{"id":235695,"date":"2026-04-23T04:00:00","date_gmt":"2026-04-23T08:00:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/04\/23\/recent-microsoft-defender-vulnerability-exploited-as-zero-day\/"},"modified":"2026-04-25T23:20:16","modified_gmt":"2026-04-26T03:20:16","slug":"recent-microsoft-defender-vulnerability-exploited-as-zero-day","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/04\/23\/recent-microsoft-defender-vulnerability-exploited-as-zero-day\/","title":{"rendered":"Recent Microsoft Defender Vulnerability Exploited as Zero-Day"},"content":{"rendered":"<p><a href=\"https:\/\/www.securityweek.com\/recent-microsoft-defender-vulnerability-exploited-as-zero-day\/\">Recent Microsoft Defender Vulnerability Exploited as Zero-Day<\/a><\/p>\n<p><a href=\"https:\/\/www.securityweek.com\/recent-microsoft-defender-vulnerability-exploited-as-zero-day\/\">https:\/\/www.securityweek.com\/recent-microsoft-defender-vulnerability-exploited-as-zero-day\/<\/a><\/p>\n<p>Publish Date: 2026-04-23 04:00:00<\/p>\n<p>Source Domain: <a href=\"https:\/\/www.securityweek.com\/\">www.securityweek.com<\/a><\/p>\n<p><strong>A recently disclosed privilege escalation vulnerability in Microsoft Defender has been exploited in the wild as a zero-day using a publicly available proof-of-concept (PoC) exploit, Huntress warns.<\/strong><\/p>\n<p>Patched on April 14, the issue is tracked as CVE-2026-33825 (CVSS score of 7.8). Microsoft describes it as an elevation of privilege bug rooted in insufficient granularity of access control.<\/p>\n<p>The CVE was publicly disclosed on April 2 by a disgruntled researcher known as Chaotic Eclipse and Nightmare-Eclipse, who warned it was a race condition leading to full System privileges.<\/p>\n<p>The researcher named the flaw BlueHammer and published PoC exploit code to their GitHub repository. 
Interest in the exploit surged quickly, fueled by a fork that fixed some bugs in the researcher\u2019s implementation and included documentation and instructions.<\/p>\n<p>BlueHammer is a time-of-check to time-of-use (TOCTOU) race condition in Defender\u2019s signature update mechanism that allows an attacker with low privileges to gain System permissions.<\/p>\n<p>The first attacks leveraging the public PoC were seen on April 10, with additional activity observed on April 16, according to cybersecurity firm Huntress.<\/p>\n<p>\u201cHuntress identified suspicious FortiGate SSL VPN access tied to the compromised environment, including a source IP geolocated to Russia, with additional suspicious infrastructure observed in other regions,\u201d the company says.<\/p>\n<p>The attacks leveraged all three techniques that Chaotic Eclipse published, namely BlueHammer, RedSun, and UnDefend.<\/p>\n<p>BlueHammer relies on opportunistic locks (oplocks) to suspend Defender\u2019s operation and on triggering a signature update to trick Defender into copying the Security Account Manager (SAM) database to its output directory.<\/p>\n<p>BlueHammer then parses the SAM hive, decrypts users\u2019 NT hashes, temporarily changes all user passwords to a new one, and uses the new password to generate admin sessions that can be used to gain System&#8230;<\/p>\n<p><a href=\"https:\/\/www.securityweek.com\/recent-microsoft-defender-vulnerability-exploited-as-zero-day\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Recent Microsoft Defender Vulnerability Exploited as Zero-Day https:\/\/www.securityweek.com\/recent-microsoft-defender-vulnerability-exploited-as-zero-day\/ Publish Date: 2026-04-23 04:00:00 Source Domain: 
www.securityweek.com&#8230;<\/p>\n","protected":false},"author":1,"featured_media":235696,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/www.securityweek.com\/wp-content\/uploads\/2024\/10\/Windows-Kernel-BSOD.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[24,31,27],"class_list":["post-235695","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-cybersecurity","tag-exploit","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/235695"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=235695"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/235695\/revisions"}],"predecessor-version":[{"id":235697,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/235695\/revisions\/235697"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/235696"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=235695"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=235695"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=235695"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}