
Microsoft Defender Zero-Day CVE-2026-33825 Exploited in Wild

A privilege escalation vulnerability in Microsoft Defender has been actively exploited as a zero-day following public disclosure of proof-of-concept code, according to Huntress. The vulnerability, tracked as CVE-2026-33825 with a CVSS score of 7.8, was patched by Microsoft on April 14 but had been exploited in attacks starting April 10.

The flaw was publicly disclosed on April 2 by researcher Chaotic Eclipse, who published exploit code for the vulnerability dubbed “BlueHammer” to their GitHub repository. Microsoft describes the issue as an elevation of privilege bug caused by insufficient granularity of access control in Defender’s signature update mechanism.

BlueHammer Exploit Technique Details

BlueHammer exploits a time-of-check to time-of-use (TOCTOU) race condition in Microsoft Defender’s signature update process. It allows a low-privileged local user to escalate to full System permissions through a multi-step chain.

The exploit relies on opportunistic locks (oplocks) to temporarily suspend Defender’s operations while triggering a signature update. This tricks Defender into copying the Security Account Manager (SAM) database into its output directory, where the attacker can read it.

Once the SAM hive is accessible, BlueHammer parses it, decrypts the users’ NT password hashes, and temporarily changes all user passwords. The exploit then uses the new passwords to create administrative sessions with System-level permissions.
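The password-reset step leaves an audit trail: Windows records each reset attempt as Security event 4724 (provided the "Audit User Account Management" subcategory is enabled). The following detection is an added example, not code from Huntress, Microsoft or the BlueHammer repository; it flags a single account resetting passwords for several distinct users within a short window, which is the footprint a mass reset like the one described above would leave. It assumes the events have already been exported as dicts with `event_id`, `timestamp`, `subject` and `target` fields (field names are the example’s own choice), and the sample events are constructed.

```python
"""Flag bursts of password resets by one account against many others.

Added example for the BlueHammer write-up; not code from Huntress,
Microsoft or the BlueHammer repository. Windows records each password reset
attempt as Security event 4724 (requires the "Audit User Account Management"
subcategory). Events are assumed to have been exported as dicts with the
fields event_id, timestamp (ISO 8601), subject (account performing the reset)
and target (account whose password was reset); those field names are this
example's own choice.
"""
from collections import defaultdict
from datetime import datetime, timedelta

PASSWORD_RESET_EVENT_ID = 4724  # "An attempt was made to reset an account's password"

# Constructed sample events: routine helpdesk resets plus a burst from one account.
SAMPLE_EVENTS = [
    {"event_id": 4724, "timestamp": "2026-04-10T08:00:00", "subject": "helpdesk", "target": "alice"},
    {"event_id": 4738, "timestamp": "2026-04-10T08:00:01", "subject": "helpdesk", "target": "alice"},
    {"event_id": 4724, "timestamp": "2026-04-10T08:30:00", "subject": "helpdesk", "target": "bob"},
    {"event_id": 4724, "timestamp": "2026-04-10T09:15:00", "subject": "lowpriv", "target": "Administrator"},
    {"event_id": 4724, "timestamp": "2026-04-10T09:15:01", "subject": "lowpriv", "target": "alice"},
    {"event_id": 4724, "timestamp": "2026-04-10T09:15:02", "subject": "lowpriv", "target": "bob"},
    {"event_id": 4724, "timestamp": "2026-04-10T09:15:03", "subject": "lowpriv", "target": "svc_backup"},
]


def find_reset_bursts(events, window=timedelta(minutes=2), min_accounts=3):
    """Return one alert per subject that reset passwords for at least
    `min_accounts` distinct targets within any `window`-long span.

    Each alert is a dict {"subject", "start", "targets"} with targets sorted.
    """
    resets_by_subject = defaultdict(list)
    for event in events:
        if event["event_id"] != PASSWORD_RESET_EVENT_ID:
            continue
        when = datetime.fromisoformat(event["timestamp"])
        resets_by_subject[event["subject"]].append((when, event["target"]))

    alerts = []
    for subject, resets in resets_by_subject.items():
        resets.sort()
        for start in range(len(resets)):
            # Extend the window forward from this reset as far as it reaches.
            end = start
            while end + 1 < len(resets) and resets[end + 1][0] - resets[start][0] <= window:
                end += 1
            targets = {target for _, target in resets[start:end + 1]}
            if len(targets) >= min_accounts:
                alerts.append({"subject": subject,
                               "start": resets[start][0],
                               "targets": sorted(targets)})
                break  # one alert per subject is enough to triage
    return alerts


if __name__ == "__main__":
    for alert in find_reset_bursts(SAMPLE_EVENTS):
        print(f"{alert['start']}: {alert['subject']} reset {len(alert['targets'])} "
              f"accounts: {', '.join(alert['targets'])}")
```

On the constructed sample, the two helpdesk resets thirty minutes apart produce nothing, while the four resets from `lowpriv` within three seconds produce a single alert. Tune `window` and `min_accounts` to the normal rate of helpdesk resets in your environment, and treat a subject that is not a known administrative or service account as the stronger signal.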

Active Exploitation Campaign

Huntress researchers observed the first attacks leveraging the public proof-of-concept code on April 10, just eight days after the vulnerability disclosure. Additional attack activity was detected on April 16, indicating sustained interest in the exploit.

The attacks incorporated all three techniques published by Chaotic Eclipse: BlueHammer, RedSun, and UnDefend. RedSun operates similarly to BlueHammer but uses different methods for the same privilege escalation outcome.

Investigators identified suspicious FortiGate SSL VPN access tied to compromised environments, including connections from IP addresses geolocated to Russia. Additional suspicious infrastructure was observed in other regions, suggesting a coordinated campaign.

Additional Critical Vulnerabilities

Several other high-severity vulnerabilities have emerged in recent weeks across major enterprise security products. CrowdStrike published an advisory for CVE-2026-40050, a critical unauthenticated path traversal vulnerability in its LogScale product that allows remote attackers to read arbitrary files from server filesystems.

The CrowdStrike vulnerability affects LogScale Self-hosted customers but not Next-Gen SIEM users. LogScale SaaS customers received automatic mitigation, while self-hosted deployments require manual updates to patched versions.
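Path traversal of the kind the LogScale advisory describes is, in general terms, a failure to confine a client-supplied file name to the directory the service is meant to serve. The following added example (not CrowdStrike’s code, and not a description of LogScale’s actual implementation, which the advisory does not detail) shows the naive join beside a hardened resolver; `EXPORT_ROOT` is a hypothetical directory.

```python
"""Naive versus confined file-name resolution for a file-serving endpoint.

Added example for the path-traversal discussion; not CrowdStrike code and
not a description of LogScale's actual implementation. EXPORT_ROOT is a
hypothetical directory the service is allowed to serve from.
"""
from pathlib import Path
from typing import Optional
from urllib.parse import unquote

EXPORT_ROOT = Path("/srv/app/exports")  # hypothetical


def resolve_unsafe(requested: str) -> Path:
    """The vulnerable pattern: join untrusted input straight onto the root.
    '../../etc/passwd' walks out of EXPORT_ROOT; an absolute name replaces it."""
    return EXPORT_ROOT / requested


def resolve_safe(requested: str) -> Optional[Path]:
    """Return the real path of `requested` only if it lies inside EXPORT_ROOT.

    Steps: decode percent-encoding once (the same decoding the web layer
    applies, so the check sees what the filesystem would see), join, resolve
    symlinks and '..' segments, then require the result to be a strict
    descendant of the resolved root. Returns None for anything else.
    """
    root = EXPORT_ROOT.resolve()
    candidate = (root / unquote(requested)).resolve()
    if candidate == root:
        return None  # the directory itself is not a file to serve
    try:
        candidate.relative_to(root)
    except ValueError:
        return None  # escaped the root via '..', an absolute path or a symlink
    return candidate


if __name__ == "__main__":
    for name in ["report.csv", "sub/../report.csv", "../../etc/passwd",
                 "/etc/passwd", "..%2f..%2fetc%2fpasswd"]:
        print(f"{name!r:32} unsafe={resolve_unsafe(name)}  safe={resolve_safe(name)}")
```

Because the check runs on the fully resolved path, a symbolic link placed inside the served directory but pointing outside it is rejected too, which a purely textual check for `..` would miss. The decode step must match what the application’s own request handling does: if the framework already decodes once, decoding again here would turn `%252e%252e` into `..` and reintroduce the problem.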

Tenable addressed CVE-2026-33694, a high-severity vulnerability in the Nessus vulnerability scanner on Windows. The flaw allows attackers to delete arbitrary files with System privileges by abusing NTFS junctions, potentially leading to arbitrary code execution with elevated permissions.

Apache ActiveMQ Under Attack

A remote code execution vulnerability in Apache ActiveMQ, tracked as CVE-2026-34197, has also been exploited in active campaigns since its disclosure in early April. SecurityWeek reported that attackers are leveraging this vulnerability for initial access to enterprise environments.

The ActiveMQ vulnerability represents another example of how quickly threat actors can weaponize publicly disclosed security flaws, particularly when proof-of-concept code becomes available.

NIST Overwhelmed by CVE Volume

The surge in vulnerability discoveries has created operational challenges for the National Institute of Standards and Technology (NIST). The Hacker News reported that NIST experienced a 263% increase in CVE submissions, forcing the organization to limit enrichment activities for vulnerabilities listed in the National Vulnerability Database.

NIST announced it will only provide detailed enrichment for CVEs meeting specific criteria. Vulnerabilities that don’t meet those criteria will still be listed in the NVD, but without full analysis and scoring.

This change reflects the increasing pace of vulnerability discovery and disclosure across the technology industry, particularly as automated scanning tools and AI-assisted research accelerate the identification of security flaws.

Emergency .NET Patch

Microsoft also released an emergency update for .NET 10.0.7 to address an elevation of privilege vulnerability, according to CyberSecurityNews. The out-of-band release signals the severity of the flaw and its potential for exploitation.

The rapid succession of Microsoft security updates highlights ongoing challenges in securing complex software platforms against sophisticated attack techniques.

What This Means

The BlueHammer exploitation demonstrates how quickly adversaries can weaponize disclosed vulnerabilities, particularly when detailed proof-of-concept code becomes publicly available. The eight-day window between disclosure and active exploitation represents a compressed timeline for enterprise defenders.

Organizations should prioritize patch deployment for privilege escalation vulnerabilities, as these flaws enable attackers to expand access within compromised environments. The Russian-linked infrastructure observed in BlueHammer attacks suggests nation-state or organized criminal interest in these techniques.

The volume surge forcing NIST to limit CVE enrichment activities may impact vulnerability prioritization efforts across the industry. Security teams may need to develop alternative methods for assessing and ranking newly disclosed vulnerabilities.

FAQ

What is CVE-2026-33825 and how severe is it?
CVE-2026-33825 is a privilege escalation vulnerability in Microsoft Defender with a CVSS score of 7.8. It allows attackers with low privileges to gain full System permissions through a race condition in the signature update mechanism.

How quickly was this vulnerability exploited after disclosure?
The vulnerability was publicly disclosed on April 2 with proof-of-concept code, and the first active exploitations were observed on April 10 – just eight days later. Microsoft patched the flaw on April 14.

What should organizations do to protect against these vulnerabilities?
Organizations should immediately apply Microsoft’s April 14 patch for Defender, update CrowdStrike LogScale and Tenable Nessus installations, and monitor for suspicious VPN access patterns. Priority should be given to privilege escalation vulnerabilities that enable lateral movement.

Digital Mind News

Digital Mind News is an AI-operated newsroom. Every article here is synthesized from multiple trusted external sources by our automated pipeline, then checked before publication. We disclose our AI authorship openly because transparency is part of the product.