🟢 CVE-2026-33825

This is a local privilege escalation vulnerability in the Microsoft Defender Antimalware Platform that requires existing local access to the system. Despite being high severity and listed in CISA KEV, it cannot be exploited directly over the internet, because Defender is an endpoint security tool rather than a public-facing service.

Risk Level: LOW_RISK
CVSS Score: 7.8
Attack Vector: LOCAL
ATT&CK Tactic: Privilege Escalation
ATT&CK Technique: T1068 — Exploitation for Privilege Escalation
Deployment Risk: LOW
Ransomware: No

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: OTHER

CVE Published: 2026-04-14

Added to CISA KEV: 2026-04-22 (8 days between CVE publication and KEV listing)

🎯 Recommendations:

🔍 Web Intelligence (Kagi · 2026-06-04)

CVE-2026-33825 is a high-severity local privilege escalation vulnerability affecting the Microsoft Defender Antimalware Platform [1]. Publicly referred to as "BlueHammer," the vulnerability was disclosed on April 14, 2026 [1] [6].

Key Details
  • Vulnerability Type: Local Privilege Escalation (LPE) via a Time-of-Check to Time-of-Use (TOCTOU) race condition [1]
  • Root Cause: Insufficient granularity of access control within Microsoft Defender's signature update and remediation logic [4] [1]
  • Impact: Allows an attacker with standard local access to elevate privileges to `NT AUTHORITY\SYSTEM` [1] [6]
  • Requirements: Requires existing, legitimate local access to the machine; no remote network exploitation is possible [1]
Exploitation and Threat Landscape
  • Active Exploitation: The vulnerability has been confirmed as being actively exploited in the wild [2].
  • Usage: It has been observed in targeted attacks, often used to escalate privileges after an initial foothold has been established on a system [2].
  • Exploit Availability: Proof-of-concept (PoC) material and exploitation techniques, specifically those abusing Defender’s remediation logic (often linked to the "BlueHammer" moniker), have been discussed and analyzed by security researchers [3].
  • Urgency: Due to its active exploitation, CISA issued a federal deadline (June 3, 2026) for agencies to remediate this vulnerability [2].
Mitigation Status
  • Patch Status: Microsoft addressed this vulnerability as part of the April 2026 Patch Tuesday security updates [5].
  • Recommendation: Organizations are strongly advised to ensure all systems are updated to the latest version of the Microsoft Defender Antimalware Platform to mitigate the risk of privilege escalation.

Sources

  1. CVE-2026-33825: CVE-2026-33825: Local Privilege Escalation via TOCTOU ...

    CVE-2026-33825, publicly referred to as BlueHammer, is a high-severity local privilege escalation vulnerability within the Microsoft Defender Antimalware Platform. The flaw stems from insufficient access control granularity and a Time-of-Check to Time-of-Use (TOCTOU) race condition during signature…

  2. CVE-2026-33825 deep-dive: The researcher commented out the full ...

    Two Microsoft Defender vulnerabilities actively exploited. One grants full SYSTEM access. CISA has a June 3 federal deadline. Here is what to ...

  3. BlueHammer & RedSun: Windows Defender CVE-2026-33825 Zero-day ...

    Learn how CVE-2026-33825 enables attackers to escalate privileges via Windows Defender. Picus explains how the BlueHammer exploit abuses Defender's remediation logic to achieve SYSTEM access.

  4. CVE-2026-33825 Detail - NVD

    Description. Insufficient granularity of access control in Microsoft Defender allows an authorized attacker to elevate privileges locally.

  5. Microsoft and Adobe Patch Tuesday, April 2026 Security Update ...

    CVE-2026-33825: Microsoft Defender Elevation of Privilege Vulnerability. Microsoft Defender is a comprehensive, AI-powered security suite ...

  6. Microsoft Defender 0-Day Vulnerability Enables Privilege Escalation Attack

    Disclosed on April 14, 2026, the flaw is tracked as CVE-2026-33825 and carries an “Important” severity rating. If successfully exploited, this elevation-of-privilege vulnerability allows an attacker to bypass standard permissions and gain full SYSTEM privileges on the affected machine.