CVE-2026-33825: CVE-2026-33825: Local Privilege Escalation via TOCTOU in Microsoft Defender Signature Updates (BlueHammer)

CVE-2026-33825: Local Privilege Escalation via TOCTOU in Microsoft Defender Signature Updates (BlueHammer)

Vulnerability ID: CVE-2026-33825
CVSS Score: 7.8
Published: 2026-04-14

CVE-2026-33825, publicly referred to as BlueHammer, is a high-severity local privilege escalation vulnerability within the Microsoft Defender Antimalware Platform. The flaw stems from insufficient access control granularity and a Time-of-Check to Time-of-Use (TOCTOU) race condition during signature updates, enabling a standard user to obtain NT AUTHORITY\SYSTEM privileges.

TL;DR

A TOCTOU race condition in Microsoft Defender's signature update process allows local attackers to exploit filesystem junctions and RPC calls to elevate privileges to SYSTEM. The exploit, known as BlueHammer, facilitates arbitrary file operations and credential dumping.

---

⚠️ Exploit Status: WEAPONIZED

Technical Details

• CWE ID: CWE-1220 (Insufficient Granularity of Access Control)
• Attack Vector: Local (AV:L)
• CVSS v3.1: 7.8 (High)
• Impact: Local Privilege Escalation to SYSTEM
• Exploit Status: Weaponized PoC Available
• Affected Component: Microsoft Defender (MpSigStub.exe)

Affected Systems

• Microsoft Defender Antimalware Platform
• Microsoft Defender Antimalware Platform: 4.0.0.0 - < 4.18.26030.3011 (Fixed in: 4.18.26030.3011)

Exploit Details

• GitHub: Original BlueHammer PoC by Nightmare-Eclipse
• GitHub: Alternative PoC documentation and refined code by atroubledsnake

Mitigation Strategies

• Update Microsoft Defender Antimalware Platform to version 4.18.26030.3011 or later.
• Restrict user permissions for creating Object Manager symbolic links via Security Policy.
• Monitor and routinely clear unauthorized filesystem junctions in user temporary directories.

Remediation Steps:

1. Verify the current Microsoft Defender Engine version using PowerShell.
2. Deploy the April 2026 Update (Patch Tuesday) via Windows Update or WSUS.
3. Validate the installation by checking the Engine Version property.

References

• https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33825
• https://www.bleepingcomputer.com/news/microsoft/microsoft-april-2026-patch-tuesday-fixes-167-flaws-2-zero-days/
• https://www.automox.com/blog/bluehammer-what-you-need-to-know-and-how-to-respond
• https://github.com/Nightmare-Eclipse/BlueHammer

---

Read the full report for CVE-2026-33825 on our website for more details including interactive diagrams and full exploit analysis.