- CISA added BlueHammer, a Microsoft Defender privilege escalation flaw, to its catalog of known exploited vulnerabilities.
- Federal agencies have until May 6 to patch or suspend its use, as researchers confirmed active exploitation in the wild.
- The disclosure came from “Chaotic Eclipse,” who also revealed two other Defender zero-days; Huntress Labs has linked exploitation attempts to suspicious infrastructure in several regions.
The US Cybersecurity and Infrastructure Security Agency (CISA) has added BlueHammer to its catalog of known exploited vulnerabilities (KEV), giving Federal Civil Executive Branch (FCEB) agencies a two-week window to patch or stop using the vulnerable software entirely.
BlueHammer is described as an “insufficient access control granularity in Microsoft Defender” vulnerability that allows an unauthorized attacker to elevate privileges locally. It is tracked as CVE-2026-33825 and has been assigned a severity score of 7.8/10 (High).
It was first disclosed in early April of this year by a security researcher going by the alias “Chaotic Eclipse.” They published the vulnerability on their blog, as a zero-day at the time, because they were dissatisfied with the way Microsoft handles vulnerability disclosures.
RedSun and unDefend
“I wasn’t fooling Microsoft and I’m doing it again,” they said, before sharing a GitHub repository for BlueHammer.
Microsoft responded by saying it has a “customer commitment to investigate reported security issues and update affected devices to protect customers as soon as possible.”
“We also support coordinated vulnerability disclosure, a widely adopted industry practice that helps ensure that issues are carefully investigated and addressed before public disclosure, supporting both customer protection and the security research community,” Microsoft said.
A week later, the same researcher revealed another zero-day vulnerability in Microsoft Defender. This one, called RedSun, is described as a local privilege escalation flaw that gives malicious actors SYSTEM privileges on the latest versions of Windows 10, Windows 11, and Windows Server where Defender is enabled.
They also released a third flaw, called unDefend, which can apparently be exploited by a standard user to block Defender definition updates.
When CISA adds a vulnerability to KEV, it means they have evidence that it is being actively exploited in the wild. FCEB agencies have until May 6 to patch.
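The practical consequence of a KEV listing is a hard remediation deadline, so the first thing a defender does is check whether a CVE on their asset inventory is in the catalog and how many days remain. The script below is an added example and not part of the article: it parses a document in the KEV feed's JSON schema and triages a list of CVEs against it. The CVE id, product and May 6 due date are taken from the article; the `dateAdded` value, the `requiredAction` wording and the second placeholder entry are constructed so the example runs offline (the live catalog is published at the URL in `KEV_FEED_URL`).

```python
import json
from datetime import date

# Real location of the live catalog. Not fetched here so the example runs offline.
KEV_FEED_URL = ("https://www.cisa.gov/sites/default/files/feeds/"
                "known_exploited_vulnerabilities.json")

# Constructed sample using the KEV feed's field names. The CVE id, product and
# May 6 due date come from the article; dateAdded and the requiredAction text
# are assumptions, and the second entry is a placeholder that only exists to
# exercise the overdue filter.
SAMPLE_FEED = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {
            "cveID": "CVE-2026-33825",
            "vendorProject": "Microsoft",
            "product": "Defender",
            "vulnerabilityName": "Microsoft Defender Insufficient Access Control Granularity Vulnerability",
            "dateAdded": "2026-04-22",
            "requiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.",
            "dueDate": "2026-05-06",
        },
        {
            "cveID": "CVE-0000-00000",
            "vendorProject": "ExampleVendor",
            "product": "ExampleProduct",
            "vulnerabilityName": "Placeholder entry (constructed)",
            "dateAdded": "2026-03-01",
            "requiredAction": "Apply updates per vendor instructions.",
            "dueDate": "2026-03-22",
        },
    ],
})


def load_kev(feed_text):
    """Parse a KEV JSON document into a dict keyed by CVE id."""
    doc = json.loads(feed_text)
    return {v["cveID"]: v for v in doc["vulnerabilities"]}


def lookup(catalog, cve_id):
    """Return the KEV entry for cve_id, or None if CISA has not listed it."""
    return catalog.get(cve_id.strip().upper())


def days_until_due(entry, today_iso):
    """Days left before the FCEB remediation deadline; negative once overdue.

    today_iso is an ISO date string such as "2026-04-28".
    """
    due = date.fromisoformat(entry["dueDate"])
    return (due - date.fromisoformat(today_iso)).days


def overdue_entries(catalog, today_iso):
    """Sorted CVE ids whose due date has already passed as of today_iso."""
    return sorted(cve for cve, e in catalog.items()
                  if days_until_due(e, today_iso) < 0)


def triage(catalog, observed_cves, today_iso):
    """Map each CVE from an asset inventory to its KEV status.

    Returns {cve: (listed, days_left_or_None, required_action_or_None)}.
    CVEs not in the catalog are reported as unlisted rather than ignored, so
    the caller can still apply its normal patch policy to them.
    """
    result = {}
    for cve in observed_cves:
        entry = lookup(catalog, cve)
        if entry is None:
            result[cve] = (False, None, None)
        else:
            result[cve] = (True, days_until_due(entry, today_iso),
                           entry["requiredAction"])
    return result


if __name__ == "__main__":
    catalog = load_kev(SAMPLE_FEED)
    today = "2026-04-28"  # constructed "today" for a deterministic run
    # "CVE-0000-99999" is a placeholder for a CVE that is not in the catalog.
    for cve, (listed, left, action) in triage(
            catalog, ["CVE-2026-33825", "CVE-0000-99999"], today).items():
        if listed:
            print(f"{cve}: KEV-listed, {left} day(s) until due. {action}")
        else:
            print(f"{cve}: not in KEV")
    print("overdue:", overdue_entries(catalog, today))
```

To run this against the real catalog, download the JSON from `KEV_FEED_URL` and pass its contents to `load_kev` instead of `SAMPLE_FEED`; the field names used here (`cveID`, `dueDate`, `requiredAction`) are the ones the live feed uses.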
At the same time, security researchers at Huntress Labs said they have seen malicious actors abusing the flaws in the wild.
“The activity also appeared to be part of a broader intrusion rather than an isolated proof of concept (PoC),” the cybersecurity company said in a report. “Huntress identified suspicious FortiGate SSL VPN access linked to the compromised environment, including a source IP geolocated in Russia, with additional suspicious infrastructure observed in other regions.”
Via BleepingComputer