
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical Microsoft Defender Elevation of Privilege Vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog. The flaw, designated as CVE-2026-33825 and colloquially known as “BlueHammer,” has been exploited in active attacks since early April.
What is BlueHammer?
BlueHammer is a vulnerability within Microsoft Defender that allows local attackers with low privileges to escalate their access level to SYSTEM. A researcher known as “Chaotic Eclipse” publicly disclosed the flaw to highlight issues with Microsoft’s vulnerability disclosure processes. Because it has been actively weaponized, CISA is mandating that federal civilian executive branch (FCEB) agencies patch the vulnerability by May 7, 2026.
How to check if you’re affected
- Check Your Defender Version: Ensure your Microsoft Defender definitions and engine are fully up to date.
- Review Patch Tuesday Updates: Ensure the April 14, 2026, Patch Tuesday updates have been successfully applied to your Windows systems.
- Monitor for Unexpected Escalation: Look for unusual local user behavior that might indicate attempts to acquire SYSTEM-level privileges.
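
The first two checks above can be scripted on a single host. The following PowerShell is an added example, not code from the original article or from Microsoft. It reads the Defender platform, engine and definition versions and lists Windows updates installed on or after the April 14, 2026 Patch Tuesday. The fixed platform version and the two-day signature-age threshold are assumptions: the article does not state a fixed version, so that value is left as a placeholder to fill in from Microsoft's advisory.

```powershell
# Added example: values marked PLACEHOLDER or "assumption" are not from the article.
$FixedPlatformVersion = $null                    # PLACEHOLDER: set from Microsoft's advisory, e.g. '4.x.x.x'
$PatchDate            = [datetime]'2026-04-14'   # Patch Tuesday date given in the article
$MaxSignatureAgeDays  = 2                        # assumption: local policy threshold

# Defender's own status: platform (AMProductVersion), engine and definitions.
$mp = Get-MpComputerStatus

$report = [ordered]@{
    ComputerName      = $env:COMPUTERNAME
    PlatformVersion   = $mp.AMProductVersion
    EngineVersion     = $mp.AMEngineVersion
    SignatureVersion  = $mp.AntivirusSignatureVersion
    SignatureUpdated  = $mp.AntivirusSignatureLastUpdated
    SignatureAgeDays  = $mp.AntivirusSignatureAge
    SignaturesCurrent = $mp.AntivirusSignatureAge -le $MaxSignatureAgeDays
}

# Only compare against a fixed version once one has been supplied.
if ($FixedPlatformVersion) {
    $report.PlatformPatched = [version]$mp.AMProductVersion -ge [version]$FixedPlatformVersion
} else {
    $report.PlatformPatched = 'unknown (set $FixedPlatformVersion)'
}

# Get-HotFix can return entries with an empty InstalledOn; skip those.
$recent = Get-HotFix |
    Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $PatchDate } |
    Sort-Object InstalledOn

$report.UpdatesSincePatchDate   = ($recent.HotFixID -join ', ')
$report.HasUpdateSincePatchDate = [bool]$recent

[pscustomobject]$report | Format-List
```

An update dated on or after April 14 is only an indicator; confirm that the listed KB is the one Microsoft names for CVE-2026-33825 before treating the host as patched.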
