A high-severity vulnerability in Microsoft Defender, tracked as CVE-2026-33825, allows attackers with low-privileged local access to escalate privileges to full SYSTEM control on Windows 10, Windows 11, and Windows Server systems, and CISA has now mandated that federal agencies patch it by May 6, 2026.
Microsoft Defender, the built-in antimalware solution installed by default on over a billion Windows devices worldwide, has been found to contain a critical access control flaw that attackers can weaponize to seize complete control of a vulnerable system.
Assigned a CVSS score of 7.8 (High) and classified under CWE-1220 (Insufficient Granularity of Access Control), CVE-2026-33825 was publicly disclosed on April 7, 2026, alongside a fully functional proof-of-concept (PoC) exploit dubbed “BlueHammer,” making it a true zero-day at the time of its release.
CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog on April 22, 2026, with a mandatory remediation deadline of May 6, 2026, under Binding Operational Directive (BOD) 22-01.
While exploitation in ransomware campaigns has not yet been confirmed, the vulnerability’s technical profile and the existence of public PoC code significantly elevate real-world risk.
At its core, CVE-2026-33825 stems from a Time-of-Check to Time-of-Use (TOCTOU) race condition inside Windows Defender’s threat remediation engine.
Defender performs privileged file operations during malware cleanup without adequately validating the target file path at the time of the write operation, creating a timing gap that an attacker can exploit.
The BlueHammer exploit chain works as follows:
- The attacker places a crafted file that triggers a Defender detection event.
- When Defender initiates remediation, an opportunistic lock (oplock) is used to pause the file operation at a critical point.
- During the pause, the attacker creates an NTFS junction point, redirecting Defender’s target path to C:\Windows\System32.
- When the oplock is released, Defender resumes under its SYSTEM-level privileges and writes to the redirected path, overwriting a legitimate system executable with a malicious payload.
- When the overwritten binary executes, the attacker achieves full SYSTEM-level code execution from an unprivileged account.
A second exploit technique, “RedSun”, was disclosed shortly after by security researchers. RedSun abuses Defender’s cloud file rollback mechanism: when Defender detects a cloud-tagged file, it attempts to restore that file without validating the target path, allowing attackers to use the Windows Cloud Files API in combination with NTFS junctions to redirect writes to privileged directories.
Together, BlueHammer and RedSun, along with a third technique called “UnDefend” that degrades Defender’s update capability, expose systemic weaknesses in Defender’s architecture that threat actors can chain together for persistent compromise.
Affected Products
The vulnerability affects a broad range of Microsoft products:
| Product | Affected Versions |
|---|---|
| Windows 10 | All supported versions |
| Windows 11 | All supported versions |
| Windows Server | 2016, 2019, 2022, 2025 |
| Microsoft Defender Antimalware Platform | Versions prior to 4.18.26050.3011 (last vulnerable: 4.18.26020.6) |
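The fixed platform build in the table is the one number an administrator can check directly on each endpoint. The following script is an added example, not code from the article or from Microsoft: it reads the installed antimalware platform version with the Defender module’s `Get-MpComputerStatus` cmdlet and compares it against 4.18.26050.3011 as a proper `[version]` rather than a string. The helper name `Test-DefenderPlatformPatched`, the fleet list, and the use of `Invoke-Command` for remote hosts are assumptions for illustration; the cmdlet and its `AMProductVersion`, `AMEngineVersion`, `AntivirusSignatureVersion`, `AntivirusSignatureAge` and `RealTimeProtectionEnabled` properties are the real ones exposed by the Defender PowerShell module.

```powershell
# Added example (not from the article or Microsoft): report whether the local
# Defender antimalware platform is at or above the fixed build from the table.
# Assumes Windows 10/11 or Windows Server with the Defender PowerShell module,
# which provides Get-MpComputerStatus.

$FixedPlatformVersion = [version]'4.18.26050.3011'   # fixed build, from the article

function Test-DefenderPlatformPatched {
    param([version]$MinimumVersion = $FixedPlatformVersion)

    $status    = Get-MpComputerStatus
    # AMProductVersion is the antimalware *platform* version (the one in the table),
    # distinct from the engine and signature versions.
    $installed = [version]$status.AMProductVersion

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        PlatformVersion    = $installed
        EngineVersion      = $status.AMEngineVersion
        SignatureVersion   = $status.AntivirusSignatureVersion
        SignatureAgeDays   = $status.AntivirusSignatureAge
        RealTimeProtection = $status.RealTimeProtectionEnabled
        Patched            = ($installed -ge $MinimumVersion)   # [version] compares numerically
    }
}

# Single host: print the result.
Test-DefenderPlatformPatched | Format-List

# Fleet check (assumption: WinRM/PowerShell remoting is enabled and the caller
# has admin rights on the targets). Host names below are constructed placeholders.
$Hosts = @('WKS-PLACEHOLDER-01', 'WKS-PLACEHOLDER-02')
$results = foreach ($h in $Hosts) {
    try {
        Invoke-Command -ComputerName $h -ScriptBlock ${function:Test-DefenderPlatformPatched} `
            -ArgumentList $FixedPlatformVersion -ErrorAction Stop
    } catch {
        # An unreachable host is reported, not silently skipped, so it does not
        # disappear from the patch-status picture.
        [pscustomobject]@{ ComputerName = $h; Patched = $null; Error = $_.Exception.Message }
    }
}
$results | Where-Object { $_.Patched -ne $true } | Format-Table ComputerName, PlatformVersion, Patched, Error -AutoSize
```

The final filter lists only hosts that are not confirmed patched, which is the list that matters against the May 6 deadline. Comparing with `[version]` avoids the classic mistake of string comparison, where `4.18.26020.6` would sort after `4.18.26050.3011` because of the trailing digit.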
Exploitation requires only local access with low privileges and no user interaction, meaning any attacker who has established even a basic foothold through phishing, a drive-by download, or a compromised insider account can immediately leverage this flaw to escalate to full SYSTEM control.
The business impact of CVE-2026-33825 extends well beyond a single endpoint compromise. Once an attacker escalates to SYSTEM-level privileges, they can turn off security tools, exfiltrate sensitive data, modify audit logs, and move laterally across enterprise networks.
Even organizations with robust perimeter defenses are exposed if a single internal endpoint is breached. Security researchers warn that this vulnerability is particularly dangerous when chained with other exploits. For instance, an initial access broker could use a phishing lure to land on a system, then immediately leverage BlueHammer or RedSun to gain SYSTEM rights before endpoint detection tools can respond.
Reports indicate threat actors have already begun testing and deploying this exploit in real-world attacks, particularly targeting users who rely on Defender as their primary security layer.
The broader context is equally alarming: within a 13-day window in April 2026, three separate zero-day exploits targeting Windows Defender (BlueHammer, UnDefend, and RedSun) were publicly released, signaling a coordinated or opportunistic surge in Defender-targeted research and exploitation.
Mitigation and Remediation
CISA’s directive under BOD 22-01 mandates that all Federal Civilian Executive Branch (FCEB) agencies apply vendor mitigations by May 6, 2026. Enterprise and private-sector organizations should treat this deadline as a best-practice benchmark.
Recommended immediate actions include:
- Apply the April 2026 Patch Tuesday security update, and upgrade Microsoft Defender Antimalware Platform to version 4.18.26050.3011 or later.
- Verify that automatic updates are enabled for Microsoft Defender and confirm that platform/signature versions are up to date across all endpoints.
- Deploy EDR monitoring rules to detect unusual Defender file write activity and NTFS junction creation.
- Implement application control policies (e.g., Windows Defender Application Control / AppLocker) to reduce the blast radius of privilege escalation attempts.
- Audit local access accounts and enforce least-privilege principles to limit the pool of users who could exploit the flaw.
- If patching is not immediately possible, consider isolating affected endpoints or discontinuing Defender use on critical systems until mitigations are applied.
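The third action above asks for monitoring of Defender file-write activity and NTFS junction creation. The script below is an added example, not code from the article or any EDR vendor, showing one way to hunt for that combination on a single host: it pulls recent Defender detection and remediation events (event IDs 1116 and 1117 in the Defender operational log) and then inventories junctions under user-writable locations whose target lies inside a protected system root, which is exactly the setup the BlueHammer chain needs. The function names, the search roots, the 24-hour window and the `-Depth` cap are assumptions chosen for illustration; it assumes Windows PowerShell 5.1 or later and an elevated session so that the operational log and all user profiles are readable.

```powershell
# Added example (not from the article or any vendor): hunt for the two signals
# the article's exploit chain depends on, Defender remediation activity and
# junctions from user-writable paths into protected system directories.
# Assumptions: Windows PowerShell 5.1+, run elevated. Roots and window are illustrative.

$LookbackHours  = 24
$ProtectedRoots = @("$env:SystemRoot", "$env:ProgramFiles", "${env:ProgramFiles(x86)}") | Where-Object { $_ }
$UserWritable   = @("$env:SystemDrive\Users", "$env:ProgramData", "$env:SystemRoot\Temp")

function Get-DefenderRemediationEvents {
    param([int]$Hours = $LookbackHours)
    # 1116 = malware detected, 1117 = remediation action taken (Defender operational log)
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1116, 1117
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id,
            @{ n = 'Summary'; e = { ($_.Message -split "`n")[0].Trim() } }
}

function Get-SuspiciousJunctions {
    param(
        [string[]]$SearchRoots = $UserWritable,
        [string[]]$Protected   = $ProtectedRoots,
        [int]$Hours            = $LookbackHours,
        [int]$MaxDepth         = 6   # cap recursion; Windows PowerShell 5.1 follows junctions when recursing
    )
    $since = (Get-Date).AddHours(-$Hours)
    foreach ($root in $SearchRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Recurse -Depth $MaxDepth -Directory -Force `
                      -Attributes ReparsePoint -ErrorAction SilentlyContinue |
            Where-Object { $_.LinkType -eq 'Junction' } |
            ForEach-Object {
                $target = @($_.Target)[0]   # 5.1 may return an array; PS 7 returns a string
                $intoProtected = $false
                foreach ($p in $Protected) {
                    if ($target -and $target.StartsWith($p, [System.StringComparison]::OrdinalIgnoreCase)) {
                        $intoProtected = $true
                    }
                }
                if ($intoProtected) {
                    [pscustomobject]@{
                        Junction = $_.FullName
                        Target   = $target
                        Created  = $_.CreationTime
                        Recent   = ($_.CreationTime -ge $since)   # created inside the lookback window
                        Owner    = (Get-Acl -LiteralPath $_.FullName -ErrorAction SilentlyContinue).Owner
                    }
                }
            }
    }
}

"== Defender detection/remediation events, last $LookbackHours h =="
Get-DefenderRemediationEvents | Format-Table -AutoSize

"== Junctions in user-writable paths that point into protected roots =="
Get-SuspiciousJunctions | Format-Table -AutoSize
```

A junction owned by a standard user, created minutes before a 1117 remediation event and pointing into `C:\Windows\System32`, is the pattern worth escalating; a long-lived junction owned by SYSTEM or an installer is usually benign and can be baselined. The same two signals map onto an EDR rule: file-system reparse-point creation in user-writable paths joined, within a short window, to Defender remediation activity on the same host.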
FAQ
Q1: What is CVE-2026-33825?
It is a high-severity (CVSS 7.8) local privilege escalation vulnerability in Microsoft Defender, caused by insufficient access control granularity (CWE-1220), that allows a low-privileged attacker to gain full SYSTEM-level access on Windows systems.
Q2: Is CVE-2026-33825 actively exploited in ransomware campaigns?
The exploitation status is currently listed as “unknown” for ransomware use, but public PoC code exists, and threat actors have been observed testing the exploit in real-world environments.
Q3: Which Microsoft Defender version fixes CVE-2026-33825?
Updating the Microsoft Defender Antimalware Platform to version 4.18.26050.3011 or later, released as part of the April 2026 Patch Tuesday update, remediates the vulnerability.
Q4: What is CISA’s remediation deadline for CVE-2026-33825?
CISA added CVE-2026-33825 to the KEV Catalog on April 22, 2026, and requires all FCEB agencies to apply mitigations by May 6, 2026, per BOD 22-01 guidance.
Site: thecybrdef.com