Researcher's PoC fuels in-the-wild Microsoft Defender privilege escalation attacks.
A privilege escalation flaw in Microsoft Defender, disclosed on April 2 and patched on April 14, was exploited as a zero-day using public proof-of-concept code. The bug, CVE-2026-33825, stems from a time-of-check/time-of-use (TOCTOU) race condition in Defender's signature update process. The exploit code was released by a researcher who published multiple exploit techniques under the names BlueHammer, RedSun, and UnDefend. Huntress observed attackers attempting to use all three methods after gaining access to environments through compromised FortiGate SSL VPNs, though the intruders appeared unfamiliar with the exploits and failed to gain full control of the systems. CISA has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog and ordered federal agencies to apply the patch by May 6.
Read more:
https://www.securityweek.com/recent-microsoft-defender-vulnerability-exploited-as-zero-day/