CVE-2026-33825

What is Microsoft Defender?

Microsoft Defender (formerly Windows Defender) is the built-in antimalware and endpoint protection platform included with every installation of Windows 10, Windows 11, and Windows Server 2019 and later. Its core component — the Microsoft Defender Antimalware Platform (MsMpEng.exe) — runs as a SYSTEM-privileged service and is responsible for scanning files, remediating detected threats, and enforcing real-time protection.

Because Defender runs with the highest privilege level on every modern Windows system and performs privileged file operations as part of its normal security function, vulnerabilities in its remediation engine are particularly dangerous: an attacker exploiting Defender itself turns the security tool into an escalation vector. Defender is enabled by default on essentially every Windows endpoint that hasn't deployed a third-party AV — making the attack surface essentially the entire Windows ecosystem.

Overview

CVE-2026-33825 is a local privilege escalation (LPE) vulnerability in Microsoft Defender, publicly known as BlueHammer. The flaw is rooted in a time-of-check to time-of-use (TOCTOU) race condition in Defender's threat remediation engine. When Defender detects and remediates a malicious file, it performs privileged file operations under SYSTEM-level authority. By exploiting a race window in the path validation logic — using Windows filesystem primitives (oplocks and directory junctions) — a low-privileged attacker can redirect those SYSTEM-level writes to an arbitrary location, overwriting legitimate system binaries with attacker-controlled payloads. When the overwritten binary is subsequently executed by the system, the attacker achieves full SYSTEM-level code execution.

CVE-2026-33825 was disclosed alongside two related, as-yet-unpatched Defender flaws ("RedSun" and "UnDefend") by the researcher known as Chaotic Eclipse, who criticized Microsoft's handling of all three issues.

Affected Versions

The Antimalware Platform version is separate from Windows version. It updates automatically through Windows Update and Microsoft Defender definition updates — no manual download is typically required. Organizations with restricted update policies or managed Windows environments should verify the platform version explicitly.

To check your Antimalware Platform version:

• Open Windows Security → Virus & threat protection → Virus & threat protection updates → scroll to "Antimalware platform" version
• Or run: Get-MpComputerStatus | Select-Object AMProductVersion in PowerShell

Technical Details

BlueHammer Exploit: TOCTOU Race in Defender's Remediation Engine

The vulnerability exploits a time-of-check to time-of-use (TOCTOU) flaw in how Microsoft Defender handles file paths during malware cleanup:

1. Detection phase: Defender's SYSTEM-privileged MsMpEng.exe process detects a file flagged as malicious and initiates remediation
2. Path validation: Defender checks the file path before beginning the privileged write operation
3. Race window: Between the path check and the actual write, there is a brief window during which the attacker can alter the filesystem state
4. Oplock exploitation: The attacker places an opportunistic lock (oplock) on a file in the path. When Defender opens this file, the oplock pauses Defender's operation and notifies the attacker
5. Junction swap: While Defender is paused, the attacker replaces a directory in the path with a directory junction (a symlink-like filesystem construct on Windows) pointing to a privileged system directory
6. Redirected write: When the oplock is released, Defender resumes — but now follows the junction and writes to the attacker-controlled redirected location, under its full SYSTEM privileges
7. Overwrite and execute: The attacker's chosen target is a legitimate system service binary. Once overwritten with a malicious payload and the service is restarted, the attacker achieves SYSTEM-level code execution

This technique requires only low user privileges — it does not require administrative access or any social engineering of a privileged user.

Attack Chain Context: BlueHammer + RedSun + UnDefend

CVE-2026-33825 (BlueHammer) was disclosed as part of a cluster of three Defender zero-days revealed within a 13-day window in April 2026:

RedSun abuses Defender's cloud-file rollback mechanism: when Defender detects a cloud-tagged file, it attempts to restore the file to its original location without validating the target path, allowing an attacker to redirect the write into a privileged system directory — achieving the same SYSTEM overwrite result as BlueHammer via a different code path.

UnDefend allows a standard (non-admin) user to block Defender from receiving definition updates, gradually degrading its ability to detect new threats — effectively impairing the host's endpoint protection over time.

Together, the three exploits describe a playbook: escalate privileges (BlueHammer or RedSun), then blind the defender (UnDefend) to cover subsequent activity.

Discovery

CVE-2026-33825 was discovered and publicly disclosed by security researcher Chaotic Eclipse, who released the exploit under the name BlueHammer. The researcher disclosed all three vulnerabilities (BlueHammer, RedSun, UnDefend) publicly, criticizing Microsoft's response and patch timeline for the unpatched variants. The disclosure included working proof-of-concept code, which was quickly weaponized.

Security researcher Will Dormann independently confirmed the BlueHammer exploit was functional on fully patched pre-fix Windows systems.

Exploitation Context

CISA added CVE-2026-33825 to the KEV catalog on April 22, 2026 — eight days after the initial disclosure — based on evidence of active exploitation in the wild.

Huntress observed real-world exploitation artifacts in customer environments: binaries staged in low-privilege user directories, including:

• Pictures\ folders
• Two-letter subfolders within Downloads\

Filenames observed included those from the original PoC repositories (FunnyApp.exe, RedSun.exe) as well as renamed variants (z.exe), indicating both direct use of public PoC tooling and early customization by threat actors.

The PoC's widespread availability through researcher channels and underground forums accelerated weaponization, with exploitation activity observed within days of the April 14 disclosure. Microsoft assessed the exploitability as "Exploitation More Likely" in its MSRC advisory — a designation reserved for vulnerabilities where Microsoft assesses functional exploit code will be produced.

Remediation

1. Verify Microsoft Defender Antimalware Platform version — ensure all Windows endpoints are running version 4.18.26030.3011 or later. Check via PowerShell: Get-MpComputerStatus | Select-Object AMProductVersion

2. Ensure Windows Update and Defender definition updates are not blocked — the Antimalware Platform update is delivered through Windows Update and Defender's automatic update mechanism. Organizations using WSUS, SCCM/Intune, or GPO-based update controls should verify that platform updates are approved and flowing. Check for:

   • Group Policy: Computer Configuration → Administrative Templates → Windows Components → Microsoft Defender Antivirus
   • WSUS/Intune: confirm Defender definition update approvals are not restricted

3. For air-gapped or update-restricted environments: manually deploy the updated platform package from Microsoft's Antimalware Platform update baseline page.

4. Hunt for exploitation indicators: search endpoints for binaries in %USERPROFILE%\Pictures\, %USERPROFILE%\Downloads\[two-letter folder]\ named FunnyApp.exe, RedSun.exe, z.exe, or other unusual executables in user-writable directories. Investigate any recent unexpected service binary replacements or privilege escalation events in EDR telemetry.

5. Monitor for the unpatched companion flaws (RedSun, UnDefend): while no CVE or patch existed at time of disclosure, watch vendor advisories and apply patches when available. Defender definition update disruption (UnDefend) can be detected by monitoring MpCmdRun.exe and Defender update event logs for unexplained update failures on healthy endpoints.