- CISA added BlueHammer, a Microsoft Defender privilege escalation flaw, to its catalog of known exploited vulnerabilities.
- Federal agencies have until May 6 to patch or stop using the software, after researchers confirmed active exploitation in the wild.
- The revelation came from “Chaotic Eclipse,” who also revealed two other Defender zero-days, with Huntress Labs linking exploit attempts to suspicious global infrastructure.
The US Cybersecurity and Infrastructure Security Agency (CISA) has added BlueHammer to its catalog of known exploited vulnerabilities (KEV), giving Federal Civilian Executive Branch (FCEB) agencies a two-week deadline to patch or completely stop using the vulnerable software.
BlueHammer is described as an “insufficient granularity of access control in Microsoft Defender” that allows unauthorized attackers to elevate privileges locally. It is tracked as CVE-2026-33825 and received a severity score of 7.8/10 (high).
It was first revealed in early April this year by an apparently disgruntled security researcher using the alias “Chaotic Eclipse”. They published the vulnerability on their blog, as a zero-day at the time, because they were not satisfied with how Microsoft handles vulnerability disclosures.
RedSun and unDefend
“I didn’t bluff Microsoft, and I’m doing it again,” they said, before sharing a GitHub repository for BlueHammer.
Microsoft responded by saying it has a “customer obligation to investigate reported security issues and update affected devices to protect customers as quickly as possible.”
“We also support coordinated vulnerability disclosure, a widely used industry practice that helps ensure issues are carefully investigated and addressed before public disclosure, supporting both customer protection and the security research community,” Microsoft said.
A week later, the same researcher revealed another zero-day vulnerability in Microsoft Defender. This one, called RedSun, is described as a local privilege escalation flaw that grants malicious actors SYSTEM privileges in the latest versions of Windows 10, Windows 11 and Windows Server where Defender is enabled.
They also released a third bug, called unDefend, which can apparently be exploited as a default user to block Defender definition updates.
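The reported effect of unDefend is that Defender stops receiving definition updates, which is something an administrator can check for directly. The following PowerShell snippet is an added example, not code from the article or from any of the parties it names; it uses the built-in Defender cmdlets and assumes a maximum acceptable signature age of two days (an arbitrary value to adjust to your own update cadence).

```powershell
# Added example: flag endpoints whose Defender definitions have stopped
# updating, the effect attributed to unDefend. Uses the built-in Defender
# module; $maxAgeDays is an assumed threshold, not a value from the article.
$maxAgeDays = 2

$status = Get-MpComputerStatus

$report = [pscustomobject]@{
    Computer             = $env:COMPUTERNAME
    EngineVersion        = $status.AMEngineVersion
    PlatformVersion      = $status.AMProductVersion
    SignatureVersion     = $status.AntivirusSignatureVersion
    SignatureLastUpdated = $status.AntivirusSignatureLastUpdated
    SignatureAgeDays     = $status.AntivirusSignatureAge
    Stale                = ($status.AntivirusSignatureAge -gt $maxAgeDays)
}
$report | Format-List

if ($report.Stale) {
    # Stale signatures on a machine that should be updating automatically are
    # worth a closer look: attempt a manual update and record whether it succeeds.
    Write-Warning "Defender signatures are $($report.SignatureAgeDays) days old; attempting a manual update."
    try {
        Update-MpSignature -ErrorAction Stop
        Write-Output "Manual signature update succeeded; check why scheduled updates were not applied."
    }
    catch {
        Write-Warning "Manual signature update failed: $($_.Exception.Message). Treat as a possible blocked-update condition and investigate the host."
    }
}
```

Run it under an elevated prompt across a fleet (for example via your existing remote-management tooling) and compare the recorded engine and platform versions against the fixed builds Microsoft publishes for these CVEs; hosts that are both stale and on an unpatched platform version are the ones to prioritise.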
When CISA adds a vulnerability to KEV, it means it has evidence that it is being actively exploited in the wild. FCEB agencies have until May 6 to patch.
At the same time, security researchers from Huntress Labs said they have seen malicious actors exploit the flaws in the wild.
“The activity also appeared to be part of a broader intrusion rather than isolated proof-of-concept (PoC) testing,” the cybersecurity firm said in a report. “Huntress identified suspicious FortiGate SSL VPN access linked to the compromised environment, including a source IP geolocated to Russia, with additional suspicious infrastructure observed in other regions.”
Via Bleeping Computer