Windows Defender Local Privilege Escalation Vulnerability Actively Exploited (CVE-2026-33825)
April 21st, 2026
High

Our Cyber Threat Intelligence Unit is monitoring a Windows local privilege escalation vulnerability known as BlueHammer (CVE-2026-33825), which affects the Microsoft Defender Antimalware Platform. The vulnerability was publicly disclosed on April 3, 2026, by a security researcher using the alias Nightmare-Eclipse, who released a working proof-of-concept exploit on GitHub without prior coordination, CVE assignment, or an available patch. BlueHammer allows a low-privileged local user to gain NT AUTHORITY\SYSTEM privileges by exploiting a race condition in Windows Defender's threat remediation engine. A separate version of the exploit, SNEK_BlueWarHammer, with build instructions and precompiled binaries, has further lowered the barrier to exploitation. Microsoft assigned CVE-2026-33825 and released a patch during the April 2026 Patch Tuesday cycle. Despite this, Huntress Labs confirmed active exploitation as early as April 10, 2026, before widespread patch deployment. The same researcher later released two related Windows Defender zero-days, RedSun and UnDefend, which remain unpatched. All three vulnerabilities have been observed in live intrusions and in use together in post-exploitation workflows.
Technical Details
Severity: High
CVSS v3.1 Score: 7.8
CVE ID: CVE-2026-33825
Vulnerability Type: Local Privilege Escalation (LPE)
Affected Component: Microsoft Defender Antimalware Platform
Affected Systems: Windows 10 (all supported versions), Windows 11 (all supported versions)
Note on Windows Server: Public testing and researcher statements indicate the exploit does not reliably produce SYSTEM-level access on Windows Server editions; behavior on Server may be limited to elevated administrator access in some configurations.
Patch Available: Yes
Microsoft Defender Antimalware Platform version 4.18.26030.3011, released April 14, 2026 (April 2026 Patch Tuesday)
Exploit Availability: Public PoC available on GitHub; precompiled binaries available via the SNEK reimplementation repository
Disclosed By: Researcher aliases Nightmare-Eclipse / Chaotic Eclipse
Disclosure Date: April 3, 2026
Vulnerability Mechanism:
CVE-2026-33825 is rooted in a time-of-check to time-of-use (TOCTOU) race condition within Windows Defender's threat remediation engine.
The vulnerability exists because Defender performs privileged file operations during malware cleanup without adequately validating the file path at the time of the write, allowing an attacker to redirect the operation via filesystem manipulation.
Attack Chain:
Initial Access: BlueHammer requires a pre-existing local foothold on the target system.
This foothold may be obtained through phishing, leading to user-level code execution, exploitation of a separate vulnerability, or use of compromised credentials.
The vulnerability does not provide remote initial access on its own.
Exploitation: The BlueHammer exploit begins by placing a file that triggers a Defender detection.
When Defender's real-time protection engine detects the file and initiates remediation, the exploit uses a batch opportunistic lock (oplock) to pause Defender's file operation at a critical point.
During this pause, the exploit modifies the filesystem by creating an NTFS junction point that redirects Defender's target path from an attacker-controlled temporary directory to C:\Windows\System32.
When Defender resumes under its SYSTEM privileges, it overwrites a legitimate system binary with an attacker-controlled payload.
Privilege Escalation and Credential Access:
The vulnerability allows a low-privileged local user to access the Security Account Manager (SAM) database, dump NTLM hashes, and escalate to SYSTEM or elevated administrator rights via pass-the-hash techniques.
BlueHammer uses SamiChangePasswordUser to forcibly reset an administrator password, authenticate using that password, then reset it back to the original hash.
Post-Exploitation:
With SYSTEM-level access achieved, threat actors have been observed spawning privileged shells, interfering with security tooling, accessing protected files and registry hives, and establishing persistence through services and scheduled tasks.
Huntress Labs observed attackers manually running standard system checks, including whoami /priv, cmdkey /list, and net group, indicating deliberate hands-on-keyboard activity rather than automated malware execution.
Related Vulnerabilities RedSun and UnDefend: BlueHammer is one of three Microsoft Defender zero-days released by the same researcher within a 13-day window in April 2026. The other two, RedSun and UnDefend, remain unpatched at the time of this writing.
RedSun is a second local privilege escalation technique abusing Defender's cloud file rollback mechanism.
When Defender identifies a file with a cloud tag, it attempts to restore the file to its original location without validating where that location actually points.
The exploit uses the same oplock and NTFS junction point technique to redirect Defender's privileged write to "C:\Windows\System32\TieringEngineService.exe".
UnDefend does not provide privilege escalation but is designed to block Microsoft Defender definition updates, allowing malware to persist undetected on an endpoint with degraded defenses.
The close release timing and functional overlap of these vulnerabilities suggest they may be used sequentially, with attackers using BlueHammer or RedSun to escalate privileges and then deploying UnDefend to suppress detection mechanisms.

Impact
Successful exploitation of CVE-2026-33825 may allow threat actors to:
Dump local account NTLM password hashes from the SAM database
Escalate to SYSTEM privileges via pass-the-hash techniques
Spawn privileged shells and execute arbitrary commands with full system control
Access and modify protected files and registry hives
Disable or interfere with endpoint security tooling
Establish persistence mechanisms through services and scheduled tasks that are difficult to remove without reimaging
When chained with RedSun and UnDefend, additionally degrade Defender's detection capability over time, creating conditions under which follow-on malware operates without triggering signature-based alerts
Detection Method
Security teams should monitor endpoint and network telemetry for the following behavioral indicators:
Windows Event Log Indicators:
Monitor Event ID 4672 (Special privileges assigned to new logon) and Event ID 4688 (Process creation) for unexpected privilege elevations to NT AUTHORITY\SYSTEM originating from standard user processes.
Monitor for Event ID 4723 and 4724 (password change events) occurring in rapid succession on local Administrator accounts.
Monitor Event ID 7045 (new service installed) and Event ID 4698 (scheduled task created) for unexpected entries generated by non-administrative user processes.
Endpoint and EDR Telemetry:
The BlueHammer escalation chain uses CreateService to briefly register a malicious temporary service.
This pattern should be visible in EDR telemetry and should trigger when any non-administrative user process calls service creation APIs.
Monitor for suspicious LSASS access (Sysmon Event ID 10) and abnormal handle requests targeting the SAM database.
Track creation of NTFS symbolic links and junction points in user-writable directories, including %TEMP%, %APPDATA%, and user profile directories.
Exploit binaries have been observed originating from user-writable directories such as Downloads and Pictures.
Detections should cover execution of unsigned or unrecognized binaries from these paths.
Behavioral Indicators:
Flag post-exploitation command sequences consistent with confirmed attacker activity: whoami /priv, cmdkey /list, and net group executed in close succession from the same session.
Monitor for processes spawning a SYSTEM-level command shell from a non-administrative user context.
Detect abnormal reads or writes by Defender processes (MpSigStub.exe, MsMpEng.exe) to paths outside of expected Defender working directories.
Watch for Defender definition update failures or stalled signature updates, which may indicate deployment of UnDefend alongside BlueHammer.
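The following PowerShell script is an added example, not part of the advisory or of any vendor tooling, that turns the event-log and filesystem indicators above into a single-host hunt: rapid 4723/4724 pairs on the same account, new services (7045) and scheduled tasks (4698), and junction points under user profiles that resolve into the Windows directory. The 120-second window, the 24-hour lookback and the positional event-property indices are assumptions stated in the comments; run it from an elevated session, since standard users cannot read the Security log.

```powershell
# Added example, not from the advisory: hunt for BlueHammer-style indicators on one host.
# Run from an elevated PowerShell session. Thresholds below are assumptions.
param(
    [int]$WindowSeconds = 120,   # assumed: password events this close together count as "rapid succession"
    [int]$LookbackHours = 24     # assumed lookback period
)
$since = (Get-Date).AddHours(-$LookbackHours)

# 1. Event IDs 4723/4724 in rapid succession on the same account.
#    Positional indices assume the standard schema for both IDs:
#    TargetUserName = 0, TargetDomainName = 1, SubjectUserName = 4.
function Find-RapidPasswordChange {
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4723, 4724; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Id      = $_.Id
                Target  = "$($_.Properties[1].Value)\$($_.Properties[0].Value)"
                Subject = $_.Properties[4].Value
            }
        }
    foreach ($group in ($events | Group-Object Target)) {
        $sorted = @($group.Group | Sort-Object Time)
        for ($i = 1; $i -lt $sorted.Count; $i++) {
            $gap = ($sorted[$i].Time - $sorted[$i - 1].Time).TotalSeconds
            if ($gap -le $WindowSeconds) {
                [pscustomobject]@{
                    Indicator = 'RapidPasswordChange'
                    Name      = $group.Name
                    Detail    = "$($sorted[$i - 1].Id) then $($sorted[$i].Id), $([math]::Round($gap, 1))s apart"
                    Subject   = $sorted[$i].Subject
                    At        = $sorted[$i].Time
                }
            }
        }
    }
}

# 2. New services (7045 in the System log) and scheduled tasks (4698 in the Security log).
#    7045: ServiceName = 0, ImagePath = 1, AccountName = 4 (the run-as account; 7045 does not
#    record who installed the service, so correlate with 4688 for the installing process).
#    4698: SubjectUserName = 1, TaskName = 4.
function Find-NewServiceOrTask {
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{ Indicator = 'ServiceInstalled'; Name = $_.Properties[0].Value
                               Detail = $_.Properties[1].Value; Subject = $_.Properties[4].Value; At = $_.TimeCreated }
        }
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4698; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{ Indicator = 'ScheduledTaskCreated'; Name = $_.Properties[4].Value
                               Detail = ''; Subject = $_.Properties[1].Value; At = $_.TimeCreated }
        }
}

# 3. Junction points under user profiles whose target lies under %SystemRoot%.
#    Every profile contains legacy compatibility junctions ("Application Data", etc.) that
#    point back inside the profile; the target check filters those out.
function Find-SystemTargetedJunction {
    $sysRoot = $env:SystemRoot.TrimEnd('\')
    Get-ChildItem -Path 'C:\Users' -Directory -Recurse -Force -Attributes ReparsePoint -ErrorAction SilentlyContinue |
        Where-Object { $_.LinkType -eq 'Junction' } |
        ForEach-Object {
            $target = @($_.Target) -join ';'   # string in PS 7, string[] in PS 5.1
            if ($target -like "$sysRoot*") {
                [pscustomobject]@{ Indicator = 'JunctionToSystemRoot'; Name = $_.FullName
                                   Detail = $target; Subject = ''; At = $_.CreationTime }
            }
        }
}

$findings = @(Find-RapidPasswordChange) + @(Find-NewServiceOrTask) + @(Find-SystemTargetedJunction)
$findings | Sort-Object At | Format-Table Indicator, Name, Detail, Subject, At -AutoSize
```

All three functions emit objects with the same property set so the findings can be merged, sorted by time and exported (for example with Export-Csv) for correlation with EDR telemetry. The junction check is point-in-time: an exploit that removes its junction after the privileged write leaves nothing for this function to find, which is why the event-log checks matter more for retrospective triage.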
Indicators of Compromise
Type      | Indicator
SHA-256   | c6baa5ec9ea2c2802a90acad5a53453d176a02e04a31ac8e9b7b34b5e3329b84
File Name | SNEK_BlueWarHammer.exe
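As an added example that is not part of the advisory, the script below sweeps the user-writable folders named in the Detection Method section (Downloads and Pictures, plus the per-user Temp folder as an assumption) for the published SHA-256 and file name, and also reports unsigned executables found there, since a rebuilt binary would not match the hash. The hash and file name are the ones listed in the table above; everything else is constructed for this example.

```powershell
# Added example, not from the advisory: sweep per-user staging folders for the published IoC.
$IocSha256 = 'c6baa5ec9ea2c2802a90acad5a53453d176a02e04a31ac8e9b7b34b5e3329b84'   # from the advisory
$IocName   = 'SNEK_BlueWarHammer.exe'                                                  # from the advisory
# Downloads and Pictures are named in the advisory as observed staging locations;
# AppData\Local\Temp is an added assumption.
$SubDirs   = 'Downloads', 'Pictures', 'AppData\Local\Temp'

function Find-BlueHammerIoc {
    foreach ($userDir in Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue) {
        foreach ($sub in $SubDirs) {
            $path = Join-Path $userDir.FullName $sub
            if (-not (Test-Path $path)) { continue }
            Get-ChildItem -Path $path -File -Recurse -Force -ErrorAction SilentlyContinue |
                Where-Object { $_.Extension -in '.exe', '.dll' -or $_.Name -ieq $IocName } |
                ForEach-Object {
                    $hash  = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
                    $sig   = (Get-AuthenticodeSignature -FilePath $_.FullName).Status   # 'Valid', 'NotSigned', ...
                    $match = @()
                    if ($hash -and $hash -ieq $IocSha256) { $match += 'SHA256' }
                    if ($_.Name -ieq $IocName)            { $match += 'FileName' }
                    # Report exact IoC matches, and any executable that is not validly signed.
                    if ($match.Count -gt 0 -or $sig -ne 'Valid') {
                        [pscustomobject]@{
                            Path      = $_.FullName
                            SHA256    = $hash
                            Signature = $sig
                            Match     = ($match -join ',')
                            Created   = $_.CreationTime
                        }
                    }
                }
        }
    }
}

Find-BlueHammerIoc | Sort-Object Match -Descending | Format-Table -AutoSize
```

Rows whose Match column is empty are unsigned or invalidly signed executables in those folders; they are not confirmed IoC hits but are the candidates the advisory says detections should cover, and their hashes can be submitted to the organisation's threat-intelligence platform for further checking.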

Recommendations
Apply the April 2026 Patch Tuesday updates immediately:
Microsoft patched CVE-2026-33825 with the release of Microsoft Defender Antimalware Platform version 4.18.26030.3011.
Administrators can verify successful deployment by running the PowerShell cmdlet Get-AppxPackage -Name Microsoft.Windows.Defender | Select Version or by checking the engine version in Windows Security under Virus and threat protection settings.
Monitor Microsoft security advisories for out-of-band updates addressing RedSun and UnDefend, both of which remain unpatched.
Enforce least privilege across all endpoints: Reducing unnecessary local administrator rights and limiting which accounts can interact with Defender RPC interfaces meaningfully reduces the attack surface.
Audit and restrict symbolic link creation: Restrict the Create symbolic links user right assignment via Group Policy to prevent unprivileged users from creating the NTFS junction points the exploit depends on.
Implement behavioral detection rules with particular emphasis on rapid successive Event ID 4723/4724 sequences, CreateService calls from non-administrative processes, and execution of unsigned binaries from user-writable directories.
Treat VPN and remote access credential compromise as a high priority:
Audit remote access accounts for signs of compromise, enforce MFA across all remote access pathways, and investigate SSLVPN authentication anomalies as potential precursors to privilege escalation activity.
Monitor for Defender integrity issues:
Given that UnDefend can silently degrade Defender's detection capability, monitor for definition update failures, stalled signature updates, or unexpected Defender service state changes.
Isolate and investigate affected systems promptly:
Any system on which BlueHammer exploitation is suspected should be isolated from the network immediately.
Ensure offline backups are current and that restoration procedures have been tested.
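The script below is an added example, not part of the advisory, that implements two of the recommendations above in one place: it checks the installed Defender platform version against 4.18.26030.3011 using Get-MpComputerStatus (the Defender module's own cmdlet, used here as an alternative to the package query mentioned earlier) and reports signature age so that stalled updates are visible, and it lists which accounts hold the "Create symbolic links" user right by exporting the local policy with secedit. The temporary export file name is an assumption; run the script elevated.

```powershell
# Added example, not from the advisory: verify the patched platform version and audit the
# "Create symbolic links" user right. Run from an elevated PowerShell session.
$PatchedPlatform = [version]'4.18.26030.3011'   # patched version named in the advisory
$MaxSignatureAgeDays = 2                          # assumed threshold for flagging stale definitions

function Test-DefenderPlatformPatched {
    $status    = Get-MpComputerStatus
    $installed = [version]$status.AMProductVersion
    [pscustomobject]@{
        Computer             = $env:COMPUTERNAME
        PlatformVersion      = $installed
        Patched              = ($installed -ge $PatchedPlatform)
        EngineVersion        = $status.AMEngineVersion
        SignatureVersion     = $status.AntivirusSignatureVersion
        SignatureLastUpdated = $status.AntivirusSignatureLastUpdated
        SignatureStale       = ($status.AntivirusSignatureAge -gt $MaxSignatureAgeDays)   # age is in days
        RealTimeProtection   = $status.RealTimeProtectionEnabled
    }
}

function Get-SymlinkRightHolders {
    # secedit writes the user-rights section of local policy to an .inf file; the file name is an assumption.
    $cfg = Join-Path $env:TEMP 'user-rights-export.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content -Path $cfg | Where-Object { $_ -like 'SeCreateSymbolicLinkPrivilege*' }
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return }
    # The line has the form: SeCreateSymbolicLinkPrivilege = *S-1-5-32-544,*S-1-5-...
    $sids = ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
    foreach ($sid in $sids) {
        $name = $sid
        try { $name = ([System.Security.Principal.SecurityIdentifier]$sid).Translate([System.Security.Principal.NTAccount]).Value } catch { }
        [pscustomobject]@{ Right = 'SeCreateSymbolicLinkPrivilege'; Sid = $sid; Account = $name }
    }
}

Test-DefenderPlatformPatched | Format-List
Get-SymlinkRightHolders      | Format-Table -AutoSize
```

A Patched value of False, or SignatureStale of True, is the condition to act on; the signature fields also serve the "Monitor for Defender integrity issues" recommendation. On a default workstation the right is held by Administrators (S-1-5-32-544) only; any additional account or group in the audit output is a candidate for removal through Group Policy. Note that this user right governs symbolic links specifically, while junctions are a distinct reparse-point type, so treat the audit as one control alongside the least-privilege and behavioral-detection measures above rather than as a complete mitigation.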
Conclusion
CVE-2026-33825 (BlueHammer) poses a significant privilege escalation risk to Windows 10 and 11, heightened by the public release of exploit binaries, confirmed exploitation since April 10, 2026, and its use alongside two related unpatched vulnerabilities. The April 2026 Patch Tuesday update addresses BlueHammer, and immediate deployment is strongly recommended. However, patching CVE-2026-33825 alone is not sufficient, as RedSun and UnDefend remain unpatched. We urge organizations to maintain behavioral detection, enforce least privilege, and actively monitor Defender integrity until all three vulnerabilities are fully resolved.
References
https://socradar.io/blog/bluehammer-windows-zero-day-privilege-escalation-risk/
https://socradar.io/blog/bluehammer-redsun-undefend-windows-defender-0days/
https://www.cyderes.com/howler-cell/windows-zero-day-bluehammer
https://www.crowdstrike.com/en-us/blog/patch-tuesday-analysis-april-2026/
https://cvereports.com/reports/CVE-2026-33825
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33825