Stay Ahead of the Threat Landscape
Get weekly cybersecurity briefings covering major threats, strategic developments, and the trends shaping technology, security, and industry.
Breaking: NSA advises regular router reboots
Cloud Security Alliance Warns CISOs to Prepare for AI-Powered Cyberattacks
The AI Boom Is Turning Energy Into a Consumer Issue
As AI Spending Surges, Chip Prices Ripple Into Daily Life

A newly urgent Microsoft Defender flaw known as BlueHammer drew federal attention after CISA added it to the Known Exploited Vulnerabilities catalog and ordered agencies to patch or mitigate it. The issue allows a low-privileged local attacker to escalate to SYSTEM on affected Windows systems.
The flaw became more serious after Huntress linked it to observed intrusion activity rather than isolated testing, showing that attackers were already moving beyond research and into practical use. That shift, combined with CISA action, pushed it from a technical vulnerability story into a real operational threat.
Technically, the issue has been described as an access control weakness, while Huntress tied the exploitation path to race-condition, or time-of-check/time-of-use (TOCTOU), abuse in Defender. The same reporting also connected the activity to Nightmare-Eclipse tooling and related flaws called RedSun and UnDefend, suggesting a broader exploitation ecosystem rather than a one-off bug.
The affected software is Microsoft Defender running on Windows systems, which makes the issue especially notable because it touches a product that many organizations rely on as a core layer of defense.
This is not a proof-of-concept-only issue. The vulnerability is being treated as actively exploited in the wild, supported by both CISA’s KEV action and Huntress’ incident observations.
Publicly shared indicators remain limited, but Huntress reported suspicious FortiGate SSL VPN access tied to affected environments and noted source infrastructure geolocated to Russia, along with other suspicious activity associated with the campaign.
What makes this especially important right now is that local privilege-escalation flaws still play a major role in turning minor access into full administrative control. Once an attacker gains any foothold, a flaw like this can quickly turn an ordinary intrusion into a much deeper enterprise incident.
For general users, the practical takeaway is simple: even security software needs to be patched aggressively. For security teams, the bigger lesson is that trusted defensive tooling remains part of the attack surface, especially when exploit development moves quickly after disclosure.
The most relevant tools here include EDR and XDR platforms, Defender operational logs, Windows event telemetry, vulnerability scanners, SIEM, and threat-hunting tooling that can trace privilege escalation, suspicious admin activity, and post-exploitation movement.
The main mitigation is immediate patching, along with following CISA-directed remediation timelines and investigating whether privilege escalation already occurred before defenses were updated. Teams should also look for persistence, unauthorized admin actions, and abnormal access behavior after patching.
CVE number: CVE-2026-33825.
CVSS score / severity: High severity. Related reporting places it at around CVSS 7.8, while the strongest immediate signal of urgency comes from its inclusion in the CISA KEV catalog and Huntress’ observed exploitation.
Sources: BleepingComputer, published April 23, 2026; Huntress reporting, published April 20, 2026.