CISA puts US government agencies on two-week deadline to patch Microsoft Defender BlueHammer zero-day


  • CISA added BlueHammer, a Microsoft Defender privilege escalation flaw, to its Known Exploited Vulnerabilities catalog.
  • Federal agencies have until May 6 to patch or discontinue use, as researchers confirmed active exploitation in the wild.
  • The disclosure came from “Chaotic Eclipse,” who also revealed two other Defender zero‑days, with Huntress Labs linking exploitation attempts to suspicious global infrastructure.

The US Cybersecurity and Infrastructure Security Agency (CISA) has added BlueHammer to its Known Exploited Vulnerabilities (KEV) catalog, giving Federal Civilian Executive Branch (FCEB) agencies two weeks to patch or stop using the vulnerable software entirely.

BlueHammer is described as an “insufficient granularity of access control in Microsoft Defender” vulnerability: a local privilege escalation bug that lets an attacker who already has a foothold on the machine raise their privileges. It is being tracked as CVE-2026-33825 and carries a CVSS severity score of 7.8 (high).

It was first disclosed in early April this year by a security researcher using the alias “Chaotic Eclipse”. They published the details on their blog while the flaw was still unpatched, making it a zero-day at the time, saying they were not satisfied with how Microsoft handles vulnerability disclosures.


RedSun and unDefend

“I was not bluffing Microsoft and I'm doing it again,” they said, before sharing a GitHub repository for BlueHammer.

Microsoft responded by saying it has a “customer commitment to investigate reported security issues and update impacted devices to protect customers as soon as possible.”

“We also support coordinated vulnerability disclosure, a widely adopted industry practice that helps ensure issues are carefully investigated and addressed before public disclosure, supporting both customer protection and the security research community,” Microsoft said.

A week later, the same researcher disclosed yet another zero-day vulnerability in Microsoft Defender. This one, called RedSun, is described as a local privilege escalation flaw that lets a local attacker gain SYSTEM privileges on up-to-date versions of Windows 10, Windows 11, and Windows Server where Defender is enabled.

They also released a third flaw, called unDefend, which the researcher says can be exploited from a standard user account to block Defender definition updates. For defenders, a machine whose Defender signatures have silently stopped updating is therefore worth treating as a signal in its own right, not just a hygiene problem.

CISA adds a vulnerability to KEV only when it has reliable evidence that the flaw is being actively exploited in the wild and there is clear remediation guidance. Under Binding Operational Directive 22-01, FCEB agencies must remediate each KEV entry by its listed due date, which for BlueHammer is May 6.
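KEV due dates are only useful if someone is actually matching the catalog against what is deployed. The following is an added example of that triage step, not code from CISA or from the article: it parses a feed document in the shape of the public KEV JSON feed, looks up a local list of CVE IDs, and reports how many days remain (or how overdue each item is). The field names match the real KEV feed; the embedded entry is a constructed sample that reuses the CVE ID, product and May 6 due date from the article, with `dateAdded` inferred from the stated two-week deadline and the description text left as a placeholder.

```python
import json
from datetime import date

# Constructed sample in the shape of the public KEV JSON feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# cveID, vendor/product and dueDate follow the article; dateAdded is inferred
# from the stated two-week deadline; the remaining strings are placeholders,
# not the catalog's actual wording.
SAMPLE_KEV_JSON = """{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "catalogVersion": "constructed-sample",
  "count": 1,
  "vulnerabilities": [
    {
      "cveID": "CVE-2026-33825",
      "vendorProject": "Microsoft",
      "product": "Windows Defender",
      "vulnerabilityName": "Microsoft Defender Insufficient Granularity of Access Control Vulnerability",
      "dateAdded": "2026-04-22",
      "shortDescription": "Placeholder description (constructed sample).",
      "requiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.",
      "dueDate": "2026-05-06",
      "knownRansomwareCampaignUse": "Unknown",
      "notes": ""
    }
  ]
}"""


def _as_date(value) -> date:
    """Accept either a date or an ISO 'YYYY-MM-DD' string."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def load_kev(feed_text: str) -> dict:
    """Index a KEV feed document by upper-cased CVE ID."""
    feed = json.loads(feed_text)
    return {entry["cveID"].upper(): entry for entry in feed["vulnerabilities"]}


def triage(inventory_cves, catalog: dict, today) -> list:
    """Report KEV status and remediation deadline for each inventory CVE.

    Rows are ordered most-urgent first (overdue, then soonest due date);
    CVEs absent from the catalog are listed last.
    """
    today = _as_date(today)
    rows = []
    for cve in inventory_cves:
        cve_id = cve.strip().upper()
        entry = catalog.get(cve_id)
        if entry is None:
            rows.append({"cve": cve_id, "in_kev": False, "days_left": None,
                         "status": "not in KEV"})
            continue
        days_left = (date.fromisoformat(entry["dueDate"]) - today).days
        status = (f"OVERDUE by {-days_left} day(s)" if days_left < 0
                  else f"due in {days_left} day(s)")
        rows.append({"cve": cve_id, "in_kev": True, "days_left": days_left,
                     "due": entry["dueDate"], "product": entry["product"],
                     "status": status})
    rows.sort(key=lambda r: (not r["in_kev"], r["days_left"] if r["in_kev"] else 0))
    return rows


def recently_added(catalog: dict, vendor: str, since) -> list:
    """CVE IDs for one vendor added to the catalog on or after `since`."""
    since = _as_date(since)
    return sorted(
        cve_id for cve_id, entry in catalog.items()
        if entry["vendorProject"].lower() == vendor.lower()
        and date.fromisoformat(entry["dateAdded"]) >= since
    )


if __name__ == "__main__":
    catalog = load_kev(SAMPLE_KEV_JSON)
    for row in triage(["CVE-2026-33825"], catalog, date.today()):
        print(row["cve"], row["status"])
    print("Microsoft entries added since 2026-04-01:",
          recently_added(catalog, "Microsoft", "2026-04-01"))
```

In practice you would replace `SAMPLE_KEV_JSON` with the downloaded feed and `inventory_cves` with the output of your vulnerability scanner; `recently_added` is the query to run daily so a new Defender entry surfaces the day CISA lists it rather than the day the deadline passes.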

At the same time, security researchers from Huntress Labs said they’ve seen malicious actors abusing the flaws in the wild.

"The activity also appeared to be part of a broader intrusion rather than isolated proof-of-concept (PoC) testing," the cybersecurity company said in a report. "Huntress identified suspicious FortiGate SSL VPN access tied to the compromised environment, including a source IP geolocated to Russia, with additional suspicious infrastructure observed in other regions."

Via BleepingComputer




Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
