Mallory
Severity: High | CISA KEV | Exploited in the wild | Public exploit

BlueHammer

Identifiers: CVE-2026-33825, CWE-284

CVE-2026-33825, also referred to as BlueHammer, is a local elevation of privilege vulnerability in Microsoft Defender. Microsoft describes it as an insufficient granularity of access control issue, and multiple supporting reports characterize the underlying bug as a TOCTOU race condition in Defender’s threat remediation engine. Successful exploitation allows an authorized local attacker to abuse Defender’s privileged remediation behavior and escalate privileges to SYSTEM. The flaw was publicly disclosed before patching, proof-of-concept exploit code was released, and exploitation in the wild was subsequently reported. Microsoft patched the issue in its April 2026 Patch Tuesday updates.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

An attacker who already has local code execution in a low-privilege context can elevate to SYSTEM on affected hosts where Microsoft Defender is enabled. This can result in full local compromise of the endpoint, including the ability to disable or tamper with defenses, access or modify protected data, install persistence, dump credentials, and use the compromised system for further lateral movement. The vulnerability was reported as actively exploited in the wild and was added to CISA’s Known Exploited Vulnerabilities catalog.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching cannot be verified, prioritize ensuring Microsoft Defender is fully updated through automatic updates, validate endpoint coverage, and monitor for signs of local privilege escalation or abnormal Defender remediation behavior. Because the issue is local and requires prior access, reducing opportunities for unprivileged code execution, restricting local logon and execution paths, and hardening post-compromise controls can reduce exposure. No vendor mitigation beyond applying the update is given in the available advisory content.

Remediation

Patch, then assume compromise.

Apply Microsoft’s April 2026 security update for CVE-2026-33825. Supporting content indicates the fix is delivered through Microsoft Defender updates and is automatically applied for customers with Defender automatic updates enabled. Organizations should verify that affected systems have received the relevant Defender engine/platform update and confirm patch coverage across endpoints.
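As an added example (not from Mallory, Microsoft, or the PoC repository), a PowerShell check that covers both the remediation step above and the assume-compromise angle: it compares the host's Defender platform and engine versions against minimum versions and verifies that TieringEngineService.exe, the binary the public PoC overwrites, still carries a valid Microsoft Authenticode signature. The fixed version numbers are not given on this page, so the $MinPlatformVersion and $MinEngineVersion defaults are placeholders to replace with the values from Microsoft's April 2026 advisory.

```powershell
# Added example: post-patch verification for CVE-2026-33825 (BlueHammer).
# PLACEHOLDER defaults: set these to the Defender platform/engine versions Microsoft lists as fixed.
param(
    [version]$MinPlatformVersion = [version]'0.0.0.0',   # PLACEHOLDER: fixed Defender platform version
    [version]$MinEngineVersion   = [version]'0.0.0.0'    # PLACEHOLDER: fixed Defender engine version
)

$status   = Get-MpComputerStatus
$findings = @()

# 1. The bug lives in Defender's remediation engine, so the check only matters where Defender is active.
if (-not $status.AntivirusEnabled) {
    $findings += 'Defender antivirus is not enabled; confirm which product protects this host.'
}

# 2. Compare the installed platform and engine versions with the fixed versions.
if ([version]$status.AMProductVersion -lt $MinPlatformVersion) {
    $findings += "Defender platform $($status.AMProductVersion) is below the fixed version $MinPlatformVersion."
}
if ([version]$status.AMEngineVersion -lt $MinEngineVersion) {
    $findings += "Defender engine $($status.AMEngineVersion) is below the fixed version $MinEngineVersion."
}
if ($status.DefenderSignaturesOutOfDate) {
    $findings += 'Defender signatures are out of date; automatic updates may not be reaching this host.'
}

# 3. Assume-compromise check: the public PoC plants a copy of itself as TieringEngineService.exe.
#    The legitimate binary carries a valid Microsoft Authenticode signature; anything else is suspect.
$target = Join-Path $env:WINDIR 'System32\TieringEngineService.exe'
if (Test-Path $target) {
    $sig = Get-AuthenticodeSignature -FilePath $target
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
        $findings += "$target is not validly Microsoft-signed (status: $($sig.Status)); treat the host as compromised."
    }
}

# Emit one object per host so the results can be collected across a fleet (e.g. via Invoke-Command).
[pscustomobject]@{
    ComputerName    = $env:COMPUTERNAME
    PlatformVersion = $status.AMProductVersion
    EngineVersion   = $status.AMEngineVersion
    Findings        = $findings
}
```

Run it elevated on each endpoint, or wrap it in Invoke-Command against a host list, and treat any non-empty Findings array as a host that needs follow-up.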
PUBLIC EXPLOITS

Exploits

1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos (5 hidden).

Valid: 1 / 6 total
Maturity: PoC (verified exploit)

Small Windows-focused exploit repository for CVE-2026-33825 containing a single substantive source file, src/main.cpp, built with CMake. The code is a local privilege-escalation style PoC rather than a remote exploit. It uses low-level Windows and NT native APIs from ntdll.dll, plus Cloud Files API headers/libraries, to manipulate filesystem objects, enumerate object-manager directories, and set reparse points/mount points. The exploit workflow appears to prepare filesystem redirection primitives, race or coerce privileged file operations, then open \??\C:\Windows\System32\TieringEngineService.exe with FILE_SUPERSEDE semantics. After successful overwrite/placement, it copies its own executable into %WINDIR%\System32\TieringEngineService.exe and invokes LaunchTierManagementEng() to trigger execution. Repository structure is minimal: CMakeLists.txt for building, a short README naming CVE-2026-33825, and one large C++ implementation file. No network communication, C2, or external URLs are present; the exploit is entirely local and centered on Windows filesystem/object-manager abuse and privileged binary planting.

Author: Joe1sn. Disclosed May 2, 2026. Tags: cpp, cmake, local.
EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability.

Vendor                 | Product                        | Type
Microsoft Corporation  | Defender                       | application
Microsoft Corporation  | Defender Antimalware Platform  | application
Microsoft Corporation  | Microsoft Defender             | application

Vendor-confirmed product mapping.
