BlueHammer, tracked as CVE-2026-33825, is a Microsoft Defender vulnerability that let a low-privileged local attacker escalate all the way to SYSTEM by weaponizing Defender's own cleanup routine, and it was exploited in the wild before Microsoft patched it. The uncomfortable detail: the tool meant to remove threats became the mechanism for planting one, and the flaw was disclosed publicly by an angry researcher rather than through coordinated channels.

  • CVE-2026-33825 (BlueHammer) is a local privilege-escalation bug in Windows Defender, CVSS 7.8, that hands an unprivileged user full SYSTEM code execution.
  • It abuses a time-of-check to time-of-use race in Defender's threat-remediation engine, redirecting the rollback to overwrite a system binary.
  • Microsoft patched it on April 14, 2026, but only after a researcher published proof-of-concept code, and two related flaws, RedSun and UnDefend, stayed unpatched.
  • Huntress observed exploitation in the wild starting April 10, with credential discovery and Active Directory enumeration right after SYSTEM was won; CISA later tied BlueHammer to ransomware.
Fig 1: How the BlueHammer race condition wins SYSTEM. The attacker triggers a Defender detection, swaps the file for a cloud placeholder, uses NTFS junctions and oplocks to redirect the rollback into System32, and Defender writes a system binary with SYSTEM privileges.
  1. Trigger: crafted file is flagged
  2. Swap: cloud placeholder via Cloud Files
  3. Redirect: NTFS junction + oplock pause
  4. Rollback: follows path to System32
  5. SYSTEM binary overwritten
The exploit turns Defender's cleanup against itself: between the moment Defender decides where to restore a file and the moment it writes, the attacker moves the target into System32 and rides Defender's SYSTEM privileges in.

What makes BlueHammer dangerous?

It weaponizes a trusted, high-privilege process against the machine it protects. CVE-2026-33825 is a time-of-check to time-of-use race in Windows Defender's threat-remediation engine. The exploit first triggers a detection with a crafted file, then replaces that file with a cloud placeholder using the Windows Cloud Files API. When Defender begins rolling back the "threat," the attacker uses filesystem tricks, NTFS junctions and opportunistic locks, to pause execution and quietly redirect the target path into C:\Windows\System32. Defender resumes, follows the redirected path, and writes the file with SYSTEM privileges, overwriting a system binary and handing the attacker SYSTEM-level code execution with no elevated rights and no user interaction. That last part is what elevates it from a nuisance to a genuine post-exploitation prize: any low-privileged foothold becomes total control of the endpoint.


How did a patched bug still get exploited?

Because disclosure and defense did not move at the same speed. The flaw went public as a zero-day when a researcher using the handle "Chaotic Eclipse" published proof-of-concept code, which they dubbed BlueHammer, a week before the fix, in protest at how Microsoft's Security Response Center handled the report. Microsoft patched it on April 14 as part of Patch Tuesday, but Huntress reports weaponization began April 10, ahead of the patch, and telemetry showed attackers moving straight into credential discovery and Active Directory enumeration once SYSTEM was achieved, the classic prelude to lateral movement. Initial access in observed incidents came through other means, including compromised SSL-VPN credentials, with hands-on-keyboard operators using BlueHammer to escalate. CISA added it to the Known Exploited Vulnerabilities catalog on April 22 with a federal patch deadline of May 6, and later updated the entry to note ransomware use.

Flaw              BlueHammer                 RedSun                 UnDefend
CVE               CVE-2026-33825             Disclosed              Disclosed
Effect            Local priv-esc to SYSTEM   Privilege escalation   Blocks Defender updates
Needs admin?      No                         No                     No (standard user)
Patched           Yes, Apr 14                Not yet                Not yet
Seen in the wild  From Apr 10                PoC Apr 16             PoC Apr 16

What is the timeline security teams should know?

Short and unforgiving. BlueHammer is one of three related Defender flaws Chaotic Eclipse dropped, alongside RedSun, a second privilege-escalation bug, and UnDefend, which lets a standard user block Defender definition updates. Huntress saw BlueHammer exploited from April 10 and RedSun and UnDefend PoCs used from April 16. Only BlueHammer has a patch; the other two remained unpatched as of the reporting, meaning defenders can close the headline hole while two adjacent techniques stay open.

  1. Apr 10: BlueHammer exploited in the wild. Weaponized before any patch existed.
  2. Apr 14: Microsoft patches CVE-2026-33825. Part of April Patch Tuesday.
  3. Apr 16: RedSun and UnDefend PoCs used. Both still unpatched.
  4. Apr 22: CISA adds it to the KEV catalog. Federal fix deadline set for May 6.
  5. Since: Linked to ransomware campaigns. CISA updated the entry; the group is not yet named.

What to do now

  • Patch first. Apply the April 14 updates on every Windows endpoint and server. That closes BlueHammer itself.
  • Assume the adjacent flaws. With RedSun and UnDefend unpatched, watch for Defender update failures and unexpected privilege changes.
  • Hunt post-SYSTEM behavior. Credential access and AD enumeration right after a privilege jump is the signature to alert on.
  • Lock the front door. Observed intrusions started with stolen SSL-VPN credentials. Enforce MFA and rotate exposed VPN logins.
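As an added illustration of the hunt described above (this is not code from the article, Huntress or Microsoft), the following correlates constructed sample telemetry: a SYSTEM-context process appearing shortly after standard-user activity on the same host, followed within minutes by AD enumeration or credential access. The event layout, the enumeration tool list and the time windows are assumptions chosen for the demonstration.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry, not real Huntress or Defender data.
# Each line: timestamp host user integrity action [args...]
SAMPLE_EVENTS = """\
2026-04-10T09:00:00 ws01 jdoe medium process_start outlook.exe
2026-04-10T09:02:10 ws01 jdoe medium defender_remediation quarantine_rollback
2026-04-10T09:02:15 ws01 SYSTEM system process_start cmd.exe
2026-04-10T09:03:00 ws01 SYSTEM system process_start nltest.exe /dclist:corp
2026-04-10T09:04:30 ws01 SYSTEM system credential_access lsass_memory_read
2026-04-10T11:00:00 ws02 asmith medium process_start chrome.exe
2026-04-10T11:30:00 ws02 SYSTEM system process_start svchost.exe
2026-04-10T11:31:00 ws02 SYSTEM system process_start wuauclt.exe
"""

# Assumed heuristics (not from the article): tools that commonly enumerate AD,
# how close user-session activity must be to a SYSTEM process to call it a
# privilege jump, and how long after the jump to look for follow-on signals.
AD_ENUM_TOOLS = ("nltest.exe", "net.exe", "dsquery.exe", "adfind.exe")
JUMP_GAP = timedelta(minutes=5)
FOLLOW_WINDOW = timedelta(minutes=10)

def parse_events(text):
    events = []
    for line in text.splitlines():
        ts, host, user, integrity, action, *args = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "host": host, "user": user,
                       "integrity": integrity, "action": action, "args": args})
    return sorted(events, key=lambda e: (e["host"], e["ts"]))

def is_post_jump_signal(ev):
    """Credential access, or a process start of a known AD enumeration tool."""
    if ev["action"] == "credential_access":
        return True
    return ev["action"] == "process_start" and bool(ev["args"]) \
        and ev["args"][0].lower() in AD_ENUM_TOOLS

def hunt_post_system_activity(events):
    alerts = []
    last_user_activity = {}  # host -> (ts, user) of latest medium-integrity event
    for i, ev in enumerate(events):
        if ev["integrity"] == "medium":
            last_user_activity[ev["host"]] = (ev["ts"], ev["user"])
            continue
        if ev["integrity"] != "system" or ev["action"] != "process_start":
            continue
        prev = last_user_activity.get(ev["host"])
        if prev is None or ev["ts"] - prev[0] > JUMP_GAP:
            continue  # SYSTEM process with no recent user-session activity: routine service work
        followups = [e for e in events[i + 1:] if e["host"] == ev["host"]
                     and e["ts"] - ev["ts"] <= FOLLOW_WINDOW and is_post_jump_signal(e)]
        if followups:
            alerts.append({"host": ev["host"], "user": prev[1], "jump_at": ev["ts"],
                           "signals": [f["action"] + " " + " ".join(f["args"]) for f in followups]})
            last_user_activity.pop(ev["host"], None)  # one alert per jump, not per SYSTEM child
    return alerts
```

On the sample data only ws01 fires: the SYSTEM cmd.exe five seconds after a user-session remediation, followed by nltest and an LSASS read; ws02's SYSTEM service starts have no nearby user activity and are ignored.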

Our take

BlueHammer is a textbook lesson in why endpoint security tools are such attractive targets: they run with the highest privileges and are trusted implicitly, so a logic flaw in one is worth more to an attacker than a dozen bugs in ordinary software. The race-condition trick here is elegant in the worst way, using Defender's remediation, the exact feature meant to undo attacks, as the delivery vehicle for one. Just as instructive is the disclosure drama. A researcher frustrated with Microsoft's process dumped working exploit code into the open, and attackers were using it days before the patch landed. That is the recurring tax on adversarial disclosure: the patch and the weaponization arrive in the wrong order. Patch BlueHammer today, but treat RedSun and UnDefend as live, because the same researcher handed everyone the blueprint and only one door is shut.

Primary sources

Original analysis by GenZTech. Details per vendor and CISA advisories, current as of July 2026.