
CISA: Windows BlueHammer flaw now exploited by ransomware gangs

Why This Matters

The BlueHammer vulnerability in Microsoft Defender, a local privilege escalation flaw, is now being exploited by ransomware gangs. A bug in the access controls of security software that ships with Windows gives an attacker who already has a foothold on a machine a route to SYSTEM, which is exactly the step ransomware operators need before disabling defenses and encrypting data. Organizations and consumers should apply the April 2026 security updates promptly and watch for signs of post-exploitation activity on machines that were exposed before patching.

Key Takeaways

CISA confirmed on Monday that ransomware gangs have begun exploiting a high-severity Microsoft Defender privilege escalation vulnerability that has previously been abused in zero-day attacks.

Dubbed BlueHammer, the security flaw (CVE-2026-33825) was publicly disclosed by a security researcher known as "Nightmare Eclipse" in early April, together with proof-of-concept exploit code, in protest at how the Microsoft Security Response Center (MSRC) handles the disclosure process.

"Insufficient granularity of access control in Microsoft Defender allows an authorized attacker to elevate privileges locally," Microsoft explains in a security advisory.

Will Dormann, principal vulnerability analyst at Tharros, told BleepingComputer in April that while the issue is not easy to exploit, it gives local attackers access to the Security Account Manager (SAM) database, which contains password hashes for local accounts.

With this access, they can escalate to SYSTEM privileges and potentially take complete control of the targeted system.

"At that point, [the attackers] basically own the system, and can do things like spawn a SYSTEM-privileged shell," Dormann said.

Exploit demo (Will Dormann)

Microsoft patched the vulnerability on April 14 as part of the April 2026 Patch Tuesday. However, days later, Huntress Labs security researchers revealed that threat actors had been exploiting it as a zero-day in attacks that showed evidence of "hands-on-keyboard threat actor activity."
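Because the fix for CVE-2026-33825 is part of the April 2026 Patch Tuesday updates, the practical question for an administrator is whether a given machine actually received it. The script below is an added example, not code from the article, from Microsoft, or from the researchers it cites. It reports the local Defender platform and engine versions (real fields of Get-MpComputerStatus) and whether a given Windows update is installed. The KB number and the minimum platform version are not stated on this page: both are placeholder parameters that must be replaced with the values from Microsoft's advisory for the CVE before the result means anything.

```powershell
# Added example: check a machine's patch state for the BlueHammer fix (CVE-2026-33825).
# Not from the article or Microsoft. $RequiredKB and $MinPlatformVersion are
# placeholders; take the real values from the MSRC advisory for this CVE.
param(
    [string]$RequiredKB = 'KB0000000',         # placeholder, fill from the MSRC advisory
    [version]$MinPlatformVersion = '0.0.0.0',  # placeholder, fill from the MSRC advisory
    [string[]]$ComputerName = @($env:COMPUTERNAME)
)

function Get-BlueHammerPatchState {
    param([string]$Computer, [string]$KB, [version]$MinPlatform)

    # Defender status: AMProductVersion is the antimalware platform build,
    # AMEngineVersion is the scan engine build.
    $mp = if ($Computer -eq $env:COMPUTERNAME) {
        Get-MpComputerStatus
    } else {
        Invoke-Command -ComputerName $Computer -ScriptBlock { Get-MpComputerStatus }
    }

    # Get-HotFix reads Win32_QuickFixEngineering, which records Windows updates
    # (cumulative updates included) but not Defender platform updates delivered
    # through the antimalware update channel. Both signals are therefore reported.
    $hotfix = Get-HotFix -Id $KB -ComputerName $Computer -ErrorAction SilentlyContinue

    $platform = [version]$mp.AMProductVersion
    [pscustomobject]@{
        Computer           = $Computer
        PlatformVersion    = $platform
        EngineVersion      = $mp.AMEngineVersion
        RealTimeProtection = $mp.RealTimeProtectionEnabled
        KBInstalled        = [bool]$hotfix
        InstalledOn        = $hotfix.InstalledOn
        PlatformAtOrAbove  = ($platform -ge $MinPlatform)
        # The article says the fix shipped with Patch Tuesday, so the KB is the
        # primary signal; the platform comparison is a secondary check.
        LikelyPatched      = [bool]$hotfix
    }
}

$ComputerName | ForEach-Object {
    Get-BlueHammerPatchState -Computer $_ -KB $RequiredKB -MinPlatform $MinPlatformVersion
} | Format-Table -AutoSize
```

Run it as an administrator; remote checks need WinRM enabled on the target. A machine that shows KBInstalled as false but was online before April 14 should be treated as potentially exposed to the zero-day activity Huntress described, not merely unpatched.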

Over the past several months, Nightmare Eclipse has disclosed multiple other Windows zero-day exploits, including for the RoguePlanet, RedSun, GreenPlasma, MiniPlasma, YellowKey, and UnDefend flaws.

Some of these vulnerabilities affect Microsoft Defender, while others target BitLocker and Windows components.
