A recent vulnerability in Microsoft Defender has been actively exploited as a zero-day, causing concern among cybersecurity professionals. The flaw, identified as CVE-2026-33825 with a CVSS score of 7.8, was disclosed by a researcher known as Chaotic Eclipse on April 2. It involves a privilege escalation bug due to insufficient access control, and a proof-of-concept exploit was made publicly available, intensifying interest in its application. Dubbed BlueHammer, this vulnerability uses a time-of-check to time-of-use (TOCTOU) exploit in Defender's signature update mechanism, allowing attackers with low privileges to escalate to System permissions.

Huntress, a cybersecurity firm, reported that the first attacks using this public proof-of-concept were detected on April 10, with more activity observed shortly after. Attackers accessed systems through FortiGate SSL VPNs and deployed three techniques: BlueHammer, RedSun, and UnDefend. BlueHammer exploits Defender's signature updates to access the Security Account Manager database, while RedSun manipulates system files to gain privileges. UnDefend disrupts Defender by locking definition files, hindering its operation.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has responded by adding CVE-2026-33825 to its Known Exploited Vulnerabilities catalog, mandating federal agencies to apply the patch by May 6. Though initial attacks were not entirely successful, they highlight the urgency for organizations to reassess their security postures and swiftly implement the available patch to protect their networks.