
U.S. CISA Adds a Flaw in Microsoft Defender to Its Known Exploited Vulnerabilities Catalog
Key Takeaways
- CISA listed CVE‑2026‑33825 in the KEV catalog, CVSS 7.8.
- Microsoft patched the flaw in the April 2026 Patch Tuesday release.
- Huntress observed real‑world attacks using BlueHammer, RedSun and UnDefend.
- Public exploit code was released, accelerating threat actor weaponization.
- Federal agencies must remediate by May 6, 2026; private organizations are advised to do likewise.
Pulse Analysis
The CISA Known Exploited Vulnerabilities (KEV) catalog serves as a government‑mandated watchlist for flaws that threat actors are actively leveraging. By adding CVE‑2026‑33825, a privilege‑escalation bug in Microsoft Defender, the agency signals that the vulnerability has moved beyond theoretical risk to real‑world attacks. This move aligns with the Binding Operational Directive 22‑01, which obligates federal entities to prioritize remediation of cataloged flaws, reinforcing a coordinated defense posture across the public sector.
Microsoft Defender’s role as a core endpoint protection suite makes any compromise especially dangerous. The CVE‑2026‑33825 bug, dubbed "BlueHammer," allows attackers to elevate privileges on compromised machines, effectively bypassing the very defenses it provides. Huntress’ telemetry shows exploitation began on April 10, 2026, and was quickly followed by attacks using related flaws—RedSun and UnDefend—whose proof‑of‑concept code was publicly released by researcher Chaotic Eclipse. The rapid weaponization illustrates how zero‑day disclosures, when coupled with open exploit code, can accelerate threat actor campaigns and increase the attack surface for both government and private networks.
For enterprises, the CISA alert is a clear call to action. Organizations should verify that the April 2026 Patch Tuesday updates are fully deployed, conduct vulnerability scans to confirm the absence of the three Defender flaws, and review their incident‑response playbooks for privilege‑escalation scenarios. Beyond patching, adopting a layered security model—such as restricting administrative token usage and monitoring for anomalous process behavior—can mitigate the impact of any residual exposure. As the federal deadline of May 6, 2026 approaches, proactive remediation will not only ensure compliance but also reduce the likelihood of a breach that could compromise sensitive data across the supply chain.
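The cross-check recommended above, written out as an added example that is not the article's, CISA's or Microsoft's own code: it reads a record in the shape of CISA's KEV JSON feed, matches it against a scanner-style inventory of hosts that still lack the fix, and orders the work by the BOD 22‑01 due date. The feed record, the inventory and the `dateAdded` value are constructed for the example; the field names follow the real feed's schema.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed. The field names are
# the feed's real ones; the values come from this article or are labelled
# placeholders, not copied from the live catalog.
SAMPLE_KEV_FEED = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2026-33825", "vendorProject": "Microsoft", "product": "Defender",
     "vulnerabilityName": "Microsoft Defender Privilege Escalation Vulnerability",
     "dateAdded": "2026-04-22",  # constructed placeholder; the article gives no add date
     "dueDate": "2026-05-06"},
    {"cveID": "CVE-0000-0000", "vendorProject": "ExampleVendor", "product": "ExampleProduct",
     "vulnerabilityName": "Placeholder entry", "dateAdded": "2026-01-01",
     "dueDate": "2026-01-22"},
]})

# Constructed asset inventory: the KEV-listed CVEs each host still lacks a fix for,
# as a vulnerability scanner might report them.
SAMPLE_INVENTORY = {
    "ws-finance-01": ["CVE-2026-33825"],
    "ws-hr-07": ["CVE-2026-33825", "CVE-0000-0000"],
    "srv-build-02": [],
}

def load_kev(feed_json):
    """Index the KEV feed by CVE id."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}

def remediation_queue(feed_json, inventory, today_iso):
    """Cross-reference unpatched CVEs against KEV and order them by due date.

    Returns a list of dicts (host, cveID, product, days_left, overdue), earliest
    deadline first. CVEs that are not in the KEV feed are ignored.
    """
    kev = load_kev(feed_json)
    today = date.fromisoformat(today_iso)
    queue = []
    for host, cves in inventory.items():
        for cve in cves:
            entry = kev.get(cve)
            if entry is None:
                continue
            days_left = (date.fromisoformat(entry["dueDate"]) - today).days
            queue.append({"host": host, "cveID": cve, "product": entry["product"],
                          "days_left": days_left, "overdue": days_left < 0})
    return sorted(queue, key=lambda item: (item["days_left"], item["host"]))

if __name__ == "__main__":
    for item in remediation_queue(SAMPLE_KEV_FEED, SAMPLE_INVENTORY, "2026-04-28"):
        print(item)
```

Pointing `feed_json` at the live KEV feed and `inventory` at real scanner output turns this into a daily deadline report.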