The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a flaw in Microsoft Defender to its Known Exploited Vulnerabilities (KEV) catalog. It is tracked as CVE-2026-33825 and has a CVSS score of 7.8. The flaw can be exploited to achieve privilege escalation, and Microsoft fixed it with its April 2026 Patch Tuesday updates.
Last week, Huntress researchers reported that attackers are exploiting three recently disclosed zero-day flaws in Microsoft Defender to gain higher privileges, including CVE-2026-33825 (also known as BlueHammer). The three flaws—BlueHammer, RedSun, and UnDefend—were revealed by Chaotic Eclipse after criticising Microsoft’s handling of the disclosure, and proof-of-concept code for the unpatched Windows bug was published.
At present, Microsoft has fixed only CVE-2026-33825, while the others remain unpatched, and Huntress noted real-world exploitation of all three flaws. Under Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies must address identified vulnerabilities by the due date to protect networks. CISA has ordered federal agencies to fix the vulnerability by 6 May 2026.