>_ 0dayNews
CVE Record
[ HIGH ] CVE-2026-33825

Microsoft Defender Antimalware Platform Local Privilege Escalation (BlueHammer)

A local privilege escalation flaw in Microsoft Defender Antimalware Platform caused by insufficient access-control granularity. An authorized local attacker can elevate privileges. Patched in April 2026 Patch Tuesday, added to the CISA KEV catalog on 2026-04-22, and confirmed by CISA in July 2026 as weaponized in ransomware attacks. Disclosed as a zero-day by researcher "Chaotic Eclipse" (aka Nightmare-Eclipse) alongside two sibling flaws — RedSun and UnDefend — as a protest of Microsoft's disclosure coordination.

Vendor: Microsoft
Product: Defender Antimalware Platform (versions 4.0.0.0 up to, but not including, 4.18.26030.3011)
CVSS: 7.8
Status: kev
Published:
CVE-2026-33825, tracked publicly as BlueHammer, is a local privilege escalation vulnerability in Microsoft Defender Antimalware Platform, disclosed as a zero-day in April 2026 and patched the same month. It affects Defender Antimalware Platform builds from 4.0.0.0 up to, but not including, 4.18.26030.3011. The flaw stems from insufficient granularity of access control: an authorized local attacker — one who already has some foothold on the system — can leverage it to elevate to a higher-privilege context. Not remote, not unauthenticated.

Timeline

  • April 2026 — Researcher “Chaotic Eclipse” (aka Nightmare-Eclipse) publishes three Defender zero-days as protest disclosures: BlueHammer (LPE), RedSun (LPE), and UnDefend (definition-update DoS). Huntress observes BlueHammer exploitation from 2026-04-10.
  • 2026-04-14 — Microsoft patches BlueHammer as CVE-2026-33825 in Patch Tuesday. RedSun and UnDefend remain unpatched at the time of Huntress’ April writeup.
  • 2026-04-22 — CISA adds CVE-2026-33825 to the Known Exploited Vulnerabilities catalog. Federal civilian mitigation deadline: 2026-05-06.
  • 2026-07-02 — CISA confirms the flaw was used in ransomware attacks, per The Hacker News. Ransomware family not publicly named at time of writing.

Sourcing