HighCISA KEVExploited in the wildPublic exploit

BlueHammer

IdentifiersCVE-2026-33825CWE-284

BlueHammer (CVE-2026-33825) is a local elevation-of-privilege vulnerability in Microsoft Defender. Microsoft describes the issue as insufficient granularity of access control that allows an authorized attacker to elevate privileges locally. Supporting reporting indicates the exploit abuses the Microsoft Defender signature/update workflow and a TOCTOU race condition involving Defender’s MsMpEng service running as SYSTEM. Public technical descriptions state the exploit downloads a Defender signature package (mpam-fe), stages extracted Defender files in a temporary directory, and uses mechanisms including Volume Shadow Copy, Cloud Files callbacks, oplocks, and path/junction manipulation to cause privileged Defender operations to act on attacker-controlled targets. Reported outcomes include exposure of the SAM, SYSTEM, and SECURITY hives, access to local account password hashes, and in some exploit variants causing MsMpEng to write an attacker-controlled payload into a protected system path.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows a local authenticated attacker to escalate from a low-privileged account to SYSTEM. Reported post-exploitation effects include access to the Security Account Manager database, extraction and decryption of local NTLM password hashes, takeover of local administrator accounts, spawning of a SYSTEM shell, and effectively full control of the affected host. CISA has stated the vulnerability has been exploited in the wild, including in ransomware attacks.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure by limiting local user footholds, restricting interactive logon for untrusted users, enforcing least privilege, and monitoring for BlueHammer-related artifacts and behaviors. Useful detections from the provided content include: non-Defender processes downloading or querying Defender update infrastructure; creation of mpam-fe[1].exe in INetCache; extraction of mpengine.dll or .vdm files into user-writable temp paths; MsMpEng.exe writing into C:\Windows\System32 or drivers paths; unusual access to SAM/SYSTEM/SECURITY hives; rapid or anomalous local password changes; and suspicious Cloud Files/VSS activity involving Defender. Additional hardening should include application control, EDR/Sysmon coverage, and rapid containment of low-privilege compromises that could be chained into this LPE.

Remediation

Patch, then assume compromise.

Apply Microsoft’s security updates released on 2026-04-14 for CVE-2026-33825. Organizations should ensure Microsoft Defender and the underlying Windows components are fully updated across affected endpoints. Because CISA added the flaw to the KEV catalog and later marked it as used in ransomware campaigns, prioritize patching on internet-exposed, user-accessible, and high-value Windows systems, and validate update deployment through enterprise patch management and Defender platform/version compliance checks.

PUBLIC EXPLOITS

Exploits

1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos (5 hidden).

VALID 1 / 6 TOTALView more in app

CVE-2026-33825MaturityPoCVerified exploit

Small Windows-focused exploit repository for CVE-2026-33825 containing a single substantive source file, src/main.cpp, built with CMake. The code is a local privilege-escalation style PoC rather than a remote exploit. It uses low-level Windows and NT native APIs from ntdll.dll, plus Cloud Files API headers/libraries, to manipulate filesystem objects, enumerate object-manager directories, and set reparse points/mount points. The exploit workflow appears to prepare filesystem redirection primitives, race or coerce privileged file operations, then open \??\C:\Windows\System32\TieringEngineService.exe with FILE_SUPERSEDE semantics. After successful overwrite/placement, it copies its own executable into %WINDIR%\System32\TieringEngineService.exe and invokes LaunchTierManagementEng() to trigger execution. Repository structure is minimal: CMakeLists.txt for building, a short README naming CVE-2026-33825, and one large C++ implementation file. No network communication, C2, or external URLs are present; the exploit is entirely local and centered on Windows filesystem/object-manager abuse and privileged binary planting.

Joe1snDisclosed May 2, 2026cppcmakelocal

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

Microsoft CorporationDefenderapplication

Microsoft CorporationDefender Antimalware Platformapplication

Microsoft CorporationMicrosoft Defenderapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

162 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

162 SOURCESView more in app

security weekNews

Jun 30, 2026

BlueHammer Vulnerability Exploited in Ransomware Attacks - SecurityWeek

A Microsoft Defender privilege escalation vulnerability, dubbed BlueHammer, that was publicly disclosed before patches were available and later confirmed by CISA as exploited in ransomware campaigns.

bleeping computerNews

Jun 30, 2026

CISA: Windows BlueHammer flaw now exploited by ransomware gangs

A high-severity local privilege escalation vulnerability in Microsoft Defender caused by insufficient granularity of access control, allowing an authorized local attacker to access the SAM database, escalate to SYSTEM privileges, and potentially take full control of the affected system.

security affairsNews

Jun 18, 2026

Microsoft Confirms RoguePlanet Zero-Day in Defender, Patch Under Development

A previously disclosed Microsoft vulnerability referenced as one of several zero-days published by the same researcher; no further technical details are provided in the content.

the hacker newsNews

Jun 17, 2026

Microsoft Confirms RoguePlanet Defender Zero-Day, Says Patch is in Development

A Microsoft Defender vulnerability previously disclosed by Chaotic Eclipse and since patched by Microsoft.

+66 more in the timeline

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence6

Every observed campaign linking this CVE to a named adversary.

Associated malware15

Malware families riding this exploit, with evidence and IOCs.

Detection signatures2

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity89

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2026-33825

NVD

nvd.nist.gov/vuln/detail/CVE-2026-33825

MITRE CWE · CWE-284

cwe.mitre.org

Vendor Advisory

msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33825

Third Party Advisory

huntress.com/blog/nightmare-eclipse-intrusion

US Government Resource

cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-33825