Redmond, April 14, 2026, 15:03 PDT
Microsoft on Tuesday patched CVE-2026-33825, a publicly disclosed Microsoft Defender privilege-escalation flaw that several security firms tied to BlueHammer, the proof-of-concept exploit released online earlier this month. The fix arrived in Microsoft’s April Patch Tuesday release alongside a separate SharePoint flaw, CVE-2026-32201, that the company said was already being exploited.
The move matters because BlueHammer was a local privilege escalation bug — it let an intruder who already had some access on a machine raise privileges to SYSTEM, the most privileged local account on Windows. Once code was posted publicly before a patch existed, the issue stopped being a research dispute and became a practical risk for breached endpoints.
Microsoft said customers whose Defender deployments receive automatic updates are already protected and mainly need to verify the update arrived. Its public Defender pages also showed fresh platform releases, with the security intelligence site listing a release on April 14 and the Update Catalog showing KB4052623 dated April 13.
Microsoft credited Zen Dodd and Yuanpei Xu with discovering the flaw. Tyler Reguly, associate director of security R&D at Fortra, said the patched bug appears to match the BlueHammer proof-of-concept that a researcher using the alias Chaotic Eclipse published days earlier.
That code appeared on GitHub on April 3 after Chaotic Eclipse accused Microsoft’s Security Response Center of mishandling the disclosure. Microsoft later said it investigates reported security issues and supports coordinated vulnerability disclosure, but it did not publicly spell out what broke down.
Researchers described the flaw as a TOCTOU, or time-of-check/time-of-use, and path-confusion problem in Defender’s update workflow. In plain terms, the software checks a condition and then acts on it after that condition has changed; analysts said that chain could expose the Security Account Manager, or SAM, database that stores local password hashes.
Cyderes said the exploit abused ordinary Windows features including Volume Shadow Copy, Cloud Files callbacks and opportunistic locks, rather than a classic memory-corruption bug. Will Dormann, principal vulnerability analyst at Tharros, said a successful attacker could reach the point where they “basically own the system.”
Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, wrote that the bug “does look like it’s a real problem” despite reliability questions and urged Defender users to deploy the fix quickly. Jack Bicer, director of vulnerability research at Action1, said the flaw “significantly increases risk” once attackers already have a foothold, and Microsoft marked it as more likely to be exploited.
BlueHammer was fixed as part of a much broader Microsoft security release covering more than 160 vulnerabilities, with elevation-of-privilege bugs making up more than half of them. That matters because those flaws are often used to turn a small compromise into wider control, and this month’s SharePoint zero-day showed attackers were already moving on other Microsoft weaknesses.
But patching may not end the exposure overnight. Researchers said the original public code was buggy but workable, and Cyderes warned that detecting the first sample is not the same as fixing the underlying technique, leaving room for rewrites, slower enterprise rollout or chained attacks on machines that lag updates.
Cyderes said skilled threat actors can resolve bugs in public proof-of-concept code within days, while Microsoft’s public Defender pages show updated platform releases are now rolling out. That leaves a narrow window for companies that still test or stage endpoint updates before broad deployment.
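Microsoft's advice that customers mainly need to verify the update arrived, and the staging window described above, both come down to one check per endpoint. The PowerShell below is an added example, not code from the article or from Microsoft; it reads the built-in Get-MpComputerStatus output, and the minimum platform version it compares against is a placeholder that must be replaced with the fixed version from Microsoft's advisory.

```powershell
# Added example: confirm a Windows endpoint has picked up the Defender platform release.
# The minimum platform version is a PLACEHOLDER (not from the article); take the real
# value from Microsoft's advisory for CVE-2026-33825 before relying on this check.
function Test-DefenderPlatformUpdated {
    [CmdletBinding()]
    param(
        # Placeholder: first platform version containing the fix (assumed)
        [version]$MinimumPlatformVersion = [version]'4.18.99999.0',
        # The security intelligence site listed a release on April 14, 2026
        [datetime]$ExpectedReleaseDate = [datetime]'2026-04-14'
    )
    try {
        $status = Get-MpComputerStatus -ErrorAction Stop
    } catch {
        # Defender service missing/disabled: treat as unknown, not as patched
        return [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME; Reachable = $false
            PlatformCurrent = $false; SignaturesCurrent = $false
            Note = "Get-MpComputerStatus failed: $($_.Exception.Message)"
        }
    }
    $platform        = [version]$status.AMProductVersion          # e.g. 4.18.x.y
    $platformCurrent = $platform -ge $MinimumPlatformVersion
    $sigsCurrent     = $status.AntivirusSignatureLastUpdated -ge $ExpectedReleaseDate
    $note = if (-not $platformCurrent) {
                'Platform below fixed version: check Windows Update, WSUS or the Intune update ring'
            } elseif ($status.AMRunningMode -ne 'Normal') {
                "Defender is in '$($status.AMRunningMode)'; another AV product may own this endpoint"
            } else { 'Up to date' }
    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        Reachable            = $true
        PlatformVersion      = $platform.ToString()
        EngineVersion        = $status.AMEngineVersion
        SignatureVersion     = $status.AntivirusSignatureVersion
        SignatureLastUpdated = $status.AntivirusSignatureLastUpdated
        RunningMode          = $status.AMRunningMode
        PlatformCurrent      = $platformCurrent
        SignaturesCurrent    = $sigsCurrent
        Note                 = $note
    }
}

# Single endpoint:
Test-DefenderPlatformUpdated | Format-List
# Fleet check from a management host (assumes WinRM is enabled and endpoints.txt
# lists the targets); prints only machines still on an older platform:
# Invoke-Command -ComputerName (Get-Content .\endpoints.txt) -ScriptBlock ${function:Test-DefenderPlatformUpdated} |
#     Where-Object { -not $_.PlatformCurrent } | Format-Table ComputerName, PlatformVersion, Note
```

Machines that report Reachable = $false or a non-Normal running mode deserve a manual look, since a stale or passive Defender is exactly the lagging endpoint the researchers above warn about.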