[CDP-development] TLP:GREEN (ZERO-DAY Alert Notification) CVE-2026-33825: Microsoft Defender Insufficient Granularity of Access Control Vulnerability

ESO_SOC * DAS ESO.SOC at das.oregon.gov
Thu Apr 23 10:25:21 PDT 2026


Good morning,

The SOC Services team is reporting on the vulnerability: CVE-2026-33825: Microsoft Defender Insufficient Granularity of Access Control Vulnerability. Due to active exploitation of the vulnerability and knowledge of the software in the state environment, we are providing this in-depth information.

History: Publicly disclosed on April 14, 2026, as part of Microsoft's Patch Tuesday, following a zero-day leak by researcher 'Chaotic Eclipse'. The CVSS v3.x base score is 7.8 (HIGH).
** NOTE: This vulnerability requires AGENCY/BOARD/COMMISSION action as it is NOT remediated at the tenant level.

Affected Versions

  *   Last version of the Microsoft Defender Antimalware Platform affected by this vulnerability: Version 4.18.26020.6

Fixed Versions

  *   First version of the Microsoft Defender Antimalware Platform with this vulnerability addressed: Version 4.18.26030.3011

Vendor Advisory: Microsoft Defender Elevation of Privilege Vulnerability<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33825>

Intelligence: On April 22, 2026, CISA confirmed the vulnerability in the Known Exploited Vulnerabilities Catalog.

Exploitability: Local
Complexity: Low
User Interaction: None
Remotely Exploitable: No (Local access required)
Proof of Concept: Publicly Available (GitHub - BlueHammer)
Zero Day: Yes

Workarounds: Restrict local logon rights to trusted users; Monitor for unauthorized use of NTFS junctions and symbolic link creation by low-privilege users.
How it Works: The exploit targets the Defender signature update process and is a time-of-check/time-of-use (TOCTOU) race. The attacker places an opportunistic lock (oplock) on a directory Defender is about to read. When Defender, running as SYSTEM, opens the path, the oplock pauses the operation; while it is paused, the attacker swaps the legitimate file out for an NTFS junction that points at a protected system file (e.g., C:\Windows\System32\config\SAM). When the oplock is released, Defender resumes the operation with SYSTEM privileges, reads the sensitive file, and inadvertently caches or logs its contents in a location the low-privileged user can read. As described, the attacker needs only local logon and the ability to create reparse points as a low-privileged user, which is why the workarounds above target local logon rights and junction/symlink creation.
Post-Exploit Impact:

  *   Extraction of NTLM hashes from the SAM database (root cause tracked as CWE-1220, Insufficient Granularity of Access Control)
  *   Full SYSTEM-level shell access and credential theft (via the CWE-367 TOCTOU race described above)

Indicators of Compromise (IoCs):

Type               | Value                              | Description / Notes                                                                                                              | Source
-------------------|------------------------------------|----------------------------------------------------------------------------------------------------------------------------------|-------------------------
Filename           | BlueHammer.exe                     | Common compiled exploit binary name from the leaked PoC                                                                          | GitHub / Threat Research
Filename           | FunnyApp.exe                       | Alternate name used in real-world staging of the exploit                                                                         | SOC Prime / Huntress
File Hash (SHA256) | e3b0c442... (placeholder)          | Placeholder only (the prefix of the SHA-256 of empty input), not an observed sample hash; monitor for hashes associated with the "Nightmare-Eclipse" GitHub repository | Threat Intel Feeds
AV Detection       | Exploit:Win32/DfndrPEBluHmr.BB     | Microsoft Defender signature specifically for the BlueHammer PoC                                                                 | Microsoft / Cyderes
Device Path        | \HarddiskVolumeShadowCopy*         | Unusual enumeration of VSS snapshots by non-system processes                                                                     | Cyderes
Registry Key       | HKLM\SAM\SAM\Domains\Account\Users | Unauthorized access to this key by Defender processes, triggered by non-admin users                                              | SentinelOne
Process Activity   | cmd.exe                            | Spawned from a temporary Windows service running at SYSTEM integrity                                                             | Help Net Security
Event ID           | 4672                               | "Special privileges assigned to new logon" associated with unexpected SYSTEM access                                              | SentinelOne
Behavioral (API)   | SamiChangePasswordUser             | API calls to forcibly change the local Administrator password                                                                    | Cyderes
Behavioral (API)   | LogonUserEx                        | Rapid logon/logoff activity for the local Administrator account                                                                  | Field Effect
Tenable Plugins:

Plugin ID | Plugin Title                                       | Severity | Platform
----------|----------------------------------------------------|----------|---------
306740    | Security Updates for Windows Defender (April 2026) | High     | Nessus
            <https://www.tenable.com/plugins/nessus/306740>

Recommended Actions:

Date Added to KEV Catalog: April 22, 2026
Due Date for Remediation: May 6, 2026

  *   Ensure the Microsoft Defender Antimalware Platform is updated to version 4.18.26030.3011 or higher on every endpoint.
  *   Audit logs for Event ID 4656/4663 (Object Access) targeting the SAM hive by processes other than lsass.exe.
  *   Verify host has not been compromised before applying patches.
  *   Apply appropriate updates provided by the vendor to vulnerable systems after testing.
  *   Run all software as a non-privileged user to reduce the impact of a successful attack.
  *   Apply the Principle of Least Privilege to all systems and services.
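The following PowerShell script is an added example from the editor; it is not part of this SOC notification and not a Microsoft or Tenable tool. It automates the first two actions above on a single host: it compares the installed Antimalware Platform version (the AMProductVersion field returned by Get-MpComputerStatus) against the fixed version named in this notification, and it hunts the Security log for 4656/4663 object-access events that touch the SAM hive from any process other than lsass.exe. It assumes it is run elevated on a Windows host with Microsoft Defender Antivirus, that "Audit Object Access" is enabled and a SACL exists on the SAM hive (otherwise the hunt returns nothing), and the function names and the default 7-day lookback are the editor's choices, not vendor names.

```powershell
# Added example (editor's, not the SOC's or Microsoft's). Run elevated.
# Assumes: Windows with Microsoft Defender Antivirus; "Audit Object Access"
# enabled with a SACL on the SAM hive so that 4656/4663 events are generated.
# Function names and the default 7-day window are assumptions, not vendor names.

# First fixed Antimalware Platform version, taken from this notification.
$FixedPlatformVersion = [version]'4.18.26030.3011'

function Test-DefenderPlatformFixed {
    # AMProductVersion is the Antimalware Platform version, not the engine
    # (AMEngineVersion) or the signature version. Casting to [version] gives a
    # numeric comparison across all four fields instead of a string compare.
    $status    = Get-MpComputerStatus
    $installed = [version]$status.AMProductVersion
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Installed    = $installed
        Fixed        = $FixedPlatformVersion
        Patched      = ($installed -ge $FixedPlatformVersion)
    }
}

function Find-SamHiveAccessByNonLsass {
    param([int]$Days = 7)
    $filter = @{
        LogName   = 'Security'
        Id        = 4656, 4663          # 4656: handle requested, 4663: object accessed
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Pull the EventData fields by name out of the event XML.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            # Match both the hive file (...\System32\config\SAM) and the registry
            # key (\REGISTRY\MACHINE\SAM\SAM\...). lsass.exe is the legitimate
            # reader; anything else, including MsMpEng.exe, is worth a look.
            if ($data['ObjectName'] -match '\\SAM(\\|$)' -and
                $data['ProcessName'] -notmatch '\\lsass\.exe$') {
                [pscustomobject]@{
                    TimeCreated = $_.TimeCreated
                    EventId     = $_.Id
                    Subject     = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                    ProcessName = $data['ProcessName']
                    ObjectName  = $data['ObjectName']
                    AccessMask  = $data['AccessMask']
                }
            }
        }
}

# Usage: an unpatched host, or any SAM-hive hit from a process other than
# lsass.exe, feeds the "verify host has not been compromised" step above.
Test-DefenderPlatformFixed | Format-List
Find-SamHiveAccessByNonLsass -Days 7 | Sort-Object TimeCreated | Format-Table -AutoSize
```

A hit where ProcessName is the Defender service binary (MsMpEng.exe) reading HKLM\SAM\SAM\Domains\Account\Users lines up with the SentinelOne indicator in the IoC table above and should be treated as a possible exploitation attempt rather than noise. The hunt is only as good as the audit policy: if no SACL is present on the SAM hive, the absence of results proves nothing, so confirm auditing is in place before relying on an empty result.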

EIS Security Operations Center
Enterprise Information Services
Cyber Security Services | CSS
SOC Hotline: (503) 378-5930
SOC at EIS.OREGON.GOV<mailto:SOC at EIS.OREGON.GOV>

