Leaked Windows Defender Zero-Day Under Active Exploitation: CVE-2026-33825
Introduction
Active exploitation of CVE-2026-33825, a Windows Defender privilege escalation vulnerability, is underway. This zero-day, along with related exploitation tools, was publicly released by a security researcher in early April 2026. Attacks targeting enterprise environments have since been observed. The disclosed techniques bypass standard protections and enable SYSTEM-level access on current Windows operating systems.
The exploitation campaign involves three distinct tools: BlueHammer, RedSun, and UnDefend. While CVE-2026-33825 directly correlates to the BlueHammer exploit, the subsequent release of RedSun and UnDefend expanded the attack surface. This progression shows a shift from a single vulnerability to a complete toolkit for adversaries.
These exploits do not rely on kernel-level vulnerabilities or memory corruption, making them difficult to detect through traditional means. PurpleOps monitors these emerging threats with its advanced cyber threat intelligence platform, providing insights into active exploitation patterns and adversary tradecraft.
Leaked Windows Defender Zero-Day Under Active Exploitation: Vulnerability Details
CVE-2026-33825 is a critical privilege escalation flaw within Windows Defender. It stems from a time-of-check to time-of-use (TOCTOU) race condition combined with path confusion, and it resides specifically within Defender's signature update mechanism. The severity of this issue is rated as high.
The core mechanism of CVE-2026-33825 allows a low-privileged user to escalate privileges to SYSTEM level. This bypasses security on fully patched Windows 10 and Windows 11 systems. The attack chain specifically abuses several legitimate Windows features:
- Defender's file remediation process
- NTFS junctions
- The Windows Cloud Files API
- Opportunistic locks (oplocks)
The initial exploit, known as BlueHammer, demonstrates a reliable and stealthy method for privilege escalation. This technique does not require the complex kernel-level exploitation seen in other privilege escalation scenarios, such as those detailed in CVE-2026-22998 for Windows Kernel privilege escalation.
Following the public release of BlueHammer, two additional tools, RedSun and UnDefend, were introduced. These tools expanded the scope of the original exploit. RedSun enables similar privilege escalation across:
- Windows 10
- Windows 11
- Windows Server 2019
RedSun maintains effectiveness even after April Patch Tuesday updates. UnDefend specifically targets Defender's update mechanism to degrade its protection capabilities over time. This indicates a varied approach to security bypass.
Exploitation and Impact
All three techniques are actively exploited in the wild. This includes attacks against enterprise targets. Attackers have been observed staging payloads in low-privilege directories. Examples include user Pictures folders and nested Downloads subdirectories. They often use filenames identical to those found in public Proof-of-Concept (PoC) repositories, including FunnyApp.exe, RedSun.exe, and sometimes renamed variants like z.exe.
Detection events have shown that BlueHammer executions were identified and quarantined by Defender as Exploit:Win32/DfndrPEBluHmrBZ. In contrast, RedSun intentionally drops an EICAR test file. This action is designed to manipulate Defender's detection and remediation cycle, making the activity harder to track. The presence of Undef.exe with the "-agressive" argument, spawned via cmd.exe under Explorer.exe, points to coordinated multi-stage execution and a structured, deliberate attack.
Attack chains also show clear signs of hands-on-keyboard activity. Adversaries execute reconnaissance commands, such as:
- whoami /priv
- cmdkey /list
- net group
These commands enumerate privileges, stored credentials, and Active Directory group memberships. This behavior indicates targeted intrusions by skilled operators, not automated attacks. Such activity often precedes broader network compromise and data exfiltration. PurpleOps tracks these threat actor activities and their toolsets with underground forum intelligence and dark web monitoring services.
Although Microsoft released patches for CVE-2026-33825 in the April 2026 updates, RedSun and UnDefend are currently unpatched. This leaves systems vulnerable to ongoing exploitation. The exploits impact systems in these ways:
- Gain Access: Initial foothold in the target environment.
- Privilege Escalation: Attaining SYSTEM-level access from a low-privileged user.
In several incidents, threat actors used compromised Bomgar remote monitoring and management (RMM) instances, and the Huntress Security Operations Center (SOC) observed an uptick in exploitation as a result. This follows the disclosure of CVE-2026-1731, a critical flaw in Bomgar (now BeyondTrust Remote Support). Malicious processes originating from bomgar-scc.exe were identified, indicating the use of outdated Bomgar versions.
A significant aspect of these RMM compromises is the targeting of downstream customers. On April 15, an MSP's Bomgar account with elevated privileges was used to deploy remote access tools onto a domain controller. This allowed attackers to establish persistence across client environments managed by the MSP. This scenario demonstrates the importance of supply-chain risk monitoring as a key defense strategy.
Threat actors used their access via Bomgar to:
- Conduct domain reconnaissance
- Perform network enumeration via NetScan
- Add Administrator users for persistence
- Execute additional RMMs like AnyDesk and Atera
Multiple incidents resulted in LockBit ransomware deployment. Analysts observed consistent tactics, including adding credentials (Adminpwd123.1) and users to Local Administrators and Domain Administrative Groups. They also used ScreenConnect as an additional persistence mechanism. The execution of LB3.exe from user desktops, targeting local drives and Microsoft SQL Server installation paths, was noted. These incidents highlight the need for real-time ransomware intelligence to identify and counter such threats effectively. The use of a LockBit 3.0 builder, previously leaked in 2022, was suspected based on unique ransom note styles and shared email addresses (lokbt9@onionmail[.]org). This activity aligns with other observed Defender zero-days under active exploitation that PurpleOps tracks.
More tactics included killing security tooling. In an April 12 incident, threat actors deployed suspicious drivers like C:\Windows\System32\drivers\hrwfpdrv.sys and C:\temp\PoisonX.sys. PoisonX.sys is linked to PoisonKiller, a Bring Your Own Vulnerable Driver (BYOVD) tool designed to terminate EDR agents. HRSword.exe, a legitimate software, was also abused to bypass security defenses. These methods hinder breach detection.
Another observed tactic involved setting default account credentials, such as WDAGUtilityAccount with password 123123qwEqwE, and then using it to execute remote desktop applications and network enumeration tools. These insights into attack methods help understand current threats and develop defenses against CVE-2026-33825 exploitation.
Mitigation and Patches
Addressing the vulnerabilities and active exploitation requires immediate action and sustained security practices. Organizations must prioritize the application of available patches and implement rigorous monitoring.
- Immediately apply all April 2026 Windows security updates to patch CVE-2026-33825 (BlueHammer) across all endpoints. Ensure that Bomgar (BeyondTrust Remote Support) instances are updated to version 25.3.2 or later, and Privileged Remote Access to version 25.1 or later to remediate CVE-2026-1731.
- Monitor and restrict the execution of unsigned or unknown executables from user-writable directories such as Downloads and Pictures.
- Implement application control policies, such as allowlisting, to block unauthorized binaries like FunnyApp.exe, RedSun.exe, z.exe, and Undef.exe.
- Enable and tune endpoint detection and response (EDR) rules to alert on suspicious child processes spawned via cmd.exe or Explorer.exe, especially those initiating from unusual paths.
- Detect and investigate abnormal use of EICAR test files, particularly when triggered by non-administrative users or unusual processes.
- Monitor command-line activity for reconnaissance commands such as whoami /priv, cmdkey /list, and net group. Correlate these with suspicious process execution to identify hands-on-keyboard activity.
- Enforce the principle of least privilege across all user accounts and systems to prevent low-privileged users from gaining SYSTEM-level access.
- Harden NTFS permissions and monitor for abuse of junction points, symbolic links, and oplocks. These are associated with TOCTOU exploitation techniques and can be indicators of CVE-2026-33825 attacks.
- Audit all RMM instances to track authorized usage and identify any rogue or unauthorized RMM deployments. Regularly check versions of installed RMM software against vendor security advisories. PurpleOps provides live ransomware API feeds and breach detection tools to help with proactive security.
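As an added illustration of the monitoring items above (not code from the original write-up or from any vendor), the following Python script scores constructed process-creation events against the indicators this page names: the PoC filenames, user-writable staging directories, the Undef.exe "-agressive" argument, the cmd.exe-under-Explorer.exe parent chain, and the reconnaissance commands. The event record shape, field names and sample paths are assumptions to be mapped onto your own EDR or Sysmon telemetry.

```python
import re
from dataclasses import dataclass

# Indicators quoted in the write-up above. All event records below are constructed samples.
POC_BINARIES = {"funnyapp.exe", "redsun.exe", "z.exe", "undef.exe"}
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(downloads|pictures)\\", re.I)
RECON_PATTERNS = [
    (r"\bwhoami(\.exe)?\b.*\s/priv\b", "whoami /priv (privilege enumeration)"),
    (r"\bcmdkey(\.exe)?\b.*\s/list\b", "cmdkey /list (stored credential enumeration)"),
    (r"\bnet(\.exe)?\s+group\b", "net group (AD group enumeration)"),
]

@dataclass
class ProcEvent:            # hypothetical event shape; map it to your EDR/Sysmon fields
    image: str              # full path of the created process
    cmdline: str
    parent: str             # full path of the parent process
    grandparent: str        # full path of the parent's parent ("" if unknown)

def _name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def score_event(ev: ProcEvent) -> list[str]:
    """Return the indicator descriptions that match one process-creation event."""
    hits, name, cmd = [], _name(ev.image), ev.cmdline.lower()
    if name in POC_BINARIES:
        hits.append(f"known PoC filename: {name}")
    if name.endswith(".exe") and USER_WRITABLE.search(ev.image):
        hits.append("executable launched from a user-writable directory")
    # "-agressive" (single g) is the spelling reported for the observed activity.
    if name == "undef.exe" and "-agressive" in cmd:
        hits.append("UnDefend run with -agressive argument")
    if _name(ev.parent) == "cmd.exe" and _name(ev.grandparent) == "explorer.exe":
        hits.append("spawned via cmd.exe under explorer.exe (hands-on-keyboard chain)")
    for pattern, label in RECON_PATTERNS:
        if re.search(pattern, cmd):
            hits.append(f"reconnaissance command: {label}")
    return hits

def triage(events: list[ProcEvent]) -> list[ProcEvent]:
    """Keep events matching at least two indicators, which suppresses single-signal noise."""
    return [ev for ev in events if len(score_event(ev)) >= 2]

CMD, EXPLORER = r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe"
SAMPLE_EVENTS = [  # constructed sample telemetry, not taken from any real incident
    ProcEvent(r"C:\Users\alice\Pictures\FunnyApp.exe", "FunnyApp.exe", CMD, EXPLORER),
    ProcEvent(r"C:\Users\alice\Downloads\tmp\Undef.exe", "Undef.exe -agressive", CMD, EXPLORER),
    ProcEvent(r"C:\Windows\System32\whoami.exe", "whoami /priv", CMD, EXPLORER),
    ProcEvent(r"C:\Program Files\App\updater.exe", "updater.exe --check", r"C:\Windows\System32\services.exe", ""),
]
```

Running triage(SAMPLE_EVENTS) flags the first three constructed events and drops the benign updater; the two-indicator threshold is a starting point, not a tuned rule, and the parent-chain check alone will match plenty of legitimate interactive use.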
Technical Takeaways
- CVE-2026-33825 exploits a TOCTOU race condition and path confusion in Windows Defender, enabling SYSTEM privilege escalation.
- Exploitation tools BlueHammer, RedSun, and UnDefend target Defender's signature update mechanism and protection features.
- Active in-the-wild exploitation includes staging payloads in low-privilege directories and executing reconnaissance commands.
- Compromised RMM instances, notably Bomgar, have facilitated LockBit ransomware deployment and downstream customer targeting.
- Mitigation requires immediate patching of CVE-2026-33825 and CVE-2026-1731, with strict application control and EDR monitoring.