BlueHammer Windows privilege escalation and Microsoft remediation
Updated 13.05.2026 16:46
Case score: 59 (lead score 59, support bonus +0 / 20, scoring support 0, context members 3)
Top contributors
- Vulnerability (base): public exploit release defines the Windows local privilege-escalation risk and the zero-day status.
- Security Patch Release (context): specific Defender Patch Tuesday fix for CVE-2026-33825 and the affected Windows versions.
- Security Patch Release (context): Microsoft April 2026 Patch Tuesday context showing the same CVE was patched in a broader update bundle.
- Security Patch Release (context): broader Microsoft April 2026 patch context for the same Defender CVE and adjacent Windows remediation guidance.
Members 4
Latest activity 13.05.2026 16:46
Status
- Active exploitation
- Public PoC/exploit reported
- KEV: CISA KEV
- Patch/mitigation varies by member
First seen 06.04.2026 22:19
Last seen 16.04.2026 23:19
Overview
Public exploit code for **BlueHammer / CVE-2026-33825** turned a Windows local privilege-escalation flaw into an active zero-day risk. The issue can expose the **SAM** database and let a local attacker reach **SYSTEM** or elevated administrator access, although the available proof-of-concept was not reliable in every environment.
Microsoft has since patched the flaw in the April 2026 updates, including the **Defender Antimalware Platform update 4.18.26050.3011**. CISA also added the CVE to the Known Exploited Vulnerabilities list and set a **May 7** deadline for federal civilian agencies.
Chaotic Eclipse published public exploit code for **BlueHammer**, turning **CVE-2026-33825** into a Windows zero-day with no official patch at the time. The flaw is a local privilege-escalation issue that combines a **TOCTOU** race with path confusion, and successful abuse can expose the **SAM** database and raise a local attacker to **SYSTEM** or elevated administrator privileges. Available testing indicated the exploit can work, but the proof-of-concept was buggy and not reliable in every environment.
Microsoft later addressed **CVE-2026-33825** in its April 2026 security updates, including the **Microsoft Defender Antimalware Platform update version 4.18.26050.3011** for supported Windows systems. A broader Patch Tuesday release also bundled the Defender fix with fixes for Windows, SharePoint, and Office issues, showing the response widened from a single exploit release to urgent fleet patching. CISA then added **CVE-2026-33825** to its Known Exploited Vulnerabilities list and set a May 7 deadline for federal civilian agencies. Available evidence still does not quantify reach or confirm consistent exploitation success across all systems.
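Because the remediation the case tracks is a specific Defender Antimalware Platform build, the practical check for a fleet is whether each host's installed platform version is at or above 4.18.26050.3011. The script below is an added example, not code from the tracker or from Microsoft; it uses the standard Get-MpComputerStatus cmdlet and its AMProductVersion property, takes the threshold version from the summary above, and uses a constructed placeholder host list.

```powershell
# Added example (not from the case page or Microsoft): report which hosts run a
# Defender Antimalware Platform older than the build named as the fix for
# CVE-2026-33825. Threshold from the advisory summary; host names are placeholders.

$PatchedPlatform = [version]'4.18.26050.3011'   # build listed as the Defender fix

function Test-DefenderPlatformPatched {
    param(
        [Parameter(Mandatory)][string]$ComputerName
    )
    try {
        # Get-MpComputerStatus reports the platform (AMProductVersion) and engine version.
        $status = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
            Get-MpComputerStatus |
                Select-Object AMProductVersion, AMEngineVersion, AntivirusSignatureLastUpdated
        } -ErrorAction Stop

        $installed = [version]$status.AMProductVersion
        [pscustomobject]@{
            ComputerName    = $ComputerName
            PlatformVersion = $installed
            EngineVersion   = $status.AMEngineVersion
            Patched         = ($installed -ge $PatchedPlatform)
            Error           = $null
        }
    }
    catch {
        # Unreachable or unmanaged hosts are reported as not patched so they are not silently skipped.
        [pscustomobject]@{
            ComputerName    = $ComputerName
            PlatformVersion = $null
            EngineVersion   = $null
            Patched         = $false
            Error           = $_.Exception.Message
        }
    }
}

# Constructed placeholder inventory; replace with your own host source (AD, CMDB, etc.).
$hosts = @('WS-001', 'WS-002', 'SRV-FILE01')

$results = $hosts | ForEach-Object { Test-DefenderPlatformPatched -ComputerName $_ }
$results | Format-Table -AutoSize
$results | Where-Object { -not $_.Patched } |
    Export-Csv -Path .\defender-unpatched.csv -NoTypeInformation
```

A host at or above the listed build is treated as patched for the Defender CVE only; the Windows, SharePoint, and Office fixes bundled in the same Patch Tuesday release need their own update-compliance check.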