scanner on Windows. The flaw could allow attackers to delete arbitrary files with System privileges via junctions, potentially leading to arbitrary code execution with elevated privileges. Separate advisories were published for both Nessus and Nessus Agent products.
Microsoft Issues Emergency .NET Update
Microsoft released an emergency .NET 10.0.7 update to patch an elevation of privilege vulnerability, though specific technical details about the flaw remain limited. The update addresses a critical security issue that could allow attackers to gain elevated system permissions through the .NET framework.
The rapid succession of Microsoft security patches — including the Defender zero-day and .NET emergency update — highlights ongoing challenges in securing enterprise software stacks against sophisticated privilege escalation attacks.
What This Means
The exploitation of CVE-2026-33825 demonstrates the compressed timeline between vulnerability disclosure and active attacks. Eight days from public disclosure to confirmed exploitation represents a significant challenge for enterprise security teams managing patch cycles. The BlueHammer technique’s sophistication, involving SAM database manipulation and password rotation, shows threat actors rapidly adopting complex privilege escalation methods.
Apple’s iOS message recovery flaw reveals persistent challenges in secure data deletion across mobile platforms. The ability to recover “deleted” Signal messages through system cache forensics undermines user privacy expectations and highlights the gap between application-level security and operating system data handling.
The pattern across Microsoft, Apple, CrowdStrike, and Tenable patches suggests privilege escalation and data persistence vulnerabilities remain primary attack vectors. Organizations should prioritize rapid patch deployment and review data retention policies across their technology stacks.
FAQ
How quickly was the Microsoft Defender zero-day exploited after disclosure?
The CVE-2026-33825 vulnerability was publicly disclosed on April 2 and first exploited in the wild on April 10 — just eight days later. Microsoft patched the flaw on April 14.
Can deleted Signal messages be recovered from iOS devices?
Prior to Apple’s iOS 26.4.2/18.7.8 updates, message previews were retained in system cache even after Signal was uninstalled and messages were set to disappear. The patch addresses this logging issue and deletes previously retained notifications.
What should organizations do about the recent Microsoft vulnerabilities?
Apply the April 14 Microsoft Defender update immediately and install the emergency .NET 10.0.7 update. Review systems for signs of BlueHammer exploitation, including unusual admin session creation and SAM database access patterns.
Sources
- Recent Microsoft Defender Vulnerability Exploited as Zero-Day – SecurityWeek
- Apple Patches iOS Flaw Allowing Recovery of Deleted Chats – SecurityWeek
