Active Exploitation of Nginx UI Vulnerability CVE-2026-33032 (CVSS 9.8) and Windows Zero-Days, Including CVE-2026-33825

Introduction

Cybersecurity teams face an immediate and critical threat as active exploitation campaigns target both the Nginx UI unauthenticated bypass vulnerability, officially designated CVE-2026-33032 (CVSS 9.8), and a series of recently disclosed Windows zero-days. These vulnerabilities represent significant attack vectors that could lead to complete system compromise or elevated privileges within affected environments.

The Nginx UI flaw allows for remote Nginx server takeover due to missing authentication controls, making systems with default configurations vulnerable to external access. Concurrently, three Windows zero-day vulnerabilities, CVE-2026-33825 (BlueHammer), RedSun, and UnDefend, are also under active exploitation, enabling threat actors to gain SYSTEM privileges or disrupt critical security functions.

This activity shows that organizations need to prioritize immediate patching and to strengthen their breach-detection and threat-intelligence capabilities to counter these ongoing campaigns. Understanding the technical specifics and recommended mitigations for both sets of vulnerabilities is crucial for defending against potential incursions.

What is CVE-2026-33032 and why is it critical?

CVE-2026-33032 identifies a critical missing authentication vulnerability in the open-source web interface Nginx UI. This flaw allows an unauthenticated attacker to access the Model Context Protocol (MCP) endpoint, which can perform privileged operations on managed Nginx web servers. The Common Vulnerability Scoring System (CVSS) rates this vulnerability at 9.8, indicating its severe impact and ease of exploitation.

The vulnerability was initially reported by Pluto Security researcher Yotam Perkal in early March and publicly disclosed on March 30. The core issue lies in the default Nginx UI configuration, where the IP allowlist permits any remote IP to access MCP functionality without authentication. Successful exploitation of this flaw grants attackers full control over the managed Nginx service.

What products are affected by CVE-2026-33032?

The Nginx UI vulnerability CVE-2026-33032 impacts specific versions of the popular open-source web interface. Organizations using this interface should verify their current version to determine their exposure.

Affected versions include:

  • All Nginx UI versions prior to 2.3.3.

The issue is addressed in subsequent releases. However, a discrepancy exists in official reporting:

  • The flaw is fixed in versions 2.3.4 and later.
  • The official CVE record states that versions 2.3.5 and below are affected.

Due to this inconsistency, security researchers at Rapid7 recommend updating to the latest available version to ensure full remediation.

What are the Windows Zero-Days being actively exploited?

Three distinct Windows security vulnerabilities, dubbed BlueHammer, RedSun, and UnDefend, are currently subject to active exploitation. These flaws are local privilege escalation (LPE) vulnerabilities or issues that impact Microsoft Defender functionality. The exploits for these issues were publicly released by a security researcher known as "Chaotic Eclipse" or "Nightmare-Eclipse," reportedly in protest of Microsoft's Security Response Center (MSRC) disclosure process.

CVE-2026-33825 (BlueHammer)

CVE-2026-33825, known as BlueHammer, is a Microsoft Defender local privilege escalation (LPE) flaw. This vulnerability allows an attacker to gain SYSTEM privileges on a compromised Windows system. Microsoft has addressed this vulnerability as part of its April 2026 security updates. However, active exploitation was observed prior to and during the patch release cycle.

RedSun

The RedSun exploit targets another Microsoft Defender LPE flaw, enabling attackers to achieve SYSTEM privileges on various Windows operating systems. This vulnerability affects Windows 10, Windows 11, and Windows Server 2019 and later systems, even after the application of the April Patch Tuesday updates. The exploit operates by manipulating Microsoft Defender's behavior when encountering malicious files with a "cloud tag." Defender, under specific circumstances, attempts to rewrite such files to their original location, a process abused by RedSun to overwrite critical system files and escalate privileges. This vulnerability remains unaddressed by an official patch.

UnDefend

UnDefend is a Windows vulnerability that allows a standard user to block Microsoft Defender definition updates. This flaw, while not directly providing privilege escalation, impairs the system's ability to receive critical security updates, leaving it vulnerable to new threats. Similar to RedSun, UnDefend currently lacks an official patch from Microsoft.

Exploitation and Impact

Active exploitation of both the Nginx UI CVE-2026-33032 and the Windows zero-days commenced swiftly after their respective disclosures or the public release of proof-of-concept (PoC) code. This rapid weaponization underscores the criticality of these flaws and the immediate risk they pose.

For CVE-2026-33032, active targeting began as early as April 13, approximately two weeks after the vulnerability's disclosure on March 30. The ability to achieve complete remote Nginx takeover from an unauthenticated posture means that exposed Nginx UI instances can be fully compromised, potentially leading to web defacement, data exfiltration, or the establishment of persistent access within the target network. Organizations utilizing Nginx UI in their infrastructure should consider this a significant supply-chain risk, as a compromised web interface can serve as an entry point for broader attacks.

Regarding the Windows zero-days, Huntress Labs security researchers reported observing all three exploits - BlueHammer, RedSun, and UnDefend - deployed in the wild on April 17. The BlueHammer vulnerability (CVE-2026-33825) was exploited as early as April 10. Threat actor activity was noted on a Windows device that had been compromised via a breached SSLVPN user, indicating a "hands-on-keyboard" approach. The combination of initial access via a compromised VPN and subsequent LPE through these zero-days allows attackers to gain SYSTEM or elevated administrator permissions, providing extensive control over the affected system. This level of access can facilitate further lateral movement, data theft, deployment of malware (including ransomware), or the establishment of long-term persistence. Information related to such exploitation campaigns and PoC availability can often be found through underground forums and dark web monitoring services, offering early indicators of compromise.

Mitigation and Patches

Addressing the actively exploited vulnerabilities in Nginx UI and Windows systems requires prompt and precise action. Organizations should prioritize these mitigations to reduce their exposure to ongoing threats.

Mitigation for Nginx UI CVE-2026-33032

The primary mitigation for Nginx UI CVE-2026-33032 is updating the software.

  • Patching: Update Nginx UI to the latest available version. While the vulnerability is fixed in versions 2.3.4 and later, Rapid7 specifically recommends updating to version 2.3.6 or newer due to a discrepancy in official version reporting. This ensures all known fixes are applied.
  • Access Control: Review and restrict access to the Nginx UI MCP Endpoint. Implement stringent IP allowlists to ensure only trusted, internal IPs can access this functionality, moving away from the default configuration that permits any remote IP.

Mitigation for Windows Zero-Days (CVE-2026-33825, RedSun, UnDefend)

Mitigation strategies for the Windows zero-days vary depending on the vulnerability's patch status.

  • CVE-2026-33825 (BlueHammer):
      • Patching: Apply the April 2026 security updates from Microsoft. This update addresses CVE-2026-33825. Ensure all relevant Windows systems, including Windows 10, Windows 11, and Windows Server, are fully patched.
  • RedSun and UnDefend:
      • No Official Patch: As of the latest information, official patches for RedSun and UnDefend are not yet available from Microsoft.
      • Defense-in-Depth: Implement full defense-in-depth strategies. This includes endpoint detection and response (EDR) solutions capable of detecting LPE attempts, application whitelisting to prevent unauthorized executable code, and strict privilege management.
      • Monitoring: Continuously monitor system logs and network traffic for indicators of compromise related to LPE attempts or tampering with Microsoft Defender processes. Anomalous behavior, especially related to system file modifications or Defender update failures, should be investigated immediately.
      • User Training: Reinforce security awareness training, particularly concerning phishing and social engineering tactics that might lead to initial system compromise, such as the observed SSLVPN breach leading to these zero-day exploits.
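The Monitoring item above calls for watching Defender update failures and tampering, which is the observable effect of UnDefend. The following PowerShell check is an added example, not code from the article, Huntress, or Microsoft: it reads signature age from Get-MpComputerStatus and pulls the documented Defender operational-log event IDs for failed updates and protection changes. The lookback window and the signature-age threshold are assumptions to tune per environment.

```powershell
# Added example: surface signs that Defender security-intelligence updates are
# failing or that Defender has been tampered with. Event IDs are the documented
# Microsoft Defender Antivirus operational-log IDs; the thresholds are assumptions.
function Get-DefenderUpdateHealth {
    [CmdletBinding()]
    param(
        [int]$LookbackHours = 72,        # assumption: how far back to read events
        [int]$MaxSignatureAgeDays = 3    # assumption: normal cadence is daily
    )

    $status   = Get-MpComputerStatus
    $findings = @()

    # Signatures far older than the daily cadence are the primary "updates blocked" signal.
    if ($status.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
        $findings += [pscustomobject]@{
            Signal = 'StaleSignatures'
            Detail = "Signatures are $($status.AntivirusSignatureAge) days old " +
                     "(last updated $($status.AntivirusSignatureLastUpdated))"
        }
    }

    # 2001: security-intelligence update failed   2003: engine update failed
    # 5001: real-time protection disabled         5007: Defender configuration changed
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 2001, 2003, 5001, 5007
        StartTime = (Get-Date).AddHours(-$LookbackHours)
    }
    # Get-WinEvent reports "no events found" as an error; treat that as a clean result.
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        $signal = switch ($e.Id) {
            2001 { 'SignatureUpdateFailed' }
            2003 { 'EngineUpdateFailed' }
            5001 { 'RealTimeProtectionDisabled' }
            5007 { 'ConfigurationChanged' }
        }
        $findings += [pscustomobject]@{
            Signal = $signal
            Detail = "$($e.TimeCreated): $(($e.Message -split "`n")[0])"
        }
    }

    return $findings
}

# An empty table means none of the indicators fired in the lookback window.
Get-DefenderUpdateHealth | Format-Table -AutoSize
```

Run it with an account that can read the Defender operational log; repeated 2001 events alongside a growing signature age, while other hosts update normally, is the pattern worth escalating.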

Technical Takeaways

  • CVE-2026-33032 in Nginx UI is an unauthenticated MCP Endpoint bypass (CVSS 9.8) allowing full remote Nginx service takeover.
  • Nginx UI versions prior to 2.3.3 are affected by CVE-2026-33032, with remediation in 2.3.4+ and recommended update to 2.3.6.
  • Three Windows zero-days, including CVE-2026-33825 (BlueHammer), RedSun, and UnDefend, are under active exploitation for privilege escalation or Defender disruption.
  • CVE-2026-33825 is patched in the April 2026 security updates, while RedSun and UnDefend remain unaddressed by official patches.
  • The RedSun exploit abuses Microsoft Defender's "cloud tag" file handling to overwrite system files and achieve SYSTEM privileges on Windows 10, Windows 11, and Windows Server 2019+.