
CISA adds actively exploited Microsoft Defender 'BlueHammer' flaw (CVE-2026-33825) to KEV as two sibling zero-days (RedSun, UnDefend) remain unpatched

CISA added CVE-2026-33825 to its Known Exploited Vulnerabilities catalog on April 23 with a May 7 federal patch deadline. The flaw, nicknamed BlueHammer, is a race condition in Microsoft Defender's file-remediation logic that lets an unprivileged local attacker overwrite arbitrary files on disk and escalate to SYSTEM on otherwise fully patched Windows 10 and Windows 11 hosts. Microsoft fixed it in the April 8 Patch Tuesday release, but a working proof-of-concept had already been published to GitHub on April 7, one day before the fix shipped, by a researcher using the handle 'Chaotic Eclipse'. Huntress Labs observed in-the-wild exploitation from April 10, and attackers also adopted two sibling Defender zero-days released by the same researcher: RedSun, another local privilege escalation, and UnDefend, a denial-of-service that stops Defender from pulling security intelligence (definition) updates and so effectively disarms the endpoint protection. Neither RedSun nor UnDefend has a Microsoft patch. The combination of a working privilege-escalation path and an unpatched technique for silently crippling Defender itself makes this a priority hunt, not just a priority patch.

Check
Verify that every Windows 10 and Windows 11 endpoint in your fleet has the April 2026 Patch Tuesday update installed and then hunt for the BlueHammer/RedSun/UnDefend technique patterns in your EDR telemetry.
Affected
Windows 10 and Windows 11 endpoints that have not installed the April 8, 2026 Patch Tuesday cumulative update. Note that patching closes only BlueHammer (CVE-2026-33825). RedSun and UnDefend remain unpatched at the time of writing, so even fully patched hosts are still exposed to local privilege escalation via RedSun and to Defender disablement via UnDefend.
Fix
Deploy the April 2026 Patch Tuesday update (which addresses CVE-2026-33825) to every Windows endpoint, and verify coverage against MDM or configuration-management inventory rather than trusting WSUS compliance alone, since WSUS reports what it offered, not what each host actually installed. For the two unpatched sibling flaws, tighten EDR rules to alert on: anomalous file writes to Defender-controlled paths, unexpected changes to Defender's security intelligence (definition) update behavior, and any process attempting to stop or starve MsMpEng.exe. Treat any host where Defender has not received a definition update in over 48 hours as suspicious until proven otherwise, regardless of its patch state, because that is exactly the condition UnDefend produces. Review Huntress's public IoCs for the three techniques.
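The following per-host triage script is an added example, not code from the article, Huntress or Microsoft. It implements the Check and Fix guidance above on a single endpoint: whether the April 2026 cumulative update is present, whether Defender has pulled definitions within the 48-hour window, whether the engine (MsMpEng.exe, the WinDefend service) is actually running with real-time protection on, and whether the Defender operational log recorded failed definition updates, real-time protection being switched off, or platform configuration changes in the same window. The article does not state the KB number or build revision of the April update, so both are parameters you supply (assumptions); the event IDs used are the documented Microsoft-Windows-Windows Defender/Operational IDs, not identifiers taken from the advisory.

```powershell
<#
  Added example (not from the original advisory). Per-host triage for the
  BlueHammer / RedSun / UnDefend checks. Run elevated on the endpoint.

  ASSUMPTIONS supplied by the operator, not stated on the page:
    -ExpectedKB   KB ID(s) of the April 2026 cumulative update for this build
    -ExpectedUBR  minimum Update Build Revision of the patched build
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory)] [string[]] $ExpectedKB,
    [Parameter(Mandatory)] [int]      $ExpectedUBR,
    [int] $MaxSignatureAgeHours = 48      # threshold recommended in the article
)

$r = [ordered]@{ ComputerName = $env:COMPUTERNAME; Findings = @() }

# 1. Patch presence. Cross-check Get-HotFix against the build's UBR because
#    Win32_QuickFixEngineering can omit cumulative updates that WSUS or the
#    client reports as installed; the UBR is what actually changed on disk.
$cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$r.OSBuild    = "$($cv.CurrentBuildNumber).$($cv.UBR)"
$installed    = (Get-HotFix -ErrorAction SilentlyContinue).HotFixID
$r.KBListed   = [bool]($ExpectedKB | Where-Object { $installed -contains $_ })
$r.UBRPatched = ([int]$cv.UBR -ge $ExpectedUBR)
if (-not $r.UBRPatched) {
    $r.Findings += "CVE-2026-33825 fix not present (UBR $($cv.UBR) < $ExpectedUBR)"
}

# 2. Definition freshness. UnDefend starves definition updates, so a host that
#    has not pulled signatures within the threshold is suspicious, patched or not.
$mp     = Get-MpComputerStatus
$sigAge = (Get-Date) - $mp.AntivirusSignatureLastUpdated
$r.SignatureLastUpdated = $mp.AntivirusSignatureLastUpdated
$r.SignatureAgeHours    = [math]::Round($sigAge.TotalHours, 1)
if ($sigAge.TotalHours -gt $MaxSignatureAgeHours) {
    $r.Findings += "No definition update for $($r.SignatureAgeHours) h (threshold $MaxSignatureAgeHours h)"
}

# 3. Is the engine alive and protecting? MsMpEng.exe hosts the WinDefend service.
$r.RealTimeProtection = $mp.RealTimeProtectionEnabled
$r.WinDefendStatus    = (Get-Service WinDefend -ErrorAction SilentlyContinue).Status
$r.MsMpEngRunning     = [bool](Get-Process MsMpEng -ErrorAction SilentlyContinue)
if (-not $r.MsMpEngRunning -or $r.WinDefendStatus -ne 'Running') {
    $r.Findings += 'MsMpEng.exe / WinDefend not running'
}
if (-not $r.RealTimeProtection) { $r.Findings += 'Real-time protection disabled' }

# 4. Defender operational log for the same window:
#    2001 = definition update failed, 5001 = real-time protection disabled,
#    5007 = antimalware platform configuration changed.
$since  = (Get-Date).AddHours(-$MaxSignatureAgeHours)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 2001, 5001, 5007
    StartTime = $since
} -ErrorAction SilentlyContinue
$r.DefenderLogHits = @($events | Group-Object Id | ForEach-Object { "$($_.Name)x$($_.Count)" })
if ($events) { $r.Findings += "Defender log since $since : $($r.DefenderLogHits -join ', ')" }

$r.Verdict = if ($r.Findings.Count -eq 0) { 'OK' } else { 'INVESTIGATE' }
[pscustomobject]$r
```

Run it from your management tooling (Invoke-Command over WinRM, Intune script, or your RMM) and collect the objects centrally; a host reporting KBListed true but UBRPatched false is the WSUS-says-yes-but-disk-says-no case the Fix section warns about, and any host with Findings should be pulled into the hunt even when UBRPatched is true, since RedSun and UnDefend are unaffected by the April update.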