BlueHammer, tracked as CVE-2026-33825, is a Microsoft Defender vulnerability that let a low-privileged local attacker escalate all the way to SYSTEM by weaponizing Defender's own cleanup routine, and it was exploited in the wild before Microsoft patched it. The uncomfortable detail: the tool meant to remove threats became the mechanism for planting one, and the flaw was disclosed publicly by an angry researcher rather than through coordinated channels.
- CVE-2026-33825 (BlueHammer) is a local privilege-escalation bug in Windows Defender, CVSS 7.8, that hands an unprivileged user full SYSTEM code execution.
- It abuses a time-of-check to time-of-use race in Defender's threat-remediation engine, redirecting the rollback to overwrite a system binary.
- Microsoft patched it on April 14, 2026, but only after a researcher published proof-of-concept code, and two related flaws, RedSun and UnDefend, stayed unpatched.
- Huntress observed exploitation in the wild starting April 10, with credential discovery and Active Directory enumeration right after SYSTEM was won; CISA later tied BlueHammer to ransomware.
What makes BlueHammer dangerous?
It weaponizes a trusted, high-privilege process against the machine it protects. CVE-2026-33825 is a time-of-check to time-of-use race in Windows Defender's threat-remediation engine. The exploit first triggers a detection with a crafted file, then replaces that file with a cloud placeholder using the Windows Cloud Files API. When Defender begins rolling back the "threat," the attacker uses filesystem tricks (NTFS junctions and opportunistic locks) to pause execution and quietly redirect the target path into C:\Windows\System32. Defender resumes, follows the redirected path, and writes the file with SYSTEM privileges, overwriting a system binary and handing the attacker SYSTEM-level code execution with no elevated rights and no user interaction. That last part is what elevates it from a nuisance to a genuine post-exploitation prize: any low-privileged foothold becomes total control of the endpoint.
How did a patched bug still get exploited?
Because disclosure and defense did not move at the same speed. The flaw went public as a zero-day a week before the fix, when a researcher using the handle "Chaotic Eclipse" published proof-of-concept code, dubbing it BlueHammer, in protest at how Microsoft's Security Response Center handled the report. Microsoft patched it on April 14 as part of Patch Tuesday, but Huntress reports weaponization began April 10, ahead of the patch, and telemetry showed attackers moving straight into credential discovery and Active Directory enumeration once SYSTEM was achieved, the classic prelude to lateral movement. Initial access in observed incidents came through other means, including compromised SSL-VPN credentials, with hands-on-keyboard operators using BlueHammer to escalate. CISA added it to the Known Exploited Vulnerabilities catalog on April 22 with a federal patch deadline of May 6, and later updated the entry to note ransomware use.
| Flaw | BlueHammer | RedSun | UnDefend |
|---|---|---|---|
| CVE | CVE-2026-33825 | Disclosed | Disclosed |
| Effect | Local priv-esc to SYSTEM | Privilege escalation | Blocks Defender updates |
| Needs admin? | No | No | No (standard user) |
| Patched | Yes, Apr 14 | Not yet | Not yet |
| Seen in the wild | From Apr 10 | PoC Apr 16 | PoC Apr 16 |
What is the timeline security teams should know?
Short and unforgiving. BlueHammer is one of three related Defender flaws Chaotic Eclipse dropped, alongside RedSun, a second privilege-escalation bug, and UnDefend, which lets a standard user block Defender definition updates. Huntress saw BlueHammer exploited from April 10 and RedSun and UnDefend PoCs used from April 16. Only BlueHammer has a patch; the other two remained unpatched as of the reporting, meaning defenders can close the headline hole while two adjacent techniques stay open.
- Apr 10: BlueHammer exploited in the wild. Weaponized before any patch existed.
- Apr 14: Microsoft patches CVE-2026-33825. Part of April Patch Tuesday.
- Apr 16: RedSun and UnDefend PoCs used. Both still unpatched.
- Apr 22: CISA adds it to the KEV catalog. Federal fix deadline set for May 6.
- Since then: Linked to ransomware campaigns. CISA updated the entry; the group is not yet named.
- Patch first. Apply the April 14 updates on every Windows endpoint and server. That closes BlueHammer itself.
- Assume the adjacent flaws. With RedSun and UnDefend unpatched, watch for Defender update failures and unexpected privilege changes.
- Hunt post-SYSTEM behavior. Credential access and AD enumeration right after a privilege jump is the signature to alert on.
- Lock the front door. Observed intrusions started with stolen SSL-VPN credentials. Enforce MFA and rotate exposed VPN logins.
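The two hunting signals above (Defender update failures while UnDefend stays open, and credential or AD enumeration right after a remediation-driven privilege jump) can be turned into simple correlation rules. The script below is an added illustration, not code from the article, Huntress or CISA. It runs over constructed sample records shaped like Windows event-log exports; the Defender event IDs it keys on are the documented ones (1117 malware action taken, 2001 signature update failed, 2003 engine update failed) plus Security 4688 process creation, while the ten-minute window, the failure threshold and the list of enumeration executables are tunable assumptions a SOC would adjust to its own baseline.

```python
"""Correlation rules for post-BlueHammer hunting, run over constructed sample
log records (illustrative, not real telemetry).

Rule 1: repeated Defender definition/engine update failures on one host.
Rule 2: a Defender remediation event followed, within a short window, by
        SYSTEM-context processes that perform credential or AD enumeration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Executables commonly treated as credential discovery / AD enumeration.
# Assumption: tune this list to your environment's baseline.
ENUM_COMMANDS = {
    "nltest.exe", "net.exe", "net1.exe", "dsquery.exe",
    "adfind.exe", "whoami.exe", "ldifde.exe",
}
WINDOW = timedelta(minutes=10)        # assumption: correlation window
UPDATE_FAILURE_THRESHOLD = 3          # assumption: failures before alerting
SYSTEM_ACCOUNT = "NT AUTHORITY\\SYSTEM"

# Constructed sample events. "provider" is Defender/Operational or Security.
SAMPLE_EVENTS = [
    {"ts": "2026-04-10T09:00:05", "host": "WS-17", "provider": "Defender", "event_id": 1117,
     "user": "ACME\\jdoe", "path": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\stage.bin"},
    {"ts": "2026-04-10T09:00:40", "host": "WS-17", "provider": "Security", "event_id": 4688,
     "user": SYSTEM_ACCOUNT, "process": "C:\\Windows\\System32\\whoami.exe"},
    {"ts": "2026-04-10T09:01:10", "host": "WS-17", "provider": "Security", "event_id": 4688,
     "user": SYSTEM_ACCOUNT, "process": "C:\\Windows\\System32\\nltest.exe"},
    {"ts": "2026-04-10T09:02:00", "host": "WS-17", "provider": "Security", "event_id": 4688,
     "user": SYSTEM_ACCOUNT, "process": "C:\\Windows\\System32\\net.exe"},
    # Benign: a remediation followed only by ordinary user activity.
    {"ts": "2026-04-10T11:15:00", "host": "WS-22", "provider": "Defender", "event_id": 1117,
     "user": "ACME\\asmith", "path": "C:\\Users\\asmith\\Downloads\\eicar.com"},
    {"ts": "2026-04-10T11:16:00", "host": "WS-22", "provider": "Security", "event_id": 4688,
     "user": "ACME\\asmith", "process": "C:\\Program Files\\Mozilla Firefox\\firefox.exe"},
    # Repeated signature-update failures on a third host; a single one elsewhere.
    {"ts": "2026-04-16T08:00:00", "host": "WS-31", "provider": "Defender", "event_id": 2001, "user": SYSTEM_ACCOUNT},
    {"ts": "2026-04-16T09:00:00", "host": "WS-31", "provider": "Defender", "event_id": 2001, "user": SYSTEM_ACCOUNT},
    {"ts": "2026-04-16T10:00:00", "host": "WS-31", "provider": "Defender", "event_id": 2001, "user": SYSTEM_ACCOUNT},
    {"ts": "2026-04-16T10:00:00", "host": "WS-22", "provider": "Defender", "event_id": 2001, "user": SYSTEM_ACCOUNT},
]


def parse_ts(s):
    return datetime.fromisoformat(s)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def find_update_failures(events, threshold=UPDATE_FAILURE_THRESHOLD):
    """Rule 1: hosts whose Defender update failures (2001/2003) reach the threshold."""
    counts = defaultdict(int)
    for e in events:
        if e["provider"] == "Defender" and e["event_id"] in (2001, 2003):
            counts[e["host"]] += 1
    return sorted(h for h, n in counts.items() if n >= threshold)


def find_post_remediation_enumeration(events, window=WINDOW, min_hits=2):
    """Rule 2: Defender remediation (1117) followed within `window` by at least
    `min_hits` SYSTEM-context enumeration processes on the same host."""
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_host[e["host"]].append(e)
    alerts = []
    for host, evs in by_host.items():
        for i, e in enumerate(evs):
            if not (e["provider"] == "Defender" and e["event_id"] == 1117):
                continue
            t0 = parse_ts(e["ts"])
            hits = []
            for f in evs[i + 1:]:
                if parse_ts(f["ts"]) - t0 > window:
                    break
                if (f["event_id"] == 4688
                        and f["user"].upper() == SYSTEM_ACCOUNT
                        and basename(f["process"]) in ENUM_COMMANDS):
                    hits.append(basename(f["process"]))
            if len(hits) >= min_hits:
                alerts.append({"host": host, "remediation_ts": e["ts"],
                               "triggering_user": e["user"], "commands": hits})
    return alerts


if __name__ == "__main__":
    print("Update-failure hosts:", find_update_failures(SAMPLE_EVENTS))
    for a in find_post_remediation_enumeration(SAMPLE_EVENTS):
        print("ALERT post-remediation enumeration:", a)
```

Rule 2 keys on the remediation event rather than on any particular exploit artifact, so it also fires on other abuses of the remediation path; the false-positive control is the requirement that the follow-on processes run as SYSTEM and match the enumeration list, which ordinary user cleanup (WS-22 above) does not.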
Our take
BlueHammer is a textbook lesson in why endpoint security tools are such attractive targets: they run with the highest privileges and are trusted implicitly, so a logic flaw in one is worth more to an attacker than a dozen bugs in ordinary software. The race-condition trick here is elegant in the worst way, using Defender's remediation, the exact feature meant to undo attacks, as the delivery vehicle for one. Just as instructive is the disclosure drama. A researcher frustrated with Microsoft's process dumped working exploit code into the open, and attackers were using it days before the patch landed. That is the recurring tax on adversarial disclosure: the patch and the weaponization arrive in the wrong order. Patch BlueHammer today, but treat RedSun and UnDefend as live, because the same researcher handed everyone the blueprint and only one door is shut.
- Advisory: CISA Known Exploited Vulnerabilities, the KEV entry and federal deadline
- Reporting: Help Net Security, on all three Defender zero-days
- Analysis: Picus: BlueHammer explained, the TOCTOU mechanism in detail
- Reference: BleepingComputer, on CISA's patch order
Original analysis by GenZTech. Details per vendor and CISA advisories, current as of July 2026.
