CVE: CVE-2026-33825 | CVSS: 7.8 (HIGH) | Vendor: Microsoft | Product: Microsoft Defender
What Is the Vulnerability
CVE-2026-33825, dubbed “BlueHammer” by security researchers, is a local privilege escalation vulnerability in Microsoft Defender that allows an attacker with low-privilege code execution to escalate to SYSTEM — the highest privilege level on Windows. Because Microsoft Defender ships with every modern Windows installation and runs with elevated privileges by design, this vulnerability exposes virtually every unpatched Windows system through its own built-in antivirus.
The flaw resides in how Defender handles certain inter-process communications and file operations during real-time scanning. A sophisticated attacker can trigger a race condition or a symbolic link planting attack that causes Defender to perform file operations in attacker-controlled directories as SYSTEM, enabling arbitrary code execution at the highest integrity level.
The irony is stark: the very software designed to protect Windows systems becomes the most reliable privilege escalation vector on the platform.
Versions Affected
- Microsoft Defender on all supported versions of Windows 10 and Windows 11 (prior to April 2026 patches)
- Windows Server 2016, 2019, 2022 (prior to April 2026 patches)
- Microsoft Defender for Endpoint (all platforms, pre-April 2026)
Exploited?
Yes — active exploitation confirmed. A proof-of-concept exploit was publicly released in early April 2026, shortly after the vulnerability was disclosed. Microsoft issued a patch on April 14, 2026. The Cybersecurity and Infrastructure Security Agency (CISA) added BlueHammer to its Known Exploited Vulnerabilities (KEV) catalog on April 22, 2026, requiring all federal civilian agencies to patch within 21 days.
As of late June 2026, CISA has confirmed ransomware campaigns actively weaponizing BlueHammer in the wild. The typical attack chain:
- Initial access: Phishing, compromised credentials, or unpatched perimeter services.
- Local foothold: Attacker gains low-privilege code execution (standard user).
- BlueHammer escalation: Exploit CVE-2026-33825 to elevate to SYSTEM.
- Ransomware deployment: With SYSTEM privileges, deploy ransomware across the environment, disable security tools, and exfiltrate data.
Despite the patch being over 10 weeks old, tens of thousands of systems remain vulnerable. Organizations that have deferred April 2026 Windows updates are directly exposed.
Fix
Apply the April 2026 Windows security updates. No workaround or mitigation is available — the only remediation is patching. Microsoft has not released any out-of-band or supplementary guidance beyond the standard April Patch Tuesday updates.
Recommendations
- Patch immediately: This is the single most critical action. Any unpatched Windows system is vulnerable through its own Defender installation.
- Audit patch compliance: Scan your environment for systems missing the April 2026 cumulative update. Prioritize internet-facing and high-value assets.
- Detect exploitation: Monitor for unexpected SYSTEM-level process creation from Defender binaries, unusual file operations in temporary directories, and anomalous inter-process communication patterns.
- Assume compromise: If patching has been deferred and no detection controls were in place, conduct a compromise assessment — particularly looking for lateral movement and credential theft originating from unpatched endpoints.
- Review CISA KEV catalog: BlueHammer is one of multiple actively exploited vulnerabilities this quarter. Ensure all KEV-listed CVEs are addressed.
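As an added example (not from the advisory or from Microsoft), a small detector for the "Detect exploitation" item above: it flags SYSTEM-level child processes of Defender binaries that fall outside an expected baseline, run over constructed Sysmon-style process-creation records. The Defender binary names are the real service executables; the expected-children baseline, the DEF_DIR path placeholder and the sample records are assumptions to tune per environment.

```python
"""Flag SYSTEM-level child processes spawned by Microsoft Defender binaries
that are not on an expected-children baseline, with a distinct reason for
images launched from temp directories. Input is constructed Sysmon-style
Event ID 1 records, not real telemetry; EXPECTED_CHILDREN and DEF_DIR are
assumptions to tune locally."""
import ntpath

DEFENDER_BINARIES = {"msmpeng.exe", "nissrv.exe", "mpcmdrun.exe"}
EXPECTED_CHILDREN = {"mpcmdrun.exe", "mpsigstub.exe"}   # assumed baseline
SYSTEM_USER = "nt authority\\system"
TEMP_MARKERS = ("\\temp\\",)   # matches ...\AppData\Local\Temp\ and C:\Windows\Temp\
DEF_DIR = r"C:\ProgramData\Microsoft\Windows Defender\Platform\VERSION"  # placeholder

SAMPLE_EVENTS = [  # constructed records
    {"EventID": 1, "ParentImage": DEF_DIR + r"\MsMpEng.exe",
     "Image": DEF_DIR + r"\MpCmdRun.exe", "User": r"NT AUTHORITY\SYSTEM"},
    {"EventID": 1, "ParentImage": DEF_DIR + r"\MsMpEng.exe",
     "Image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "User": r"NT AUTHORITY\SYSTEM"},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe", "User": r"CORP\alice"},
    {"EventID": 1, "ParentImage": DEF_DIR + r"\MsMpEng.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "User": r"NT AUTHORITY\SYSTEM"},
]

def _base(path):
    """Case-folded file name of a Windows path."""
    return ntpath.basename(path).lower()

def classify(event):
    """Return a reason string if the record trips the rule, else None."""
    if event.get("EventID") != 1:           # only process-creation records
        return None
    parent, child = _base(event["ParentImage"]), _base(event["Image"])
    if parent not in DEFENDER_BINARIES or event["User"].lower() != SYSTEM_USER:
        return None
    if child in EXPECTED_CHILDREN:          # normal Defender behaviour
        return None
    if any(m in event["Image"].lower() for m in TEMP_MARKERS):
        return f"SYSTEM child of {parent} launched from a temp directory: {event['Image']}"
    return f"unexpected SYSTEM child of {parent}: {child}"

def detect(events):
    """Return [(index, reason)] for every record that trips the rule."""
    hits = [(i, classify(e)) for i, e in enumerate(events)]
    return [(i, r) for i, r in hits if r]

if __name__ == "__main__":
    for i, reason in detect(SAMPLE_EVENTS):
        print(f"[ALERT] event #{i}: {reason}")
```

Feed the same rule real Sysmon or EDR process-creation telemetry and baseline EXPECTED_CHILDREN from a patched reference host before alerting on it.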
References
- Microsoft Security Response Center — CVE-2026-33825
- CISA Known Exploited Vulnerabilities Catalog
- CISA Advisory on BlueHammer Ransomware Campaigns (June 2026)
Part of the Vulnerability Intelligence series. See the June 30, 2026 VIR.
