www.securityweek.com 4/23/2026, 8:31:02 AM

Recent Microsoft Defender Vulnerability Exploited as Zero-Day

CyberSIXT Evidence Panel

CISA KEV: listed in KEV
Patch: patch available

SecurityWeek reports that a recently disclosed privilege escalation vulnerability in Microsoft Defender, tracked as CVE-2026-33825 with a CVSS score of 7.8, has been exploited in the wild as a zero-day using publicly available PoC code. Patched on 14 April, the issue is described by Microsoft as an elevation of privilege rooted in insufficient granularity of access control.

The vulnerability was publicly disclosed on 2 April by researchers known as Chaotic Eclipse and Nightmare-Eclipse, who named the flaw BlueHammer and published PoC exploit code to their GitHub repository. The repository demonstrates three techniques for gaining System privileges, BlueHammer, RedSun and UnDefend; BlueHammer relies on oplocks and a defective signature update to copy the SAM database and decrypt NT hashes.

Huntress notes that the attackers accessed the target environment through an SSL VPN connection to a FortiGate firewall, that the first attacks were observed from 10 April, and that further activity followed on 16 April. CISA has added CVE-2026-33825 to its KEV catalog and urged federal agencies to patch by 6 May.


Article by CyberSIXT
