CISA has officially added a fresh vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, citing evidence of active exploitation in the wild. The flaw, tracked as CVE-2026-33825—and colloquially dubbed BlueHammer—targets Microsoft Defender’s access control mechanisms.
BlueHammer surfaced out of a public dispute between the research community and big tech. A researcher known as “Chaotic Eclipse” (or “Nightmare-Eclipse”) released proof-of-concept (PoC) code for the flaw as a form of protest, citing frustration with how the Microsoft Security Response Center (MSRC) handled the initial disclosure process.
Huntress Labs recently reported that all three of the researcher’s exploits—BlueHammer, RedSun, and UnDefend—have been spotted in active attacks. BlueHammer specifically has been exploited in the wild since April 10.
Security analyst Will Dormann confirmed that the exploit works and classified the bug as a Local Privilege Escalation (LPE) flaw. The vulnerability chains two classic exploitation techniques:
- TOCTOU (Time-of-Check to Time-of-Use): a race condition in which a privileged component validates a file or resource and only later acts on it; an attacker who swaps the object in the window between the check and the use defeats the check.
- Path Confusion: tricking the application into operating on a file at a location it was never intended to touch.
By chaining these two steps, an attacker can read the Security Account Manager (SAM) database, which holds the password hashes for local accounts. With those hashes in hand, the attacker can escalate to SYSTEM privileges and take full control of the machine.
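To make the TOCTOU half of the chain concrete, here is an added, self-contained illustration (not code from the article, the researcher, or Microsoft): a check-then-use file reader that can be raced with a symlink swap, beside the open-then-verify form that closes the window. The scenario, file names and the hook that simulates a concurrent writer are constructed for the demo, and `O_NOFOLLOW` is the POSIX flag used here to stand in for whatever safe-open primitive the target platform offers.

```python
import os
import stat
import tempfile

def vulnerable_read(path, between_check_and_use=lambda: None):
    """Check-then-use: inspect the *path*, then open the *path* later.
    The hook stands in for a concurrent writer winning the race window."""
    if stat.S_ISLNK(os.lstat(path).st_mode):
        raise PermissionError("symlink rejected")
    between_check_and_use()          # the window TOCTOU bugs live in
    with open(path, "rb") as f:      # may now be a different object
        return f.read()

def hardened_read(path, after_open=lambda: None):
    """Open first, then verify the object actually opened via its descriptor.
    O_NOFOLLOW (POSIX) refuses to traverse a final-component symlink."""
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    with os.fdopen(fd, "rb") as f:
        after_open()                 # later path changes no longer matter
        st = os.fstat(f.fileno())    # describes the open file, not the path
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError("not a regular file")
        return f.read()

def demo():
    """Constructed scenario: a 'public' path is swapped for a symlink to a
    sensitive file between the check and the use. Returns what each reader saw."""
    out = {}
    with tempfile.TemporaryDirectory() as d:
        public = os.path.join(d, "public.txt")
        sensitive = os.path.join(d, "sensitive.txt")
        with open(sensitive, "wb") as f:
            f.write(b"SENSITIVE")
        def reset():                 # restore the harmless regular file
            if os.path.lexists(public):
                os.remove(public)
            with open(public, "wb") as f:
                f.write(b"harmless")
        def swap_for_symlink():      # the attacker's move in the race window
            os.remove(public)
            os.symlink(sensitive, public)
        reset()
        out["vulnerable"] = vulnerable_read(public, swap_for_symlink)
        reset()
        out["hardened_swap_after_open"] = hardened_read(public, swap_for_symlink)
        reset()
        swap_for_symlink()
        try:
            hardened_read(public)
            out["hardened_preexisting_symlink"] = "followed"
        except OSError:              # ELOOP from O_NOFOLLOW, or the fstat check
            out["hardened_preexisting_symlink"] = "refused"
    return out
```

The vulnerable reader returns the sensitive content because its check described a file that no longer existed by the time it opened the path; the hardened reader either keeps reading the object it already opened or refuses the symlink outright.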
Threat actors have been observed using hands-on-keyboard tactics, gaining initial entry through compromised SSL VPN accounts and then deploying the trio of exploits.
While Microsoft addressed BlueHammer in the April 2026 security updates, the RedSun and UnDefend flaws remain unaddressed at this time.
Because this flaw poses a significant risk to enterprise environments, CISA has set a strict deadline. Federal Civilian Executive Branch (FCEB) agencies are required to remediate CVE-2026-33825 by May 6, 2026.