PT-2026-32884 · Microsoft · Defender

Diffract

Published 2026-04-02 · Updated 2026-05-06 · CVE-2026-33825

CVSS v3.1: 7.8 (High)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Microsoft Defender versions prior to 4.18.26030.3011

Description: Insufficient granularity of access control in Microsoft Defender allows an authorized local attacker to elevate privileges to SYSTEM level. The issue, dubbed BlueHammer, involves a time-of-check to time-of-use (TOCTOU) race condition within the signature update and file remediation mechanisms. Attackers can exploit this by chaining the Windows Cloud Files API, NTFS junction points, and opportunistic locks (oplocks) to manipulate Volume Shadow Copy (VSS) snapshots. This process allows the attacker to bypass security checks and access protected registry hives, such as the SAM, SYSTEM, and SECURITY hives, to dump credentials and gain full administrative control. The flaw has been actively exploited in the wild, with some incidents linked to compromised FortiGate SSL VPN connections and the deployment of the BeigeBurrow proxy agent.

Recommendations: Update Microsoft Defender to version 4.18.26030.3011 or higher.
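A quick way to verify the recommendation on a host, as an added example that is not part of the PT advisory or Microsoft's own tooling: the script below reads the installed Defender antimalware platform version with the built-in Get-MpComputerStatus cmdlet and compares it against the fixed build stated above. It assumes the Defender PowerShell module is available (Windows 10/11 and Server 2016 or later) and that the version being checked is the platform (4.18.x) build, which is the format the advisory uses; the function and variable names are this example's own.

```powershell
# Added example: check whether the local Defender antimalware platform is at or
# above the build the advisory names as fixed for CVE-2026-33825.
# Assumes Get-MpComputerStatus is available (built-in Defender module).

$FixedVersion = [version]'4.18.26030.3011'   # fixed build, from the advisory

function Test-DefenderPlatformPatched {
    param(
        [Parameter(Mandatory)][version]$Installed,
        [version]$Fixed = $FixedVersion
    )
    # [version] compares each of the four parts numerically, so a string
    # comparison mistake such as ranking '4.18.9...' above '4.18.26030...' is avoided.
    return $Installed -ge $Fixed
}

# AMProductVersion is the antimalware platform build (4.18.x), as opposed to the
# engine version (AMEngineVersion) or the signature version.
$status    = Get-MpComputerStatus
$installed = [version]$status.AMProductVersion

if (Test-DefenderPlatformPatched -Installed $installed) {
    Write-Output "Defender platform $installed is at or above $FixedVersion; patched for CVE-2026-33825."
} else {
    Write-Output "Defender platform $installed is below $FixedVersion; update the Defender platform."
}

# For a fleet, run the same check remotely and collect the result per host, e.g.:
#   Invoke-Command -ComputerName $hosts -ScriptBlock { (Get-MpComputerStatus).AMProductVersion }
```

The platform update is delivered separately from signature updates, so a host with current signatures can still be on an older platform build; this is why the check reads AMProductVersion rather than the signature version.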

Fix · LPE · DoS · RCE

Weakness Enumeration

Related Identifiers

BDU:2026-05271
CVE-2026-33825

Affected Products

Defender