CVE-2026-33825 BlueHammer: Defender Zero-Day Grants SYSTEM — Patch Now
Quick summary
BlueHammer CVE-2026-33825 (CVSS 7.8) exploits Windows Defender for a SYSTEM shell. CISA KEV deadline May 6. RedSun and UnDefend — two companion zero-days — still unpatched.
Three zero-day exploits against Microsoft Defender are being used in attacks. BlueHammer (CVE-2026-33825, CVSS 7.8) weaponizes a race condition in Defender's file quarantine logic to read the Windows SAM database, extract the NT password hashes it holds, and end up with a SYSTEM-level command shell. No additional malware needs to be deployed once the exploit runs. CISA added BlueHammer to the Known Exploited Vulnerabilities catalog on April 22 with a May 6 patch deadline for federal agencies. Two companion exploits, RedSun and UnDefend, are still being used in attacks with no patch available.
Every Windows machine running Defender is in scope, and Defender Antivirus is enabled by default on every Windows 10 and Windows 11 installation. A third-party antivirus puts Defender into passive mode but does not remove the Defender platform, so those machines need the update too. The attack requires an initial foothold on the target machine; BlueHammer is the tool that turns that foothold into full SYSTEM control.
How BlueHammer Works: The Race Condition
Defender's file remediation logic handles the process of quarantining a flagged file: it reads the file, moves it to the quarantine store, and then cleans up the original location. This process runs at SYSTEM privilege because Defender needs SYSTEM access to operate across all user contexts and system directories.
The race condition is in the cleanup step. When Defender marks a file for remediation and begins the privileged cleanup process, there is a brief window between Defender's privilege check and its actual file operation. An attacker who can time a file substitution into that window can redirect Defender's SYSTEM-privileged file read to an arbitrary location.
BlueHammer uses this window to redirect a SYSTEM-privileged Defender file read to the Windows Security Account Manager (SAM) database at C:\Windows\System32\config\SAM. The SAM database contains hashed credentials for all local accounts. Defender reads the SAM at SYSTEM privilege and the attacker captures the output.
The full attack chain:
1. Drop a trigger file that Defender flags as malicious.
2. Race the cleanup process to substitute a symlink pointing to the SAM database.
3. Defender, running as SYSTEM, follows the symlink and reads the SAM database.
4. Attacker extracts the NT hashes for all local accounts, including the local Administrator account. The hive stores them encrypted under a key derived from the SYSTEM hive's boot key, so this step yields hashes, not plaintext passwords.
5. Pass-the-hash or hash-cracking techniques convert the captured hashes into usable credentials. On a default Windows 10/11 client the built-in Administrator account is disabled, so in practice the attacker needs the hash of an enabled local administrator account.
6. A SYSTEM-level shell follows by standard administrator-to-SYSTEM escalation using the recovered local administrator credentials.
The attack is quiet by design: BlueHammer removes the planted symlink and the trigger file after execution, so the file system shows nothing afterwards. It is not invisible. The trigger file has to be flagged by Defender, and Defender records that detection in its own operational log regardless of audit settings (event IDs 1116 and 1117 in Microsoft-Windows-Windows Defender/Operational). The Security log shows nothing under default settings only because file-system object access auditing is off by default; with a SACL on the SAM hive, the read itself is recorded.
What SYSTEM Shell Access Means
SYSTEM (NT AUTHORITY\SYSTEM, the LocalSystem account) is the highest privilege level on a Windows machine. It sits above Administrator: it holds every privilege, is not subject to UAC, and is the context in which the OS itself and services such as Defender run. A process running as SYSTEM can:
- Read and write any file on the system, including sensitive credential stores
- Install and execute any software without UAC prompts
- Modify security configurations, disable logging, and alter audit policies
- Access and decrypt DPAPI-protected secrets (browser passwords, credential manager, certificates) of any logged-on user, via the master keys cached in LSASS
- Inject code into any running process
- Create and delete user accounts
- Modify firewall rules and disable Defender itself
From a SYSTEM shell, an attacker can establish persistence, exfiltrate data, move laterally to other systems on the network, and cover their tracks. For a developer machine, SYSTEM access means all SSH keys, API keys, cloud credentials, and browser-saved passwords are available to the attacker.
RedSun and UnDefend: Still No Patch
BlueHammer (CVE-2026-33825) was patched in Microsoft's April 2026 Patch Tuesday (April 8). RedSun and UnDefend are the two companion exploits that were discovered in the same research cycle but remain unpatched as of April 28.
Details on the two unpatched exploits are limited because Microsoft follows coordinated disclosure — publishing full technical details only after patches are available. What is public from CISA and the Zero Day Initiative:
RedSun: A separate Defender code execution path that also leads to SYSTEM-level access. Attack vector is different from BlueHammer — involves Defender's real-time protection scanning logic rather than the quarantine/remediation path. Being actively exploited in the wild per Microsoft's own acknowledgment.
UnDefend: A technique that uses Defender's own update mechanism to load unsigned code at SYSTEM privilege. More complex to execute than BlueHammer or RedSun but potentially more reliable because it does not require timing a race condition. Active exploitation confirmed.
Both exploits are in Microsoft's patching pipeline. No ETA has been published; given Microsoft's monthly release cadence, both will likely appear in May's Patch Tuesday (May 13) at the latest.
Who Is Being Targeted
Threat intelligence from CrowdStrike and the Zero Day Initiative indicates BlueHammer exploitation was first observed in late March 2026, approximately two weeks before Microsoft's April Patch Tuesday. The primary observed targets in this window:
- Developer workstations at software companies and security research firms
- Corporate endpoints at financial services firms
- Government agency endpoints in Eastern Europe
The initial exploitation appeared to come from a single threat actor before spreading to commodity ransomware groups. The gap between first exploitation and public disclosure (approximately 3 weeks) is consistent with a nation-state actor discovering the vulnerability and exploiting it before responsible disclosure was completed.
By the time CISA added it to KEV on April 22, multiple ransomware groups had integrated BlueHammer into their toolkits. This is now an opportunistic threat, not just a targeted one.
The CISA KEV Deadline and What It Means
CISA's Known Exploited Vulnerabilities catalog mandates that federal civilian agencies patch listed vulnerabilities by a specified deadline — in this case, May 6, 2026 for CVE-2026-33825.
The KEV mandate applies only to federal civilian agencies under CISA's authority (Binding Operational Directive 22-01). But the KEV catalog is effectively the industry's highest-confidence list of actively exploited vulnerabilities: an entry requires an assigned CVE, reliable evidence of active exploitation, and a clear remediation action. Proof-of-concept research alone does not qualify.
For non-federal organizations, the May 6 date should be treated as: "if federal agencies are required to patch by this date, your organization should already have patched." The patch has been available since the April 8 update; the four weeks between that date and the deadline are organizational process time, not a technical constraint.
Developer and Enterprise Action Plan
Patch Windows now. CVE-2026-33825 (BlueHammer) is patched in the April 2026 Patch Tuesday cumulative update (KB5036979 for Windows 11, KB5036980 for Windows 10). Run Windows Update, verify the update is installed, and verify the Defender platform version is 4.18.25030 or higher. The Defender antimalware platform is serviced separately from the OS cumulative update (it arrives as its own monthly update through Windows Update), so an installed cumulative update does not by itself prove the platform version; check both.
To check your Defender platform version in PowerShell: Get-MpComputerStatus | Select-Object AMProductVersion, AMServiceVersion. AMProductVersion is the platform version and should be 4.18.25030 or higher.
Enable Defender tamper protection. Tamper protection blocks changes to Defender's configuration made outside the Windows Security app or your management tooling (registry edits, PowerShell, Group Policy), even by local administrators, so an attacker with a foothold cannot quietly switch off real-time protection or add exclusions. It does not stop BlueHammer itself, which abuses Defender while it is running; it keeps the post-exploitation step of disabling Defender from being trivial. Settings > Windows Security > Virus & Threat Protection > Manage Settings > Tamper Protection = On. The current state is reported by Get-MpComputerStatus as IsTamperProtected.
Monitor for SAM access. Two settings that are both off by default are needed before any event exists to watch: the "Audit File System" subcategory (Audit Object Access in Local Security Policy) and a SACL on C:\Windows\System32\config\SAM itself; without the SACL, no 4663 event is written for the file. Then triage every read of the hive by process name. On a healthy machine the hive file is held open by the kernel and user-mode processes have no reason to open it, so baseline first and treat anything outside that baseline as a review item; MsMpEng.exe, Defender's own engine process, appearing as the reader is the BlueHammer shape. Microsoft Defender for Endpoint's Advanced Hunting has a query template for this event class.
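As a worked example added to this article (our script, not Microsoft's and not from the original post), the following PowerShell turns the update check, the platform version check and the tamper protection check above into one pass/fail report that can run on a single machine or inside a fleet compliance job. It assumes the KB numbers and the 4.18.25030 minimum quoted in this article; the function name and its parameters are ours.

```powershell
# Added example written for this article; it is not Microsoft's code and not
# from the original post. It checks, on one machine, what the text says to
# verify: the April 2026 cumulative update, the Defender platform version and
# tamper protection. Run from an elevated PowerShell prompt on Windows 10/11.
#
# Assumptions, labelled: the KB IDs and the minimum platform version are the
# figures quoted in the article; the function name and parameters are ours.
function Test-DefenderPatchPosture {
    [CmdletBinding()]
    param(
        # Article's April 2026 cumulative update IDs (Windows 11 / Windows 10);
        # only one of them will be present on a given machine.
        [string[]] $CumulativeUpdateKb = @('KB5036979', 'KB5036980'),
        # Article's minimum Defender antimalware platform version.
        [version]  $MinimumPlatform    = [version]'4.18.25030'
    )

    $status = Get-MpComputerStatus
    $hotfix = @(Get-HotFix | Where-Object { $_.HotFixID -in $CumulativeUpdateKb })

    # AMProductVersion is the platform build; it is serviced separately from the
    # OS cumulative update, which is why it gets its own check.
    $platform = if ($status.AMProductVersion) { [version] $status.AMProductVersion } else { [version] '0.0' }
    $cuValue  = if ($hotfix.Count) { $hotfix.HotFixID -join ',' } else { 'not found' }

    @(
        [pscustomobject]@{
            Check = "Cumulative update ($($CumulativeUpdateKb -join ' or '))"
            Value = $cuValue
            Pass  = $hotfix.Count -gt 0
        }
        [pscustomobject]@{
            Check = "Defender platform >= $MinimumPlatform"
            Value = $status.AMProductVersion
            Pass  = $platform -ge $MinimumPlatform
        }
        [pscustomobject]@{
            Check = 'Tamper protection'
            Value = $status.IsTamperProtected
            Pass  = [bool] $status.IsTamperProtected
        }
        [pscustomobject]@{
            # 'Passive Mode' means a third-party AV is primary; the Defender
            # platform is still installed and still needs the update.
            Check = 'Defender service / running mode'
            Value = "$($status.AMServiceEnabled) / $($status.AMRunningMode)"
            Pass  = [bool] $status.AMServiceEnabled
        }
        [pscustomobject]@{
            Check = 'Real-time protection'
            Value = $status.RealTimeProtectionEnabled
            Pass  = [bool] $status.RealTimeProtectionEnabled
        }
    )
}

$result = Test-DefenderPatchPosture
$result | Format-Table -AutoSize

# Non-zero exit code so the script can run as a fleet-wide compliance check.
if ($result | Where-Object { -not $_.Pass }) { exit 1 }
```

Tamper protection is deliberately not settable from Set-MpPreference, which is why the script only reports it; turn it on through the Windows Security app, Intune or Defender for Endpoint.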
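The following PowerShell is an added example, not the Advanced Hunting template mentioned above and not Microsoft's code. It switches on the two settings that make SAM hive reads visible, then correlates 4663 reads of the hive with Defender's own detection events (1116/1117), which is the two-event shape the attack chain above produces. It assumes Set-Acl can write a SACL onto the kernel-held hive file (icacls can; fall back to a registry SACL on HKLM\SAM if your build refuses); the 120-second window, the function name and its parameters are ours.

```powershell
# Added example written for this article; it is not Microsoft's code and not the
# MDE Advanced Hunting template the text refers to. Part 1 switches on the
# auditing that makes reads of the SAM hive file visible; part 2 hunts for such
# reads that coincide with a Defender detection, which is the shape the article
# attributes to BlueHammer (trigger file flagged, then a SYSTEM-privileged read
# of the SAM). Run from an elevated PowerShell prompt.
#
# Assumptions, labelled: that Set-Acl can write a SACL onto the kernel-held hive
# file (icacls can; if it fails on your build, put the audit rule on HKLM\SAM
# with Get-Acl/Set-Acl on the registry path instead); the 120-second correlation
# window, the function name and its parameters are ours.

# --- Part 1: make the events exist -------------------------------------------
# Security event 4663 (object accessed) is only written when the File System
# audit subcategory is on AND the object carries a SACL. Neither is the default.
auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

$samPath = Join-Path $env:SystemRoot 'System32\config\SAM'
$acl  = Get-Acl -Path $samPath -Audit
$rule = [System.Security.AccessControl.FileSystemAuditRule]::new('Everyone', 'ReadData', 'Success,Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $samPath -AclObject $acl

# --- Part 2: hunt ------------------------------------------------------------
function Find-SamReadNearDefenderDetection {
    param(
        [int]      $Hours = 24,
        # Baseline this first: on a healthy machine the hive file is held open by
        # the kernel and user-mode processes have no reason to open it.
        [string[]] $ExpectedProcess = @(),
        [int]      $WindowSeconds = 120
    )
    $since = (Get-Date).AddHours(-$Hours)

    # Defender's own detection (1116) and action-taken (1117) events. The "silent"
    # attack still has to get its trigger file flagged, and that is logged here.
    $detections = @(Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1116, 1117; StartTime = $since })

    # 4663 events whose object is the SAM hive. Matching on the rendered message
    # is build-independent; the numeric Properties[] indexes of 4663 are not.
    $samReads = @(Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 4663; StartTime = $since }) |
        Where-Object { $_.Message -match '(?im)^\s*Object Name:\s+\S*\\config\\SAM\s*$' }

    foreach ($ev in $samReads) {
        $proc = if ($ev.Message -match '(?im)^\s*Process Name:\s+(?<p>.+?)\s*$') { $Matches['p'] } else { '?' }
        $near = @($detections | Where-Object {
            [math]::Abs(($_.TimeCreated - $ev.TimeCreated).TotalSeconds) -le $WindowSeconds })

        # An unexpected reader AND a Defender detection in the window is the
        # combination worth paging on; an unexpected reader alone is a review item.
        $verdict = if ($proc -notin $ExpectedProcess -and $near.Count -gt 0) { 'INVESTIGATE' }
                   elseif ($proc -notin $ExpectedProcess) { 'review' }
                   else { 'ok' }

        [pscustomobject]@{
            Time               = $ev.TimeCreated
            Process            = $proc
            DefenderHitsNearby = $near.Count
            Verdict            = $verdict
        }
    }
}

Find-SamReadNearDefenderDetection -Hours 24 | Sort-Object Time | Format-Table -AutoSize
```

Run part 1 once and keep part 2 as a scheduled hunt; a row showing MsMpEng.exe as the reader within two minutes of a 1116/1117 event is the pattern to escalate.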
Treat RedSun and UnDefend as active threats. Since patches are not yet available, the mitigation is behavioral: reduce attack surface by ensuring your machines cannot be the initial foothold. Phishing resistance (hardware keys, FIDO2), application allow-listing, and EDR with behavioral detection are the compensating controls while patches are pending.
For developer machines specifically: Rotate any credentials that were accessible on machines with unpatched Defender during March–April 2026. This means SSH keys, API keys in environment variables or .env files, cloud credentials in .aws or .azure under your user profile, tokens in .npmrc, .pypirc, kubeconfig and Docker config, and browser-saved passwords. If BlueHammer was used against your machine, those credentials should be considered compromised; with a SYSTEM shell the attacker could read every one of them, and the files themselves will not tell you which were read.
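As an added example (ours, not from the article), this PowerShell builds the rotation inventory for one developer profile: which of the well-known credential stores exist, whether they were on disk by the patch date, and whether they have been written since. It reads no secret contents. The April 8 default and the path list are assumptions taken from this article and from common developer tooling; pass the date you actually patched if it was later.

```powershell
# Added example written for this article (ours, not from the original post). It
# builds the rotation list the text asks for on a developer workstation: each
# well-known credential store that exists, whether it was present by the patch
# date, and whether it has been written since (so possibly already rotated).
# Run as the affected user. Nothing inside the files is read.
#
# Assumptions, labelled: $PatchDate defaults to the article's April 8 update
# date and assumes the machine was patched that day; $DevRoots is where your
# repositories live; the function name and the path list are ours.
function Get-CredentialRotationList {
    param(
        [datetime] $PatchDate = '2026-04-08',   # article: date of the fixing update
        [string[]] $DevRoots  = @("$env:USERPROFILE\source", "$env:USERPROFILE\repos")
    )
    $u = $env:USERPROFILE
    # Well-known credential material on a Windows developer machine.
    $known = @(
        @{ Kind = 'SSH private key';        Glob = "$u\.ssh\id_*"; Exclude = '\.pub$' }
        @{ Kind = 'AWS credentials';        Glob = "$u\.aws\credentials" }
        @{ Kind = 'Azure CLI token cache';  Glob = "$u\.azure\msal_token_cache.bin" }
        @{ Kind = 'Azure CLI token cache';  Glob = "$u\.azure\accessTokens.json" }
        @{ Kind = 'kubeconfig';             Glob = "$u\.kube\config" }
        @{ Kind = 'Docker registry auth';   Glob = "$u\.docker\config.json" }
        @{ Kind = 'npm token';              Glob = "$u\.npmrc" }
        @{ Kind = 'PyPI token';             Glob = "$u\.pypirc" }
        @{ Kind = 'git stored credentials'; Glob = "$u\.git-credentials" }
        @{ Kind = 'GitHub CLI token';       Glob = "$env:APPDATA\GitHub CLI\hosts.yml" }
        @{ Kind = 'Chrome saved passwords'; Glob = "$env:LOCALAPPDATA\Google\Chrome\User Data\*\Login Data" }
        @{ Kind = 'Edge saved passwords';   Glob = "$env:LOCALAPPDATA\Microsoft\Edge\User Data\*\Login Data" }
    )

    $files = @(foreach ($k in $known) {
        Get-ChildItem -Path $k.Glob -File -Force -ErrorAction SilentlyContinue |
            Where-Object { -not $k.Exclude -or $_.Name -notmatch $k.Exclude } |
            ForEach-Object { [pscustomobject]@{ Kind = $k.Kind; File = $_ } }
    })
    # .env files under the repository roots, skipping dependency trees.
    $files += @(foreach ($root in ($DevRoots | Where-Object { Test-Path $_ })) {
        Get-ChildItem -Path $root -Recurse -Force -File -Filter '.env*' -ErrorAction SilentlyContinue |
            Where-Object { $_.FullName -notmatch '\\node_modules\\' } |
            ForEach-Object { [pscustomobject]@{ Kind = '.env file'; File = $_ } }
    })

    foreach ($f in $files) {
        $fi = $f.File
        $presentBeforePatch = $fi.CreationTime -le $PatchDate
        $writtenSince       = $fi.LastWriteTime -gt $PatchDate
        # A write after the patch date is only a hint that rotation happened;
        # the rotation itself still has to be confirmed with the issuer.
        $action = if ($presentBeforePatch -and -not $writtenSince) { 'ROTATE' }
                  elseif ($presentBeforePatch) { 'verify rotated (written after patch date)' }
                  else { 'created after patch date: review provenance' }
        [pscustomobject]@{
            Kind      = $f.Kind
            Path      = $fi.FullName
            Created   = $fi.CreationTime
            LastWrite = $fi.LastWriteTime
            Action    = $action
        }
    }
}

Get-CredentialRotationList | Sort-Object Action, Kind |
    Tee-Object -Variable rotationList | Format-Table -AutoSize
$rotationList | Export-Csv -NoTypeInformation -Path "$env:USERPROFILE\credential-rotation.csv"
```

The CSV is the working checklist: every ROTATE row is a credential to revoke at the issuer (cloud console, registry, Git host, password manager), not just a file to delete locally.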
Key Takeaways
- CVE-2026-33825 BlueHammer (CVSS 7.8): Defender race condition in file remediation logic, SAM database read at SYSTEM privilege, NTLM hash extraction, SYSTEM shell — patched April 8 Patch Tuesday
- CISA KEV deadline May 6: federal agencies required to patch; treat this as your patch-now deadline regardless of organization type
- Two exploits still unpatched: RedSun (Defender real-time scan path) and UnDefend (Defender update mechanism) are confirmed exploited in the wild with no patch yet — expected May Patch Tuesday
- Attack is quiet, not invisible: BlueHammer removes its symlink and trigger file post-exploitation and default logging shows nothing; the Defender detection of the trigger file is still logged (events 1116/1117), and the SAM read is recorded once a SACL is in place
- Ransomware groups now using it: started as targeted nation-state exploitation in late March, now in commodity ransomware toolkits — opportunistic threat, not just targeted
- Developer action: patch via Windows Update now; rotate credentials on any potentially affected machine; enable tamper protection; monitor for SAM access anomalies
For the Microsoft OAuth attack that pairs with endpoint compromises, read APT28 Hijacked 18,000 Routers to Steal Microsoft OAuth Tokens. For the CISA KEV list context, read CISA KEV: SimpleHelp CVE-2024-57726, Samsung MagicINFO, D-Link. For the Chrome zero-day that requires parallel patching, read Chrome Zero-Day CVE-2026-5281.
Frequently Asked Questions
What is BlueHammer CVE-2026-33825 and how does it work?
BlueHammer (CVE-2026-33825, CVSS 7.8) is a local privilege escalation exploit targeting Windows Defender. It exploits a race condition in Defender's file quarantine and remediation logic, which runs at SYSTEM privilege. An attacker with an initial foothold on the machine drops a file that Defender flags, then races the cleanup process to redirect Defender's SYSTEM-privileged file read to the Windows SAM database. This gives the attacker access to all local NTLM password hashes, which can be used to obtain full SYSTEM access. The attack restores original file pointers post-execution and leaves minimal traces in standard logs. It was patched in April 8 Patch Tuesday (KB5036979/KB5036980).
What are RedSun and UnDefend and are they patched?
RedSun and UnDefend are two companion Microsoft Defender exploits discovered in the same research cycle as BlueHammer. RedSun exploits a different code path in Defender's real-time protection scanning logic. UnDefend uses Defender's own update mechanism to load unsigned code at SYSTEM privilege. Both are confirmed to be actively exploited in the wild as of April 2026. Neither has a patch available yet — Microsoft has acknowledged both but has not published a patch timeline. They are expected to appear in May 2026 Patch Tuesday (May 13). Compensating controls include phishing-resistant MFA, application allow-listing, and EDR behavioral detection.
What should developers do right now about BlueHammer?
First, apply the April 2026 Windows cumulative update (KB5036979 for Windows 11, KB5036980 for Windows 10) immediately — BlueHammer is patched and there is no reason to delay. Verify Defender platform version is 4.18.25030 or higher using PowerShell: Get-MpComputerStatus | Select-Object AMProductVersion. Enable Defender tamper protection. For any developer machine that ran unpatched Defender between late March and April 8, rotate all credentials that were accessible: SSH keys, API keys, .env files, cloud credentials in ~/.aws or ~/.azure, and browser-saved passwords. These should be treated as potentially compromised.
Does BlueHammer work remotely or does an attacker need local access?
BlueHammer is a local privilege escalation exploit — it requires an initial foothold on the target machine first. An attacker cannot use BlueHammer to compromise a machine they have no access to. The typical attack chain is: gain initial foothold via phishing, browser exploit, or supply chain compromise; then use BlueHammer to escalate from user-level access to SYSTEM. This is why BlueHammer is dangerous alongside other exploits: it turns any low-privilege foothold into full machine control. The companion exploits RedSun and UnDefend follow the same local privilege escalation model.
Written by
Software Engineer based in Delhi, India. Writes about AI models, semiconductor supply chains, and tech geopolitics — covering the intersection of infrastructure and global events. 917+ posts cited by ChatGPT, Perplexity, and Gemini. Read in 167 countries.
