Cybersecurity

BlueHammer (CVE-2026-33825): The Microsoft Defender Flaw Now Used in Ransomware

CISA has flagged BlueHammer (CVE-2026-33825), a Microsoft Defender privilege-escalation vulnerability, as exploited in ransomware attacks. Here's what the flaw does, whether you're patched, and why patching alone doesn't fully close it.

Waqas Ahmed Waseer
Waqas Ahmed Waseer Jul 8, 2026 8 min read
BlueHammer (CVE-2026-33825): The Microsoft Defender Flaw Now Used in Ransomware

CISA has updated its Known Exploited Vulnerabilities catalog to flag BlueHammer, tracked as CVE-2026-33825, as now being used in ransomware campaigns. It's a local privilege-escalation flaw in Microsoft Defender itself: an attacker who already has a foothold on a Windows machine can abuse Defender's own file-remediation logic to escalate from a normal user to SYSTEM. If your Windows fleet took the April 2026 patches you're covered against this specific bug, but the story is messier than a single CVE, and the mitigation is not just "patch and forget."

The uncomfortable part is where the flaw lives. BlueHammer turns the tool that's supposed to protect the endpoint into the mechanism that hands over the endpoint. For defenders that inverts a normal assumption: the antivirus process running as SYSTEM becomes the ladder an attacker climbs, not the thing stopping them.

What is the BlueHammer vulnerability?

BlueHammer is a local privilege-escalation (LPE) vulnerability in Microsoft Defender Antivirus, assigned CVE-2026-33825 with a CVSS score of 7.8. It is not a remote exploit; an attacker needs to already run code on the machine as a low-privileged user. What it buys them is the top prize on a single host: SYSTEM-level control.

The mechanism is a time-of-check to time-of-use (TOCTOU) race condition in Defender's remediation workflow. As Picus Security's technical breakdown describes it, the exploit plants a file that triggers Defender detection, uses a batch opportunistic lock (oplock) to freeze Defender mid-operation, then swaps an NTFS junction under the target path so that when Defender resumes and writes with its SYSTEM privileges, the write lands somewhere the attacker chose. In practice that's used to reach the SAM registry hive and pull NTLM password hashes, which enables a pass-the-hash takeover of local administrator accounts. No kernel exploit, no memory corruption, just Defender's own privileged file handling turned against it.

Severity of 7.8 (High) rather than critical reflects that local access is a prerequisite. But privilege escalation is exactly the step ransomware crews need after an initial phish or a stolen credential, which is why CISA's ransomware flag matters more than the base score suggests.

Why this is news now

BlueHammer didn't arrive through the normal coordinated-disclosure channel. In early April 2026 a researcher going by "Nightmare Eclipse" leaked the flaw along with working proof-of-concept exploit code, reportedly in protest at how Microsoft's Security Response Center handles disclosure. That made it a true zero-day: a public, weaponized exploit existed before a fix did.

The timeline since then:

Date (2026)Event
Early April"Nightmare Eclipse" leaks the flaw + PoC exploit code publicly
April 14Microsoft ships the fix in Patch Tuesday as CVE-2026-33825
April 22CISA adds CVE-2026-33825 to the Known Exploited Vulnerabilities catalog
Early MayFederal (FCEB) remediation deadline under the two-week KEV rule
Late JuneCISA updates the KEV entry to flag the flaw as used in ransomware

The late-June update is the fresh development. CISA has now marked CVE-2026-33825 as "known to be used in ransomware campaigns" in its catalog. Notably, Microsoft's own advisory still doesn't confirm in-the-wild exploitation and rates it "Exploitation More Likely" rather than "Detected" — so there's daylight between what CISA is seeing operationally and what the vendor will formally attest. No specific ransomware group has been named publicly yet.

Are you exposed? How to check

BlueHammer affects Microsoft Defender Antivirus on all supported Windows desktop and server builds — Windows 10, Windows 11, and Windows Server 2016, 2019, 2022 and 2025 — on any system running the Defender platform from before the April 2026 update. Practical checks for an administrator:

  • Confirm the April 2026 (or later) cumulative update is installed. The Defender-specific fix rode the April 14 Patch Tuesday. A fleet that's current on monthly patches is protected against CVE-2026-33825 specifically.
  • Check the Defender platform version, not just the OS build. Defender's antimalware platform and engine update out-of-band from Windows. Get-MpComputerStatus in PowerShell shows AMProductVersion and AMEngineVersion; verify they reflect a post-April 2026 release.
  • Prioritize machines where users run unprivileged but locally. LPE only matters where an attacker can already execute code as a normal user — shared workstations, RDP/VDI hosts, and developer boxes are the high-value targets here.
  • Cross-reference the KEV deadline if you're a federal or contract-bound org. The BOD 22-01 clock on this one already ran in early May; an unpatched host now is both a security and a compliance problem.

If you can't confirm patch status across the estate quickly, that gap is worth closing this week. The same discipline applies every month — our writeup of the June 2026 Patch Tuesday and its six zero-days is a reminder of how fast the exploited-in-the-wild list turns over.

The catch: patching BlueHammer doesn't close the whole hole

Here's the detail most single-CVE coverage skips. BlueHammer shipped with siblings. Security researchers documented two closely related Defender abuse techniques — RedSun and UnDefend — being used in the wild alongside it, and they don't all die with the April patch.

  • RedSun uses the same family of tricks (Cloud Files API, oplocks, directory junctions) but targets a different service, TieringEngineService.exe, and baits Defender's real-time engine with an embedded EICAR test string to trigger a remediation cycle it then redirects. Crucially, RedSun has been reported to still work on fully patched Windows 10, 11 and Server 2019+ even after the April updates.
  • UnDefend isn't a privilege-escalation exploit at all. It progressively degrades Defender's detection fidelity by interfering with its definition-update mechanism — a quiet, post-exploitation move to blind the endpoint before the next stage.

The takeaway: patching CVE-2026-33825 is necessary but not sufficient. The underlying pattern — abusing a SYSTEM-privileged security agent's file operations via junctions and oplocks — is a class of technique, and the class isn't fully patched. That's the argument for behavioral detection on top of patching.

What to actually do

Patch first, then add detection for the technique rather than the single signature. Based on the behavioral indicators researchers have published, watch your EDR/SIEM for:

  • Unexpected SYSTEM-level writes into user-writable directories, especially following file operations attributed to Defender.
  • NTFS junction / directory-reparse-point creation by non-admin processes in paths Defender remediates.
  • Defender update suppression or sudden drops in definition freshness across endpoints — a possible UnDefend footprint.
  • Classic pre-escalation reconnaissance like whoami /priv from unprivileged sessions immediately before Defender-related activity.

Because the whole point of this flaw class is that the attacker already has a local foothold, it also reinforces the case for reducing what a single compromised endpoint can reach. Network segmentation and identity-first access controls limit the blast radius of a SYSTEM takeover — the same logic behind moving off flat networks that we covered in Zero Trust vs VPN in 2026. And if this feels familiar, it's the same shape as other 2026 local-root bugs like the Bad Epoll Linux kernel flaw: the perimeter holds, but the box under attacker code is one primitive away from full control.

FAQ

What is CVE-2026-33825 (BlueHammer)? It's a local privilege-escalation vulnerability in Microsoft Defender Antivirus, CVSS 7.8. By abusing a TOCTOU race in Defender's file-remediation logic (using oplocks and NTFS junctions), a low-privileged attacker can redirect Defender's SYSTEM-level writes and escalate to SYSTEM, ultimately pulling NTLM hashes from the SAM database.

Is BlueHammer being exploited in ransomware attacks? CISA has updated its Known Exploited Vulnerabilities catalog to mark CVE-2026-33825 as used in ransomware campaigns. Microsoft's advisory has not formally confirmed in-the-wild exploitation and rates it "Exploitation More Likely." No specific ransomware group has been publicly named.

Is there a patch for BlueHammer? Yes. Microsoft fixed CVE-2026-33825 in the April 14, 2026 Patch Tuesday. Any Windows system on the April 2026 or later Defender platform is protected against this specific CVE. Confirm both the OS cumulative update and the Defender antimalware platform version.

Does patching fully protect me from these Defender attacks? Not entirely. Related techniques documented alongside BlueHammer — notably RedSun — have been reported to still work on fully patched systems, and UnDefend degrades Defender's detection rather than escalating privileges. Patch, then add behavioral detection for junction/oplock abuse and unexpected SYSTEM writes.

Who is affected by CVE-2026-33825? Microsoft Defender Antivirus on Windows 10, Windows 11, and Windows Server 2016, 2019, 2022 and 2025, on any host running a pre-April-2026 Defender platform. Because it requires local code execution, shared workstations, RDP/VDI hosts and developer machines are the highest-priority targets.

Sources

Some links may earn us a commission at no extra cost to you.

Waqas Ahmed Waseer

Waqas Ahmed Waseer

Waqas Ahmed Waseer is a developer and automation builder with 8+ years shipping production systems used by 100k+ people. He builds custom multi-tenant SaaS, AI automation (n8n, LLM workflows, WhatsApp bots) and hosting infrastructure (WHM/cPanel, CloudLinux) — and is the maker of WaSphere, FlowMaticX, and the WaseerHost hosting brand. 100+ projects delivered for SMBs, agencies and funded startups.

Related

More in Cybersecurity

View all

Discussion · 0

Be kind. Comments are public.

    Newsletter · Monday edition

    The Monday brief.

    One email every Monday morning. The week ahead in AI, startups, hosting and dev tools — no fluff, no sponsored bait.

    Free. Unsubscribe in one click.