Microsoft Defender Antimalware Platform Local Privilege Escalation (BlueHammer)
A local privilege escalation flaw in Microsoft Defender Antimalware Platform caused by insufficient access-control granularity. An attacker who already has authorized local access can use it to gain higher privileges; it is not remotely exploitable. Patched in the April 2026 Patch Tuesday release, added to the CISA KEV catalog on 2026-04-22, and confirmed by CISA in July 2026 as used in ransomware attacks. Disclosed as a zero-day by researcher "Chaotic Eclipse" (aka Nightmare-Eclipse) together with two sibling flaws, RedSun and UnDefend, in protest at Microsoft's handling of coordinated disclosure.
- Vendor: Microsoft
- Product: Defender Antimalware Platform (versions 4.0.0.0 up to, but not including, 4.18.26030.3011)
- CVSS: 7.8
- Status: KEV (listed in the CISA Known Exploited Vulnerabilities catalog)
- Published:
CVE-2026-33825, tracked publicly as BlueHammer, is a local privilege escalation vulnerability in Microsoft Defender Antimalware Platform, disclosed as a zero-day in April 2026 and patched the same month. It affects platform builds from 4.0.0.0 up to, but not including, 4.18.26030.3011, the first fixed build. The root cause is insufficient granularity of access control: an attacker who already holds an authorized local session on the machine can use the flaw to run code in a higher-privilege context. It is not remotely exploitable and gives an unauthenticated attacker nothing; its value is as a second stage after an initial foothold, which fits the ransomware use CISA later confirmed.
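As an added check (not from the original entry, and not Microsoft's code), the PowerShell below reads the Defender platform build on an endpoint and compares it against the version boundaries given above. The platform build is the AMProductVersion field returned by Get-MpComputerStatus; the engine version (AMEngineVersion) and the signature version are separate components and say nothing about whether this fix is present. The function names, the remote sweep and the hostnames are illustrative assumptions.

```powershell
# Added example: checks whether a host's Defender Antimalware Platform build falls
# inside the affected range for CVE-2026-33825 (BlueHammer). The fixed build
# 4.18.26030.3011 and the affected floor 4.0.0.0 come from the entry above;
# function names and hostnames are assumptions made for this illustration.

#Requires -Modules Defender

# Version boundaries from the entry above.
$AffectedFloor = [version]'4.0.0.0'
$FixedBuild    = [version]'4.18.26030.3011'

function Test-BlueHammerExposure {
    <#
    .SYNOPSIS
      Reports whether the local Defender platform build is below the first
      fixed build for CVE-2026-33825.
    #>
    [CmdletBinding()]
    param()

    # Get-MpComputerStatus (Defender module) exposes AMProductVersion, the
    # antimalware platform build this entry is scoped to. AMEngineVersion and
    # AntivirusSignatureVersion track other components and are not the fix indicator.
    $status   = Get-MpComputerStatus -ErrorAction Stop
    $platform = [version]$status.AMProductVersion

    $vulnerable = ($platform -ge $AffectedFloor) -and ($platform -lt $FixedBuild)
    $verdict    = if ($vulnerable) { 'PATCH: below fixed build' } else { 'OK: at or above fixed build' }

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        PlatformVersion  = $platform.ToString()
        FixedBuild       = $FixedBuild.ToString()
        AMServiceEnabled = $status.AMServiceEnabled
        Vulnerable       = $vulnerable
        Verdict          = $verdict
    }
}

function Test-BlueHammerExposureRemote {
    <#
    .SYNOPSIS
      Runs the same comparison over a list of hosts via WinRM, so one sweep shows
      which endpoints still need the platform update before the KEV due date.
    #>
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        [pscredential] $Credential
    )

    $splat = @{ ComputerName = $ComputerName; ErrorAction = 'Continue' }
    if ($Credential) { $splat.Credential = $Credential }

    # Pass the boundaries as strings so the remote side does not depend on local variables.
    Invoke-Command @splat -ArgumentList $AffectedFloor.ToString(), $FixedBuild.ToString() -ScriptBlock {
        param($floor, $fixed)
        $s = Get-MpComputerStatus
        $v = [version]$s.AMProductVersion
        [pscustomobject]@{
            PlatformVersion = $v.ToString()
            Vulnerable      = ($v -ge [version]$floor) -and ($v -lt [version]$fixed)
        }
    } | Select-Object PSComputerName, PlatformVersion, Vulnerable
}

# Local usage:
Test-BlueHammerExposure | Format-List

# Fleet usage (hostnames are placeholders):
# Test-BlueHammerExposureRemote -ComputerName 'ws01', 'ws02' |
#     Sort-Object Vulnerable -Descending | Format-Table -AutoSize
```

The platform update is delivered through Windows Update as the "Update for Microsoft Defender antimalware platform" package, not through signature updates, so running Update-MpSignature does not move AMProductVersion; a host that reports current signatures can still be below the fixed build.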
Timeline
- April 2026 — Researcher “Chaotic Eclipse” (aka Nightmare-Eclipse) publishes three Defender zero-days as protest disclosures: BlueHammer (LPE), RedSun (LPE), and UnDefend (definition-update DoS). Huntress observes BlueHammer exploitation from 2026-04-10.
- 2026-04-14 — Microsoft patches BlueHammer as CVE-2026-33825 in Patch Tuesday. RedSun and UnDefend remain unpatched at the time of Huntress’ April writeup.
- 2026-04-22 — CISA adds CVE-2026-33825 to the Known Exploited Vulnerabilities catalog. Federal civilian mitigation deadline: 2026-05-06.
- 2026-07-02 — CISA confirms the flaw was used in ransomware attacks, per The Hacker News. Ransomware family not publicly named at time of writing.
Sourcing
- NVD: CVE-2026-33825
- CISA KEV catalog: cisa.gov/known-exploited-vulnerabilities-catalog
- The Hacker News (April 2026): Three Microsoft Defender zero-days from Chaotic Eclipse
- The Hacker News (July 2026): ThreatsDay: CISA confirms ransomware use