
Microsoft Defender CVE-2026-33825 Zero-Day Exploited in Wild

A critical privilege escalation vulnerability in Microsoft Defender has been actively exploited in the wild as a zero-day attack, with threat actors leveraging publicly available proof-of-concept code to gain system-level access. According to Huntress, the first attacks using the exploit were detected on April 10, just eight days after the vulnerability was publicly disclosed.

BlueHammer Exploit Details

The vulnerability, tracked as CVE-2026-33825 with a CVSS score of 7.8, was patched by Microsoft on April 14 following its public disclosure on April 2. The flaw was discovered and disclosed by a researcher known as Chaotic Eclipse, who named the exploit “BlueHammer” and published proof-of-concept code to GitHub.

Microsoft describes the vulnerability as an elevation of privilege bug caused by insufficient granularity of access control. The exploit leverages a time-of-check to time-of-use (TOCTOU) race condition in Defender’s signature update mechanism, allowing attackers with low-level privileges to escalate to full System permissions.

The BlueHammer technique uses opportunistic locks (oplocks) to suspend Defender’s operation while triggering a signature update. This tricks Defender into copying the Security Account Manager (SAM) database to its output directory, where the exploit can parse the SAM hive and decrypt users’ NT hashes.

Active Exploitation Campaign

Cybersecurity firm Huntress identified the first real-world attacks on April 10, with additional activity observed on April 16. The attacks originated from suspicious FortiGate SSL VPN access, including source IPs geolocated to Russia and other regions.

The threat actors utilized all three techniques published by Chaotic Eclipse: BlueHammer, RedSun, and UnDefend. Interest in the exploit surged rapidly after its disclosure, fueled by a GitHub fork that fixed bugs in the original implementation and included detailed documentation and instructions.

The exploitation process involves temporarily changing all user passwords to a new value, then using these credentials to generate administrative sessions for gaining System-level permissions. The RedSun variant operates similarly but relies on different mechanisms for achieving the same privilege escalation outcome.
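The password-reset step just described leaves a clear footprint in the Windows Security log: one subject account resetting many other accounts' passwords within seconds. The script below is an added example, not code from the article, from Huntress or from the researcher; it correlates constructed Security log records and alerts when a single subject resets a configurable number of distinct accounts inside a short window. Event ID 4724 ("An attempt was made to reset an account's password") is a real Windows event ID; the records, account names, timestamps and thresholds are constructed for the example.

```python
"""Flag a burst of password resets by one subject account, the kind of
activity the BlueHammer post-exploitation step produces.
Added example; the event records below are constructed, not real telemetry."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Windows Security log records in a simplified dict form.
# 4724 is the real Windows event "An attempt was made to reset an account's
# password"; 4624 (successful logon) is included only as noise.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TimeCreated": "2026-04-10T09:14:30", "SubjectUserName": "alice", "TargetUserName": "alice"},
    {"EventID": 4724, "TimeCreated": "2026-04-10T09:15:01", "SubjectUserName": "SYSTEM", "TargetUserName": "alice"},
    {"EventID": 4724, "TimeCreated": "2026-04-10T09:15:02", "SubjectUserName": "SYSTEM", "TargetUserName": "bob"},
    {"EventID": 4724, "TimeCreated": "2026-04-10T09:15:02", "SubjectUserName": "SYSTEM", "TargetUserName": "svc_backup"},
    {"EventID": 4724, "TimeCreated": "2026-04-10T09:15:04", "SubjectUserName": "SYSTEM", "TargetUserName": "carol"},
    # Normal helpdesk activity: two resets hours apart must not alert.
    {"EventID": 4724, "TimeCreated": "2026-04-10T11:02:10", "SubjectUserName": "helpdesk1", "TargetUserName": "dave"},
    {"EventID": 4724, "TimeCreated": "2026-04-10T14:40:55", "SubjectUserName": "helpdesk1", "TargetUserName": "erin"},
]


def _ts(event):
    """Parse the record's ISO-8601 timestamp."""
    return datetime.fromisoformat(event["TimeCreated"])


def detect_mass_password_reset(events, threshold=3, window=timedelta(minutes=5)):
    """Return one alert per subject account that reset the passwords of at
    least `threshold` distinct target accounts within any span of `window`.
    The alert reports the densest such window found for that subject."""
    resets = sorted((e for e in events if e["EventID"] == 4724), key=_ts)
    by_subject = defaultdict(list)
    for e in resets:
        by_subject[e["SubjectUserName"]].append(e)

    alerts = []
    for subject, evs in by_subject.items():
        best = None
        for left in range(len(evs)):
            # Extend the window to the right as far as the time limit allows.
            right = left
            while right + 1 < len(evs) and _ts(evs[right + 1]) - _ts(evs[left]) <= window:
                right += 1
            targets = {ev["TargetUserName"] for ev in evs[left:right + 1]}
            if len(targets) >= threshold and (best is None or len(targets) > best["distinct_targets"]):
                best = {
                    "subject": subject,
                    "distinct_targets": len(targets),
                    "targets": sorted(targets),
                    "first": evs[left]["TimeCreated"],
                    "last": evs[right]["TimeCreated"],
                }
        if best is not None:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_mass_password_reset(SAMPLE_EVENTS):
        print(f"ALERT: {alert['subject']} reset {alert['distinct_targets']} accounts "
              f"between {alert['first']} and {alert['last']}: {', '.join(alert['targets'])}")
```

In production the same logic runs over exported Security log records (the field names used here match the XML/EVTX event data names, but that mapping is an assumption of the example); the threshold and window should be tuned against normal helpdesk and provisioning activity so that routine single resets do not trigger it.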

Additional Security Vulnerabilities

Several other critical vulnerabilities have emerged in enterprise security products. CVE-2026-40050, a critical unauthenticated path traversal vulnerability in CrowdStrike’s LogScale product, allows remote attackers to read arbitrary files from server filesystems. According to CrowdStrike, the vulnerability was discovered internally with no evidence of exploitation in the wild.

Tenable disclosed CVE-2026-33694, a high-severity vulnerability in its Nessus vulnerability scanner on Windows platforms. The flaw enables attackers to exploit junctions for deleting arbitrary files with System privileges, potentially leading to arbitrary code execution with elevated permissions.

CVE-2026-34197, a remote code execution vulnerability in Apache ActiveMQ, has also been exploited in the wild according to SecurityWeek. The vulnerability came to light in early April and represents another critical threat to enterprise infrastructure.

NIST Database Changes

The National Institute of Standards and Technology (NIST) announced significant changes to its National Vulnerability Database (NVD) handling procedures following a 263% surge in CVE submissions. According to The Hacker News, NIST will now only enrich CVEs that meet specific criteria, though all vulnerabilities will still be listed in the database.

This change reflects the overwhelming volume of vulnerability disclosures affecting the cybersecurity community’s ability to properly assess and prioritize threats. CVEs that don’t meet the new enrichment criteria will receive basic listings without detailed analysis or scoring.

Microsoft .NET Emergency Update

Microsoft also released an emergency .NET 10.0.7 update to address an elevation of privilege vulnerability, demonstrating the company’s continued efforts to address security flaws across its product portfolio. The update follows the pattern of rapid response to privilege escalation vulnerabilities that have become increasingly common targets for attackers.

What This Means

The active exploitation of CVE-2026-33825 highlights the dangerous trend of researchers publicly releasing exploit code before adequate patches are widely deployed. The eight-day window between disclosure and first observed attacks demonstrates how quickly threat actors can weaponize public proof-of-concept code.

Organizations running Microsoft Defender must prioritize applying the April 14 patch immediately. The vulnerability’s exploitation in conjunction with VPN access suggests sophisticated threat actors are combining multiple attack vectors for persistent access to enterprise networks.

The broader pattern of serious vulnerabilities in major security products (CrowdStrike, Tenable, Microsoft) indicates that endpoint security and vulnerability management tools themselves have become high-value targets for attackers seeking to disable defensive capabilities.

FAQ

What is CVE-2026-33825 and why is it dangerous?
CVE-2026-33825 is a privilege escalation vulnerability in Microsoft Defender that allows attackers with low-level access to gain full System permissions. It’s particularly dangerous because exploit code is publicly available and has been used in real attacks since April 10.

How can organizations protect against the BlueHammer exploit?
Organizations should immediately apply Microsoft’s April 14 patch for CVE-2026-33825. Additionally, they should monitor for suspicious VPN access, especially from foreign IP addresses, and implement defense-in-depth strategies that don’t rely solely on endpoint protection.

Why did NIST change its CVE enrichment process?
NIST modified its process due to a 263% increase in CVE submissions, which overwhelmed their ability to provide detailed analysis for every vulnerability. They now only enrich CVEs meeting specific criteria while still listing all vulnerabilities in the database.

Digital Mind News

Digital Mind News is an AI-operated newsroom. Every article here is synthesized from multiple trusted external sources by our automated pipeline, then checked before publication. We disclose our AI authorship openly because transparency is part of the product.