PT-2026-32884 · Microsoft · Defender
CVSS v3.1
7.8
High
| Vector | AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
microsoft defender antimalware platform versions prior to 4.18.26030.3011
Description
Microsoft Defender contains an insufficient granularity of access control flaw, specifically a time-of-check to time-of-use (TOCTOU) race condition within the signature update and remediation workflow. This issue allows an authorized local attacker with low privileges to escalate their permissions to
NT AUTHORITYSYSTEM level. The exploitation process, dubbed BlueHammer, involves chaining the Windows Cloud Files API, Opportunistic Locks (Oplocks), and Volume Shadow Copy (VSS) snapshots. By pausing the Defender process during a signature update or scan, an attacker can access the mounted VSS snapshot to read locked registry hives, such as SAM, SYSTEM, and SECURITY, to extract local administrator hashes.This flaw has been actively exploited in the wild as a zero-day by ransomware groups to disable endpoint protection and deliver payloads. Real-world incidents have linked these attacks to compromised FortiGate SSL VPN connections with IP addresses geolocated in Russia.
Recommendations
Update the Defender platform to version 4.18.26030.3011 or higher.
Use Group Policy to restrict the Volume Shadow Copy Service to specific administrative users only.
Monitor for any process calling
vssvc.exe that is not a known backup tool.
Audit logs for unusual CldFlt (Cloud Files Mini Filter) activity originating from non-system directories.Fix
LPE
DoS
RCE
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Defender