- CISA has added BlueHammer, a Microsoft Defender privilege escalation vulnerability, to its catalog of known exploited vulnerabilities.
- Federal agencies have until May 6 to patch or stop using the affected software, after researchers confirmed active exploitation in the wild.
- The disclosure came from “Chaotic Eclipse,” who also revealed two other Defender zero-days, with Huntress Labs linking exploitation attempts to suspicious global infrastructure.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added BlueHammer to its Catalog of Known Exploited Vulnerabilities (KEVs), giving Federal Civilian Executive Branch (FCEB) agencies a two-week deadline to update or completely stop using the vulnerable software.
BlueHammer is described as an “insufficient access control granularity vulnerability in Microsoft Defender”, which allows unauthorized attackers to elevate privileges locally. It is tracked as CVE-2026-33825 and received a severity score of 7.8/10 (high).
It was first leaked in early April this year by an apparently disgruntled security researcher using the pseudonym “Chaotic Eclipse.” They posted the vulnerability on their blog, as a zero-day at the time, because they were unhappy with how Microsoft handled vulnerability disclosures.
RedSun and unDefend
“I didn’t bluff Microsoft and I’m doing it again,” they said before sharing a GitHub repository for BlueHammer.
Microsoft responded by saying it was committed “to our customers to investigate reported security issues and update affected devices to protect customers as soon as possible.”
“We also support coordinated vulnerability disclosure, a widely adopted industry practice that helps ensure that issues are thoroughly investigated and resolved before public disclosure, supporting both customer protection and the security research community,” Microsoft said.
A week later, the same researcher revealed another zero-day vulnerability in Microsoft Defender. This one, called RedSun, is described as a local privilege escalation flaw that grants malicious actors SYSTEM privileges in the latest versions of Windows 10, Windows 11, and Windows Server, where Defender is enabled.
They also released a third flaw, called unDefend, which can apparently be exploited as a standard user, to block Defender definition updates.
When CISA adds a vulnerability to the KEV catalog, it means the agency has evidence that the flaw is being actively exploited in the wild. FCEB agencies have until May 6 to patch.
At the same time, security researchers at Huntress Labs said they had seen attackers abusing the vulnerabilities in the wild.
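For an administrator working through the patch deadline above, and the unDefend claim that definition updates can be blocked from a standard user account, the practical question on each host is whether Defender is current. The following PowerShell check is an added example, not code from the article, from CISA or from Microsoft. It uses only documented cmdlets (Get-MpComputerStatus, Get-WinEvent) and the Defender operational log's event ID 2001, which records a failed signature update. The parameters $MaxSignatureAgeDays and $MinPlatformVersion are assumptions: the article does not state a fixed platform build for CVE-2026-33825, so the version baseline is left as a placeholder to be filled in from Microsoft's advisory.

```powershell
# Added example (not from the article): report whether Microsoft Defender on this
# host is running, whether its definitions are stale or failing to update, and
# whether the platform version meets a baseline. Run in an elevated PowerShell.
param(
    [int]$MaxSignatureAgeDays = 2,                     # assumption: tolerate two days of signature age
    [version]$MinPlatformVersion = [version]'0.0.0.0'  # placeholder: set to the patched platform version from Microsoft's advisory
)

$status   = Get-MpComputerStatus
$findings = @()

# Service and real-time protection state.
if (-not $status.AMServiceEnabled) {
    $findings += 'Defender antimalware service is not enabled.'
}
if (-not $status.RealTimeProtectionEnabled) {
    $findings += 'Real-time protection is disabled.'
}

# Stale definitions: AntivirusSignatureAge is reported in days.
if ($status.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
    $findings += ('Antivirus signatures are {0} day(s) old (last updated {1}).' -f
        $status.AntivirusSignatureAge, $status.AntivirusSignatureLastUpdated)
}

# Platform build below the expected baseline (AMProductVersion is a dotted string).
if ([version]$status.AMProductVersion -lt $MinPlatformVersion) {
    $findings += ('Defender platform {0} is below baseline {1}.' -f
        $status.AMProductVersion, $MinPlatformVersion)
}

# Recent failed signature updates: event ID 2001 in the Defender operational log.
# Get-WinEvent errors when no events match, so that case is suppressed.
$failedUpdates = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 2001
    StartTime = (Get-Date).AddDays(-$MaxSignatureAgeDays)
} -ErrorAction SilentlyContinue
if ($failedUpdates) {
    $findings += ('{0} failed signature update(s) logged in the last {1} day(s).' -f
        @($failedUpdates).Count, $MaxSignatureAgeDays)
}

# Emit a single object so the result can be collected across many hosts.
[pscustomobject]@{
    ComputerName         = $env:COMPUTERNAME
    PlatformVersion      = $status.AMProductVersion
    EngineVersion        = $status.AMEngineVersion
    SignatureVersion     = $status.AntivirusSignatureVersion
    SignatureLastUpdated = $status.AntivirusSignatureLastUpdated
    SignatureAgeDays     = $status.AntivirusSignatureAge
    Findings             = $findings
}

# Non-zero exit code lets a management tool flag hosts that need attention.
if ($findings.Count -gt 0) { exit 1 } else { exit 0 }
```

A host that reports a stale signature age together with recent 2001 events is the pattern an update-blocking attack would leave; a host whose platform version sits below the baseline is the one the KEV deadline applies to. Both conditions are worth collecting centrally rather than checked by hand.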
“The activity also appears to be part of a broader intrusion rather than isolated proof-of-concept (PoC) testing,” the cybersecurity firm said in a report. “Huntress identified suspicious FortiGate SSL VPN access linked to the compromised environment, including a geolocated source IP address in Russia, with additional suspicious infrastructure observed in other regions.”
Via BleepingComputer