Microsoft Defender Flaws Used

- Attackers exploited Microsoft Defender vulnerabilities called BlueHammer and RedSun to escalate privileges to SYSTEM. (x.com)
- The exploited flaws allowed attackers to gain SYSTEM-level access on impacted Windows endpoints. (x.com)
- Organisations need urgent patching, telemetry review, and EDR rule updates to detect post-exploit activity. (x.com)

Windows defenders are rushing to patch a Microsoft Defender flaw that attackers have used to jump from a limited foothold to full SYSTEM control on a PC. (cisa.gov) The bug is tracked as CVE-2026-33825, an elevation-of-privilege flaw in Microsoft Defender that Microsoft patched on April 14, 2026. Microsoft rates it “Important,” with a CVSS score of 7.8. (msrc.microsoft.com, crowdstrike.com) In plain terms, elevation of privilege means an attacker who already has some code running on a machine can promote that access to the highest local level, SYSTEM. CrowdStrike said the flaw lets a local attacker with low privileges gain SYSTEM rights without user interaction. (crowdstrike.com, rapid7.com)

CISA added CVE-2026-33825 to its Known Exploited Vulnerabilities catalog on April 22, 2026, a step the agency reserves for bugs with confirmed in-the-wild exploitation. Federal civilian agencies must remediate KEV-listed flaws by the deadline CISA assigns under Binding Operational Directive 22-01. (cisa.gov, cisa.gov)

Independent researchers have tied public exploit tooling called BlueHammer to this Defender bug, and Huntress said it saw BlueHammer, RedSun and related “Nightmare-Eclipse” tooling during a real intrusion investigation in mid-April 2026. Tenable said public code for BlueHammer appeared on GitHub before the patch. (huntress.com, tenable.com)

That sequence matters because Defender is Microsoft’s built-in antivirus on a huge share of Windows systems, so a local privilege-escalation bug in the security product itself can turn a partial compromise into device takeover. Rapid7 said successful exploitation leads to SYSTEM privileges and should be patched quickly. (rapid7.com, microsoft.com)

Microsoft’s April 2026 Patch Tuesday was unusually large, covering 163 Microsoft CVEs by Tenable’s count, and CVE-2026-33825 was one of two zero-days in that release. The other, a SharePoint spoofing flaw, was the one Microsoft said was already under active attack when patches shipped. (tenable.com, crowdstrike.com)

For defenders, patching is only the first step. Microsoft says Defender for Endpoint includes reports that show suspicious or malicious activity, and Defender Vulnerability Management’s event timeline highlights when vulnerabilities become exploitable or newly relevant to an organization’s risk. (learn.microsoft.com, learn.microsoft.com) Tenable said affected systems should be updated to Microsoft Defender Antimalware Platform version 4.18.26030.3011 or later. For security teams that have not patched yet, the practical question is no longer whether the flaw is public, but whether someone has already used it after getting in. (tenable.com, cisa.gov)
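The quickest way to answer "is this host still exposed?" is to compare the installed Defender Antimalware Platform version with the 4.18.26030.3011 threshold Tenable cited. The PowerShell below is an added example, not code from the article or from Microsoft, Tenable or any other vendor named here: it uses the built-in `Get-MpComputerStatus` cmdlet (whose `AMProductVersion` property holds the platform version) and the function name `Test-DefenderPlatformPatched` is my own.

```powershell
# Added example: report whether this endpoint's Defender Antimalware Platform
# meets the minimum version Tenable cited for CVE-2026-33825 (4.18.26030.3011).
# Get-MpComputerStatus ships with the Defender PowerShell module on Windows.
$MinimumPlatform = [version]'4.18.26030.3011'

function Test-DefenderPlatformPatched {
    param(
        [version]$Minimum = $MinimumPlatform
    )

    # Fail loudly if Defender is not present or the cmdlet is unavailable.
    $status = Get-MpComputerStatus -ErrorAction Stop

    # AMProductVersion is a dotted string such as "4.18.xxxxx.x"; casting to
    # [version] gives a numeric, segment-by-segment comparison rather than a
    # string comparison that would misorder "4.18.9" and "4.18.10".
    $installed = [version]$status.AMProductVersion

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        PlatformVersion  = $installed
        MinimumVersion   = $Minimum
        EngineVersion    = $status.AMEngineVersion
        SignatureVersion = $status.AntivirusSignatureVersion
        RealTimeEnabled  = $status.RealTimeProtectionEnabled
        MeetsMinimum     = ($installed -ge $Minimum)
    }
}

# Run locally; with Invoke-Command the same function can be fanned out to a
# list of hosts and the MeetsMinimum column filtered for the ones still exposed.
Test-DefenderPlatformPatched | Format-List
```

A `MeetsMinimum` of `False` means the platform update has not landed on that host yet; a `True` only closes the patching step, so the telemetry review the article describes still applies to any host that was unpatched while the public tooling was circulating.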

Shared from Scout - Be the smartest in the room.