CVE-2026-33825: Microsoft Defender 'BlueHammer' LPE

In April 2026, the cybersecurity landscape was disrupted when a security researcher operating under the alias Chaotic Eclipse (aka Nightmare-Eclipse) published three fully functional zero-day exploits targeting Windows Defender: BlueHammer, RedSun, and UnDefend. This public disclosure was an act of protest against Microsoft’s vulnerability handling process.

CVE-2026-33825 corresponds to the BlueHammer exploit. It is a critical Local Privilege Escalation (LPE) vulnerability (CVSS 7.8) rooted in a race condition within Defender’s threat remediation engine. Due to insufficient granularity of access control (CWE-1220), an authenticated local attacker can manipulate file operations during a malware quarantine event to elevate their privileges from a standard user to NT AUTHORITY\SYSTEM.

Security firms, including Huntress Labs, have confirmed that threat actors are actively using the BlueHammer PoC in live intrusions, executing it after initial network reconnaissance to achieve full endpoint compromise.

The vulnerability exists in how the Defender service (MsMpEng.exe), which executes with SYSTEM privileges, performs file operations during the cleanup or quarantine of a detected malicious file.

When Defender detects a threat, it begins remediation. However, it performs privileged file operations without validating the target path at the exact time of the write operation, creating a classic Time-of-Check to Time-of-Use (TOCTOU) vulnerability.

The BlueHammer exploit weaponizes this by forcing Defender to detect a dummy malicious file. As Defender attempts to remediate it, the exploit uses an opportunistic lock (oplock) to pause the operation mid-flight. During this pause, the attacker inserts an NTFS junction point, redirecting the write operation from the temporary user directory to a protected system directory like C:\Windows\System32. When the oplock is released, Defender blindly writes the attacker’s payload into the protected path as SYSTEM.

Based on the publicly available PoC and incident response observations, the attack chain unfolds as follows:

  1. Initial Access & Recon: The threat actor gains standard user access (e.g., via compromised SSLVPN credentials) and performs basic enumeration (whoami /priv, net group).
  2. Bait Placement: The attacker drops the BlueHammer exploit binaries into a standard directory (e.g., Downloads or Pictures) and renames them to avoid suspicion.
  3. Triggering Remediation: The exploit drops a known malware signature (like an EICAR string) to force MsMpEng.exe to initiate a quarantine action.
  4. Oplock & Junction Abuse: The exploit pauses the Defender process using an opportunistic lock and swaps the directory with an NTFS junction pointing to C:\Windows\System32.
  5. System Compromise: Defender resumes and moves an attacker-controlled DLL or binary into the protected directory, which is subsequently executed to grant a SYSTEM shell.

Investigating BlueHammer (and its sibling RedSun) requires hunting for precise file system anomalies surrounding the Defender service.

  • Suspicious Junction Creation: Search for the creation of mount points or junctions in temporary or public directories immediately preceding a Defender remediation event.
  • Oplock Abuse: Advanced EDR threat hunting should focus on anomalous opportunistic locks being placed on files actively being scanned by MsMpEng.exe.
  • Unexpected Writes to System32: Monitor for file creation events in C:\Windows\System32 where the initiating process is Windows Defender (MsMpEng.exe).

Deploy the following Sigma rule to proactively detect the junction abuse associated with the BlueHammer exploit.

sigma_defender_bluehammer_abuse.yaml

    title: Suspicious Junction Creation for Defender LPE (BlueHammer/CVE-2026-33825)
    id: 9f8e7d6c-5b4a-3f2e-1d0c-8b7a6f5e4d3c
    status: experimental
    description: Detects the creation of directory junctions in user-writable paths targeting System32, mimicking the BlueHammer TOCTOU exploit methodology against Windows Defender.
    logsource:
      category: process_creation
      product: windows
    detection:
      selection:
        Image|endswith: '\cmd.exe'
        CommandLine|contains|all:
          - 'mklink'
          - '/j'
          - 'C:\Windows\System32'
      condition: selection
    level: high
    tags:
      - attack.privilege_escalation
      - attack.t1548
      - cve.2026-33825

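
The three hunting signals above and the Sigma rule key on the same two observables: a junction created in a user-writable path that points at a protected directory, and a file written under System32 by MsMpEng.exe. The Python script below is an added example, not part of the original write-up or of the Huntress reporting it cites. It applies the Sigma rule's command-line logic and the System32-write check to a handful of constructed Sysmon-style events (Event ID 1 process creation and Event ID 11 file creation; field names follow Sysmon, every value including the file names, user and timestamps is made up) and correlates the two within a short window. The command-line check only sees junctions created through cmd.exe's mklink, so a lone Defender write into System32 is still raised on its own at medium severity rather than dropped.

```python
"""Correlate Sysmon-style events for BlueHammer-like behaviour.

Two observables from the write-up are checked and joined:
  * Event ID 1 (process creation): cmd.exe running `mklink /J` with a protected
    system directory on the command line (the Sigma rule's logic)
  * Event ID 11 (file create): MsMpEng.exe creating a file under System32
All events in SAMPLE_EVENTS are constructed for this example, not real telemetry.
"""
from datetime import datetime, timedelta

# Directories Defender should never be writing into on a standard user's behalf.
PROTECTED_PREFIXES = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Constructed Sysmon-style events; field names follow Sysmon, values are made up.
SAMPLE_EVENTS = [
    # Junction from a user-writable directory to System32 (the Sigma rule's pattern).
    {"EventID": 1, "UtcTime": "2026-04-10 12:00:00.000", "User": "CORP\\alice",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c mklink /J C:\\Users\\alice\\Pictures\\stage C:\\Windows\\System32"},
    # Normal quarantine write: Defender writing into its own quarantine store.
    {"EventID": 11, "UtcTime": "2026-04-10 12:00:02.500",
     "Image": "C:\\Program Files\\Windows Defender\\MsMpEng.exe",
     "TargetFilename": "C:\\ProgramData\\Microsoft\\Windows Defender\\Quarantine\\Entries\\entry01"},
    # Redirected write: Defender (running as SYSTEM) creating a file under System32.
    {"EventID": 11, "UtcTime": "2026-04-10 12:00:04.000",
     "Image": "C:\\Program Files\\Windows Defender\\MsMpEng.exe",
     "TargetFilename": "C:\\Windows\\System32\\payload.dll"},
    # Benign junction between two user directories: must not fire.
    {"EventID": 1, "UtcTime": "2026-04-10 12:05:00.000", "User": "CORP\\alice",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c mklink /J C:\\Users\\alice\\link C:\\Users\\alice\\Documents"},
    # Servicing stack writing a driver: a System32 write, but not by Defender.
    {"EventID": 11, "UtcTime": "2026-04-10 12:06:00.000",
     "Image": "C:\\Windows\\servicing\\TrustedInstaller.exe",
     "TargetFilename": "C:\\Windows\\System32\\drivers\\example.sys"},
]


def _utc(ev):
    """Parse Sysmon's UtcTime format into a datetime."""
    return datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")


def is_junction_to_protected(ev):
    """Mirror of the Sigma rule: cmd.exe running mklink /J with a protected dir named."""
    if ev.get("EventID") != 1:
        return False
    image = ev.get("Image", "").lower()
    cmd = ev.get("CommandLine", "").lower()
    if not (image.endswith("\\cmd.exe") and "mklink" in cmd and "/j" in cmd):
        return False
    return any(prefix.rstrip("\\") in cmd for prefix in PROTECTED_PREFIXES)


def is_defender_write_to_protected(ev):
    """File create under a protected directory where the writer is MsMpEng.exe."""
    if ev.get("EventID") != 11:
        return False
    image = ev.get("Image", "").lower()
    target = ev.get("TargetFilename", "").lower()
    return image.endswith("\\msmpeng.exe") and target.startswith(PROTECTED_PREFIXES)


def correlate(events, window=timedelta(seconds=30)):
    """One alert per Defender write into a protected directory.

    Raised to 'high' when a junction-to-protected-dir event precedes the write
    within `window`; otherwise kept as a stand-alone 'medium' signal, since the
    junction may have been created without cmd.exe and left no Event ID 1.
    """
    junctions = [e for e in events if is_junction_to_protected(e)]
    alerts = []
    for write in (e for e in events if is_defender_write_to_protected(e)):
        t_write = _utc(write)
        prior = [j for j in junctions if timedelta(0) <= t_write - _utc(j) <= window]
        alerts.append({
            "time": write["UtcTime"],
            "target": write["TargetFilename"],
            "level": "high" if prior else "medium",
            "preceding_junction": prior[0]["CommandLine"] if prior else None,
        })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(f"[{alert['level'].upper()}] {alert['time']} Defender wrote {alert['target']}")
        if alert["preceding_junction"]:
            print(f"         preceded by: {alert['preceding_junction']}")
```

Like the Sigma rule, the junction check matches on the command line rather than on the resolved reparse target, so it is a cheap first filter and not a substitute for reparse-point telemetry; the prefixes and the correlation window are the knobs to tune for a given estate.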
  1. Immediate Patching: Ensure the Microsoft Defender Antimalware Platform is updated to version 4.18.26030.3011 or later. This specific update addresses the BlueHammer flaw.
  2. Vigilance on Sibling Flaws: Note that while BlueHammer is patched, the related zero-days RedSun (another LPE abusing cloud file rollback) and UnDefend (a DoS blocking updates) remain unpatched at the time of writing. EDR behavioral monitoring must remain active.