CVE-2026-33825 dominates coverage
- CISA on April 22 added CVE-2026-33825, a Microsoft Defender privilege-escalation flaw, to its Known Exploited Vulnerabilities list after evidence of active attacks using the bug on Windows systems.
- NIST says the flaw carries a CVSS 7.8 score and affects Microsoft Defender Antimalware Platform versions earlier than 4.18.26030.3011, letting an authorized local attacker gain higher privileges.
- Huntress said public BlueHammer exploit code tied to CVE-2026-33825 moved from release to a real intrusion within weeks, pushing agencies to patch by May 6. (huntress.com)
CVE-2026-33825 is a Microsoft Defender flaw that CISA moved onto its Known Exploited Vulnerabilities list on April 22 after finding evidence of active exploitation. (cisa.gov) The bug is an elevation-of-privilege issue in Microsoft Defender. In plain terms, it can let a logged-in attacker turn a low-level foothold on a Windows machine into much broader control. (nvd.nist.gov)

NIST lists the issue as CVSS 7.8 high severity and says it affects Microsoft Defender Antimalware Platform versions earlier than 4.18.26030.3011. The attack requires local access and low privileges, but no user interaction. (nvd.nist.gov)

CISA’s catalog entry gives federal civilian agencies until May 6, 2026, to remediate it under Binding Operational Directive 22-01. CISA also urged all organizations, not just federal agencies, to prioritize fixes for KEV-listed bugs. (nvd.nist.gov) (cisa.gov)

The exploit is widely referred to as BlueHammer in public reporting. Huntress said the tool was released publicly on April 2, 2026, and Microsoft shipped a patch for the underlying flaw in its April 2026 updates. (huntress.com) Huntress said it then saw BlueHammer used in a live intrusion investigation, alongside two other Defender-focused tools called RedSun and UnDefend. In that case, the suspected initial access point was a FortiGate SSL VPN login using valid credentials. (huntress.com)

That sequence is what pushed the flaw to the top of security teams’ patch queues: public proof-of-concept code, observed real-world abuse, and a federal remediation deadline all landed within the same April window. (huntress.com) (cisa.gov)

The flaw is not a remote break-in by itself. It becomes dangerous after an attacker already has a user account, stolen credentials, or some other way onto the machine, because it can raise that access to SYSTEM-level control. (nvd.nist.gov) (huntress.com)

Huntress said BlueHammer abuses a time-of-check, time-of-use race condition in Defender’s file operations. That means the software checks one thing, acts a split second later, and an attacker changes the target in between. (huntress.com)

The immediate response is narrow and concrete: update Defender, review remote-access logs, and investigate suspicious binaries launched from user-writable folders. The closing date on CISA’s order is May 6, and the reason is simple: this one has already been used. (nvd.nist.gov) (cisa.gov) (huntress.com)
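A defender-side check for the two host-level response steps above, written here as an added PowerShell example (not code from the article, Huntress, or CISA): it compares the Antimalware Platform version that Get-MpComputerStatus reports against the patched 4.18.26030.3011 threshold from the NVD entry, then lists recently created, unsigned binaries in user-writable folders for triage. The folder list and the 14-day lookback are assumptions.

```powershell
# Added example: Defender platform version check plus a user-writable-folder sweep.
# Assumptions: Windows host with the Defender PowerShell module (Get-MpComputerStatus),
# fixed platform version 4.18.26030.3011 (from the NVD entry), 14-day hunt window.
$PatchedPlatform = [version]'4.18.26030.3011'
$LookbackDays    = 14

function Test-DefenderPlatformPatched {
    # AMProductVersion is the Antimalware Platform version Defender reports.
    $status  = Get-MpComputerStatus
    $current = [version]$status.AMProductVersion
    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        PlatformVersion = $current
        Patched         = ($current -ge $PatchedPlatform)
        RealTimeEnabled = $status.RealTimeProtectionEnabled
    }
}

function Get-RecentUserWritableBinaries {
    param([int]$Days = $LookbackDays)
    # Folders a standard user can normally write to (assumed list); a local
    # privilege-escalation tool has to be staged somewhere like this before it runs.
    $roots = @(
        $env:TEMP, $env:APPDATA, $env:LOCALAPPDATA,
        $env:PUBLIC, $env:ProgramData,
        "$env:USERPROFILE\Downloads"
    ) | Where-Object { $_ -and (Test-Path $_) }
    $since = (Get-Date).AddDays(-$Days)
    Get-ChildItem -Path $roots -Recurse -File -Include *.exe,*.dll,*.ps1 -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -ge $since } |
        Select-Object FullName, CreationTime, Length,
            @{ n = 'Signed'; e = { (Get-AuthenticodeSignature $_.FullName).Status } } |
        Sort-Object CreationTime -Descending
}

$check = Test-DefenderPlatformPatched
$check | Format-List
if (-not $check.Patched) {
    Write-Warning "Defender platform $($check.PlatformVersion) is below $PatchedPlatform; apply the April 2026 update for CVE-2026-33825."
}

# Unsigned or recently created binaries in user-writable paths are the first items to triage.
Get-RecentUserWritableBinaries | Where-Object { $_.Signed -ne 'Valid' } | Format-Table -AutoSize
```

Run it in an elevated session so the sweep can read every profile; a host that reports Patched = False still needs the platform update even if the sweep comes back empty.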