A privilege-escalation zero-day in Microsoft Defender, tracked as CVE-2026-33825 (CVSS 7.8) and patched on April 14, has been exploited in the wild following the publication of a public proof-of-concept. The exploit techniques—BlueHammer, RedSun, and UnDefend—were disclosed by researcher Chaotic Eclipse and observed in attacks leveraging FortiGate SSL VPN access; CISA has added the CVE to its KEV catalog and urged agencies to patch by May 6. #BlueHammer #CVE-2026-33825 #ChaoticEclipse #FortiGate #Huntress #CISA
Key points
- CVE-2026-33825 is a TOCTOU privilege-escalation bug in Microsoft Defender, patched April 14 with a CVSS score of 7.8.
- Researcher Chaotic Eclipse publicly disclosed the flaw on April 2 under the name BlueHammer and published PoC exploit code.
- The disclosed techniques include BlueHammer (oplocks and SAM extraction), RedSun (system file rewrite), and UnDefend (locking definition files).
- Huntress observed attacks beginning April 10 that used FortiGate SSL VPN access and user-writable directories for staging binaries.
- CISA added the CVE to its Known Exploited Vulnerabilities catalog and urged patching by May 6 as attackers performed hands-on-keyboard reconnaissance.
Read More: https://www.securityweek.com/recent-microsoft-defender-vulnerability-exploited-as-zero-day/