CISA Orders Immediate Patching of Exploited Microsoft Defender 'BlueHammer' Zero-Day
The **Cybersecurity and Infrastructure Security Agency (CISA)** has issued an urgent directive for U.S. government agencies to patch their **Windows** systems within two weeks against **CVE-2026-33825**, a high-severity privilege escalation vulnerability in **Microsoft Defender**. The flaw, dubbed 'BlueHammer,' is being actively exploited in zero-day attacks and poses a significant risk to the federal enterprise.

**CISA** has given U.S. government agencies two weeks to secure their **Windows** systems against a **Microsoft Defender** privilege escalation vulnerability that has been exploited in zero-day attacks.
Tracked as **CVE-2026-33825**, this high-severity security flaw is an insufficient-granularity-of-access-control weakness that lets a local attacker with low privileges gain SYSTEM privileges on unpatched devices.
**Microsoft** patched the vulnerability on April 14 as part of this month's Patch Tuesday, one week after a security researcher using the "Chaotic Eclipse" handle dubbed it "BlueHammer" and published proof-of-concept exploit code in protest at how **Microsoft's** Security Response Center (MSRC) handled the disclosure process.
Chaotic Eclipse also disclosed a second **Microsoft Defender** privilege escalation flaw (dubbed RedSun) and a third flaw (known as UnDefend) that a standard user can exploit to block Defender definition updates.
At the time of the leak, all three vulnerabilities were considered zero-days by **Microsoft's** definition, since they had no official patches.
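As an added example (not code from the article, from Microsoft, Huntress or CISA), the PowerShell check below is what an administrator might run across a fleet after this Patch Tuesday: it reports the installed Defender platform and engine versions, flags stale security intelligence (the symptom an UnDefend-style update block would produce) and counts recent update-failure events. It assumes the built-in `Defender` module (`Get-MpComputerStatus`) is present and that the operator supplies the minimum patched platform version from Microsoft's CVE-2026-33825 advisory, since the article does not state it; the `4.18.0.0` in the usage line is a placeholder, not the real threshold. The event ID used (2001) is Defender's "security intelligence update failed" event from Microsoft's event reference.

```powershell
# Added example, not from the article or the vendors it quotes.
# Checks one host's Defender patch and update state after the April 2026 Patch Tuesday.
function Test-DefenderPatchState {
    [CmdletBinding()]
    param(
        # Assumption: the operator supplies the fixed platform version from the MSRC advisory;
        # the article does not give it, so nothing here hard-codes a real threshold.
        [Parameter(Mandatory)] [version] $MinPlatformVersion,
        [int] $MaxSignatureAgeDays = 2,
        [int] $LookbackDays = 7
    )

    $status = Get-MpComputerStatus

    # Antimalware platform (the component the CVE lives in) and scan engine versions.
    $platform = [version] $status.AMProductVersion
    $engine   = [version] $status.AMEngineVersion

    # Security intelligence (definition) freshness. A standard user able to block
    # updates would show up here as a steadily growing AntivirusSignatureAge.
    $sigAge = $status.AntivirusSignatureAge

    # Defender operational log, event 2001 = security intelligence update failed.
    # A burst of these on an otherwise online host deserves a closer look.
    $since = (Get-Date).AddDays(-$LookbackDays)
    $updateFailures = @(Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 2001
        StartTime = $since
    } -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        ComputerName            = $env:COMPUTERNAME
        PlatformVersion         = $platform
        EngineVersion           = $engine
        PlatformPatched         = ($platform -ge $MinPlatformVersion)
        RealTimeProtection      = $status.RealTimeProtectionEnabled
        SignatureVersion        = $status.AntivirusSignatureVersion
        SignatureLastUpdated    = $status.AntivirusSignatureLastUpdated
        SignatureAgeDays        = $sigAge
        SignatureStale          = ($sigAge -gt $MaxSignatureAgeDays)
        UpdateFailuresLastNDays = $updateFailures.Count
    }
}

# Usage (run elevated; '4.18.0.0' is a placeholder, use the version from the MSRC advisory):
# Test-DefenderPatchState -MinPlatformVersion '4.18.0.0' | Format-List
#
# Fleet-wide over WinRM, collecting one object per host:
# Invoke-Command -ComputerName (Get-Content .\hosts.txt) `
#     -ScriptBlock ${function:Test-DefenderPatchState} -ArgumentList '4.18.0.0' |
#     Where-Object { -not $_.PlatformPatched -or $_.SignatureStale -or $_.UpdateFailuresLastNDays -gt 0 }
```

A host with `PlatformPatched = $false` is still exposed to BlueHammer regardless of how current its definitions are, since the fix ships in the platform update rather than in security intelligence. A host whose `SignatureStale` flag is set, or that logs repeated update failures while reachable, is worth treating as a possible UnDefend target rather than a routine update hiccup; `Update-MpSignature` forces a refresh, but the reason the updates stopped is the more important finding.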
As **Huntress Labs** security researchers revealed on April 16, attackers had been exploiting these zero-days in attacks that showed evidence of "hands-on-keyboard threat actor activity."
"The activity also appeared to be part of a broader intrusion rather than isolated proof-of-concept (PoC) testing," the cybersecurity company said in a Monday report. "**Huntress** identified suspicious **FortiGate** SSL VPN access tied to the compromised environment, including a source IP geolocated to Russia, with additional suspicious infrastructure observed in other regions."
On Monday, **CISA** added the BlueHammer vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, ordering Federal Civilian Executive Branch (FCEB) agencies to patch their **Windows** systems against ongoing CVE-2026-33825 attacks within two weeks, by May 7.
"This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise," **CISA** warned.
"Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable."
One week ago, **CISA** also warned that a **Windows** Task Host privilege-escalation vulnerability (**CVE-2025-60710**), which grants attackers SYSTEM privileges on unpatched **Windows 11** and **Windows Server 2025** devices, is now being actively exploited in the wild.
