The U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a flaw in Microsoft Defender to its Known Exploited Vulnerabilities catalog
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a flaw in Microsoft Defender, tracked as CVE-2026-33825 (CVSS score of 7.8), to its Known Exploited Vulnerabilities (KEV) catalog.
CVE-2026-33825 is a Microsoft Defender flaw that can be exploited to achieve privilege escalation. Microsoft fixed it with the release of Patch Tuesday security updates for April 2026.
Last week, Huntress researchers reported that attackers are exploiting three recently disclosed zero-day flaws in Microsoft Defender to gain higher privileges on compromised systems, including CVE-2026-33825 (aka BlueHammer). The vulnerabilities, called BlueHammer, RedSun, and UnDefend, were revealed by a researcher known as Chaotic Eclipse after criticizing Microsoft’s handling of the disclosure.
Chaotic Eclipse also published proof-of-concept code for the unpatched Windows bug.
BlueHammer and RedSun let attackers escalate privileges locally in Microsoft Defender. UnDefend instead triggers a denial-of-service, blocking security definition updates and weakening protection.
At this time, Microsoft has only fixed the flawok CVE-2026-33825, but the others remain unpatched.
Huntress researchers reported attackers are exploiting the three Windows flaws to target systems, though the victims and attackers remain unknown.
Huntress said it saw real-world exploitation of all three flaws. Attackers used BlueHammer starting April 10, 2026, then followed with RedSun and UnDefend proof-of-concept exploits on April 16.
Researchers believe attackers are using public exploit code released online by Chaotic Eclipse. Huntress said attackers started exploiting BlueHammer on April 10, 2026, then followed with RedSun and UnDefend proof-of-concept exploits on April 16.
The Huntress SOC is observing the use of Nightmare-Eclipse's BlueHammer, RedSun, and UnDefend exploitation techniques.
Investigation by: @wbmmfq, @Curity4201, + @_JohnHammond
pic.twitter.com/ZFRI2XAYIA
— Huntress (@HuntressLabs) April 16, 2026
When exploit code becomes publicly available, threat actors can quickly weaponize it in attacks in the wild.
According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.
Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.
CISA orders federal agencies to fix the vulnerability by May 6, 2026.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, US CISA Known Exploited Vulnerabilities catalog)
