Redmond, April 14, 2026, 15:03 PDT
Microsoft issued a fix for CVE-2026-33825 on Tuesday, a Microsoft Defender privilege-escalation bug that had been publicly disclosed and linked by security researchers to BlueHammer, the proof-of-concept exploit that surfaced online earlier this month. That patch landed as part of Microsoft’s April Patch Tuesday update, which also included a security fix for SharePoint—CVE-2026-32201. According to Microsoft, attackers had already started exploiting that SharePoint vulnerability.
This one’s significant: BlueHammer allowed attackers with existing access to escalate to SYSTEM, the highest level on Windows machines. With public exploit code out before any patch was ready, the debate among researchers quickly took a back seat. Suddenly, every unpatched endpoint faced a real threat.
Microsoft says users relying on automatic updates for Defender are already covered—they just need to check their updates have landed. On the public Defender pages, the company flagged new platform releases: the security intelligence site shows an April 14 release, while the Update Catalog logs KB4052623 as April 13.
Microsoft says Zen Dodd and Yuanpei Xu found the vulnerability. Over at Fortra, Tyler Reguly, associate director of security R&D, pointed out that the patched issue seems to line up with the BlueHammer proof-of-concept that surfaced just days before, posted by a researcher going by Chaotic Eclipse.
The code landed on GitHub April 3, following Chaotic Eclipse’s accusation that Microsoft’s Security Response Center botched the disclosure process. Microsoft responded, saying it investigates security reports and backs coordinated disclosure, though it hasn’t detailed what went wrong.
The flaw, researchers said, boils down to a TOCTOU—time-of-check/time-of-use—and path-confusion issue in how Defender handles updates. In effect, the software validates a file or path, but by the time it acts on the result, the object it checked may have been swapped for something else. That gap, analysts noted, could make the Security Account Manager (SAM) database—where local password hashes live—vulnerable.
Cyderes reported that the exploit didn’t rely on a typical memory-corruption flaw; instead, it made use of standard Windows mechanisms like Volume Shadow Copy, Cloud Files callbacks, and opportunistic locks. According to Will Dormann, principal vulnerability analyst at Tharros, an attacker pulling this off could “basically own the system.”
Dustin Childs, who heads threat awareness at Trend Micro’s Zero Day Initiative, said the bug “does look like it’s a real problem” despite some doubts about reliability, and he pushed Defender users to patch fast. Jack Bicer, director of vulnerability research at Action1, called out the flaw for “significantly” boosting risk once attackers are inside, while Microsoft flagged it as more likely to be exploited.
Microsoft’s massive security update patched BlueHammer along with over 160 other vulnerabilities, more than half of which were elevation-of-privilege issues. These are the types of bugs attackers favor to escalate from a minor breach to broader access. This month’s zero-day in SharePoint was a clear sign: hackers have already shifted focus to other Microsoft soft spots.
Patching, though, won’t shut down the risk right away. Researchers note the initial public code wasn’t perfect, but it did the job—so the threat remains. Cyderes points out: just spotting the first sample isn’t a fix for the deeper method. That opens the door to modified attacks, delayed updates from big organizations, or chains of exploits hitting systems slow to patch.
According to Cyderes, it takes just days for experienced threat actors to work through bugs in public proof-of-concept code. Over on Microsoft’s public Defender pages, updated platform releases have started rolling out. For organizations still pausing to test or stage endpoint updates before a full rollout, the window is getting tight.
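One way to confirm that the Defender platform and security-intelligence updates described above have actually landed on a fleet, as an added example that is not Microsoft's code or part of the article: `Get-MpComputerStatus` and `Invoke-Command` are standard Windows cmdlets, while `$MinPlatformVersion` is a placeholder the reader must fill in from Microsoft's release notes, since the article does not state the fixed platform version.

```powershell
# Added example: report Defender update state per endpoint so machines that
# have not picked up the April platform release stand out.
# PLACEHOLDER: set to the patched Defender platform version from Microsoft's notes.
$MinPlatformVersion   = [version]'0.0.0.0'
$MaxSignatureAgeHours = 24   # flag endpoints whose signatures are older than this

function Get-DefenderPatchState {
    param([string[]]$ComputerName = @($env:COMPUTERNAME))

    # Runs on each endpoint and returns the raw Defender version data.
    $probe = {
        $s = Get-MpComputerStatus
        [pscustomobject]@{
            Computer             = $env:COMPUTERNAME
            PlatformVersion      = $s.AMProductVersion
            EngineVersion        = $s.AMEngineVersion
            SignatureVersion     = $s.AntivirusSignatureVersion
            SignatureLastUpdated = $s.AntivirusSignatureLastUpdated
            RealTimeProtection   = $s.RealTimeProtectionEnabled
        }
    }

    # Local machine: run directly. Remote machines: use WinRM via Invoke-Command.
    $results = foreach ($c in $ComputerName) {
        if ($c -in @($env:COMPUTERNAME, 'localhost', '.')) { & $probe }
        else { Invoke-Command -ComputerName $c -ScriptBlock $probe -ErrorAction Continue }
    }

    foreach ($r in $results) {
        $platformOk  = [version]$r.PlatformVersion -ge $MinPlatformVersion
        $sigAgeHours = ((Get-Date) - $r.SignatureLastUpdated).TotalHours
        $r | Add-Member -NotePropertyName PlatformPatched -NotePropertyValue $platformOk -PassThru |
             Add-Member -NotePropertyName SignatureStale `
                        -NotePropertyValue ($sigAgeHours -gt $MaxSignatureAgeHours) -PassThru
    }
}

# Usage: list endpoints still below the patched platform version or with stale signatures.
Get-DefenderPatchState -ComputerName @('localhost') |
    Where-Object { -not $_.PlatformPatched -or $_.SignatureStale } |
    Format-Table Computer, PlatformVersion, SignatureVersion, SignatureLastUpdated, PlatformPatched, SignatureStale -AutoSize
```

Until `$MinPlatformVersion` is set to the real fixed version, `PlatformPatched` will be true for every host, so treat the placeholder as a required input rather than a default.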