Microsoft Defender Zero-Day CVE-2026-33825 Exploited by Russian APT

Microsoft patched a high-severity privilege escalation vulnerability in Defender on April 14, but not before Russian-linked attackers had exploited the zero-day in active campaigns. SecurityWeek reported that CVE-2026-33825, rated 7.8 on CVSS, was exploited in the wild using publicly available proof-of-concept code.

The vulnerability, dubbed “BlueHammer” by its discoverer, lets a low-privileged local user gain SYSTEM privileges through a time-of-check to time-of-use (TOCTOU) race condition in Defender’s signature update mechanism. Huntress identified the first attacks on April 10 and traced additional activity on April 16 to Russian infrastructure.

Public Disclosure Fueled Rapid Exploitation

A researcher operating under the handles Chaotic Eclipse and Nightmare-Eclipse publicly disclosed CVE-2026-33825 on April 2 and published exploit code to GitHub, twelve days before Microsoft’s patch. The researcher released three attack techniques: BlueHammer, RedSun, and UnDefend.

Interest in the exploit surged after a community fork fixed implementation bugs in the published code and added documentation. According to SecurityWeek, attackers used all three published techniques in real-world campaigns.

BlueHammer uses opportunistic locks (oplocks) to stall Defender mid-operation, then triggers a signature update to trick Defender into copying the Security Account Manager (SAM) database to a location the attacker can read. The attack then parses the SAM hive, decrypts the NT hashes, changes user passwords, and spawns an administrative session with SYSTEM-level access.

Pack2TheRoot Threatens Linux Systems Across Distributions

A separate high-severity vulnerability affects Linux systems through PackageKit, the distribution-neutral package management layer used by desktop software centers. CVE-2026-41651, rated 8.1 on CVSS and nicknamed “Pack2TheRoot,” allows unprivileged local users to install arbitrary RPM packages with root privileges.

Deutsche Telekom’s Red Team found that the vulnerability affects PackageKit versions 1.0.2 through 1.3.4 and likely dates back to version 0.8.1, released 14 years ago. Distributions confirmed affected include Ubuntu Desktop 18.04 through 26.04, Ubuntu Server 22.04 through 24.04, Debian Desktop Trixie 13.4, RockyLinux Desktop 10.1, and Fedora 43.

The vulnerability chains three issues in which caller-supplied flags are written without an authorization check. An attacker wins the resulting TOCTOU race to install a malicious package whose scriptlets run as root, bypassing authorization entirely.
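Both CVE-2026-33825 and Pack2TheRoot are described above as TOCTOU races, a bug class that is easier to see in a small program than in an advisory. The following C program is an added example and is not code from Defender, PackageKit, or any of the cited advisories; it does not reproduce either vulnerability. It contrasts the vulnerable check-the-name-then-use-the-name pattern with the hardened open-then-validate-the-descriptor pattern on a POSIX filesystem, using file names and a sequential “attacker” step constructed for the demonstration.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* VULNERABLE pattern: check the name, then use the name.
 * Between check_name_is_regular() and open_by_name() another process can
 * re-point the name, so the object opened is not the object that was checked. */
static int check_name_is_regular(const char *path) {
    struct stat st;
    return lstat(path, &st) == 0 && S_ISREG(st.st_mode);
}

static int open_by_name(const char *path) {
    return open(path, O_RDONLY);   /* follows whatever the name points at NOW */
}

/* HARDENED pattern: open first, then validate the object you actually hold.
 * O_NOFOLLOW refuses a symlink at the final component and fstat() inspects the
 * descriptor, so there is no window between the check and the use. */
static int open_then_check(const char *path) {
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        return -1;
    }
    return fd;
}

static int write_file(const char *path, const char *text) {
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    ssize_t n = write(fd, text, strlen(text));
    close(fd);
    return n == (ssize_t)strlen(text) ? 0 : -1;
}

/* Constructed scenario: a reader is allowed to open `target` but must never
 * read `secret`. The attacker's swap is done sequentially here so the window
 * is visible; in a real race it runs concurrently from another process.
 * Returns 1 if the reader ended up with the secret (attack worked),
 * 0 if the open was refused, -1 on setup failure. */
int toctou_demo(int hardened) {
    char dir[] = "/tmp/toctou-XXXXXX";
    char target[64], secret[64], buf[32] = {0};
    int fd = -1, result = -1;

    if (mkdtemp(dir) == NULL) return -1;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(secret, sizeof secret, "%s/secret", dir);
    if (write_file(secret, "SECRET") != 0 || write_file(target, "harmless") != 0)
        goto cleanup;

    if (!hardened) {
        if (!check_name_is_regular(target)) goto cleanup;  /* 1. check passes      */
        unlink(target);                                    /* 2. attacker swaps    */
        if (symlink(secret, target) != 0) goto cleanup;    /*    name -> symlink   */
        fd = open_by_name(target);                         /* 3. use follows link  */
    } else {
        unlink(target);                                    /* attacker swaps first */
        if (symlink(secret, target) != 0) goto cleanup;
        fd = open_then_check(target);                      /* O_NOFOLLOW refuses   */
    }

    if (fd < 0) {
        result = 0;
    } else {
        ssize_t n = read(fd, buf, sizeof buf - 1);
        close(fd);
        result = (n > 0 && strcmp(buf, "SECRET") == 0) ? 1 : 0;
    }

cleanup:
    unlink(target);
    unlink(secret);
    rmdir(dir);
    return result;
}

int main(void) {
    printf("check-then-use : attacker read the secret? %d\n", toctou_demo(0));
    printf("open-then-check: attacker read the secret? %d\n", toctou_demo(1));
    return 0;
}
```

The general rule the hardened path follows is to make decisions about the object you hold (a descriptor, a handle) rather than about a name that someone else can re-point. O_NOFOLLOW only closes the symlink variant; a hard link to the target still passes the S_ISREG check, so privileged code additionally compares ownership or relies on fs.protected_hardlinks, and Windows code faces the same problem with junctions and oplocks, which is the flavour BlueHammer and the Nessus junction bug below exploit.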

“Since PackageKit is an optional dependency of the Cockpit project, many servers with Cockpit installed might be vulnerable as well, including Red Hat Enterprise Linux,” Deutsche Telekom noted.

Firefox IndexedDB Flaw Enables Cross-Domain Tracking

Firefox users face privacy risks from CVE-2026-6770, a vulnerability that enables fingerprinting even in Private Browsing mode. The flaw also affects Tor Browser, undermining its anonymity protections.

The flaw lies in Firefox’s IndexedDB implementation, which maps database names to internal UUIDs. When a site enumerates its databases, the order in which they are returned is stable across different sites for the lifetime of the browser session, so the order itself becomes a cross-site identifier.

Mozilla patched the issue in Firefox 150, while the Tor Project adopted the fix in Tor Browser 15.0.10. The fingerprint defeats Tor’s “New Identity” feature, allowing websites to link sessions expected to be isolated.

“In Tor Browser, the stable identifier effectively defeats Tor Browser’s ‘New Identity’ isolation within a running browser process,” researchers explained.
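The listing-order mechanism described in this section can be made concrete. The following JavaScript is an added example, not the researcher’s proof of concept or Mozilla’s code: it shows how a stable but shuffled enumeration order of same-named IndexedDB databases turns into a cross-site token, and how much identifying information such an order can carry. The use of indexedDB.databases(), the database names, and the uniform-permutation entropy estimate are assumptions made here, not details from the advisory.

```javascript
// Added example: a stable but arbitrary listing order as a cross-site identifier.
// The pure helpers run in any JS runtime; the browser part needs indexedDB.

// Encode the observed order of a known set of names as a permutation of indices,
// e.g. expected ['a','b','c'] observed as ['c','a','b'] -> '2,0,1'.
// A browser that enumerates in creation order always yields '0,1,...,n-1',
// which identifies nothing; a stable *shuffled* order is the leak.
function permutationSignature(expectedNames, observedNames) {
  const index = new Map(expectedNames.map((name, i) => [name, i]));
  const seen = new Set();
  const sig = [];
  for (const name of observedNames) {
    if (!index.has(name) || seen.has(name)) continue; // ignore unrelated databases
    seen.add(name);
    sig.push(index.get(name));
  }
  if (sig.length !== expectedNames.length) {
    throw new Error('listing did not contain every expected database');
  }
  return sig.join(',');
}

// Upper bound on the identifying information in such an order, assuming (our
// assumption, not the advisory's) a uniformly random permutation: log2(n!) bits.
// Eight databases give about 15.3 bits.
function permutationEntropyBits(n) {
  let bits = 0;
  for (let k = 2; k <= n; k++) bits += Math.log2(k);
  return bits;
}

// FNV-1a 32-bit hash, to turn a signature into a compact, comparable token.
function fnv1a32(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, '0');
}

// Browser side. Assumes indexedDB.databases() exists (Firefox 126 and later).
// Creates n databases with fixed names, then reads back the enumeration order.
// Run it on two origins in one session: matching tokens mean the order is a
// session-wide identifier; a token for '0,1,...,n-1' everywhere means no leak.
async function collectOrderToken(n = 8, prefix = 'fp_') {
  if (typeof indexedDB === 'undefined') {
    throw new Error('indexedDB is not available in this runtime');
  }
  const names = Array.from({ length: n }, (_, i) => `${prefix}${i}`);
  await Promise.all(names.map((name) => new Promise((resolve, reject) => {
    const req = indexedDB.open(name, 1);
    req.onsuccess = () => { req.result.close(); resolve(); };
    req.onerror = () => reject(req.error);
  })));
  const listed = (await indexedDB.databases()).map((db) => db.name);
  return fnv1a32(permutationSignature(names, listed));
}
```

The defensive principle is the one the quoted researchers point at: any per-session internal state a site can observe, not only the stored data, has to be partitioned by origin (and reset by “New Identity”), otherwise the ordering of otherwise-isolated storage leaks an identifier across origins.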

Enterprise Security Products Face Critical Flaws

CrowdStrike disclosed CVE-2026-40050, a critical unauthenticated path traversal vulnerability in its LogScale product. The flaw allows remote attackers to read arbitrary files from server filesystems.

The cybersecurity company emphasized that Next-Gen SIEM customers are unaffected, and LogScale SaaS customers received automatic mitigation. Self-hosted LogScale customers must update to patched versions.

Tenable addressed CVE-2026-33694 in its Nessus vulnerability scanner on Windows. The high-severity flaw lets a local attacker abuse directory junctions to delete arbitrary files with SYSTEM privileges, which can be escalated to arbitrary code execution.

Incomplete Windows Patches Create New Attack Vectors

Microsoft’s February patch for CVE-2026-21510, a Windows SmartScreen bypass, was incomplete. Akamai found that the residual flaw, now tracked as CVE-2026-32202, enables zero-click attacks.

The new vulnerability allows credential theft through auto-parsed LNK files without user interaction. Russian APT28 (Fancy Bear) exploited both the original CVE-2026-21510 and related CVE-2026-21513 in targeted campaigns.

Microsoft fixed CVE-2026-32202 in its April 2026 updates and flagged it as exploited in the wild. The incomplete first patch shows how hard it is to fully close a bug that spans several Windows components.

What This Means

These vulnerabilities expose gaps in both enterprise and consumer security. The Microsoft Defender zero-day shows how uncoordinated public disclosure accelerates exploitation, particularly when working proof-of-concept code is available; Russian-linked actors weaponized it within days, which argues for faster patch deployment cycles.

The Pack2TheRoot Linux vulnerability’s 14-year existence across major distributions reveals systemic issues in package management security. Organizations running affected Linux systems face immediate privilege escalation risks that attackers can exploit “reliably in seconds.”

Firefox’s fingerprinting vulnerability undermines privacy expectations, especially for Tor users seeking anonymity. That the identifier persists across private sessions until the browser restarts shows that per-origin isolation must cover internal session state that sites can observe, not just the data they store.

FAQ

How can organizations protect against these vulnerabilities?
Apply all available patches immediately, particularly Microsoft’s April updates for CVE-2026-33825 and CVE-2026-32202. Linux administrators should update PackageKit to a patched version, Firefox users should upgrade to version 150 or later, and Tor Browser users to 15.0.10 or later.

Are these vulnerabilities being actively exploited?
Yes. Huntress observed Russian-linked attackers using the Microsoft Defender zero-day, including the BlueHammer technique, and Microsoft flagged CVE-2026-32202 as exploited in the wild; APT28 exploited the earlier SmartScreen flaws CVE-2026-21510 and CVE-2026-21513. The Pack2TheRoot Linux vulnerability is easily exploitable, but no active campaigns have been reported.

What makes the Pack2TheRoot vulnerability particularly dangerous?
It lets an unprivileged local user gain root in seconds across several major Linux distributions. Its 14-year history means a large installed base has been exposed, and the low effort required makes it attractive to opportunistic attackers and advanced persistent threats alike.

Digital Mind News

Digital Mind News is an AI-operated newsroom. Every article here is synthesized from multiple trusted external sources by our automated pipeline, then checked before publication. We disclose our AI authorship openly because transparency is part of the product.