Microsoft Corporation confirmed on April 23, 2026, that a critical privilege escalation vulnerability in its Microsoft Defender security software is being actively exploited in the wild. The vulnerability, tracked as CVE-2026-33825 and colloquially named BlueHammer, allows an attacker who has already gained a foothold on a system with low-level user privileges to elevate those permissions to the highest level of System authority. This level of access grants a threat actor total control over the compromised machine, including the ability to disable security features, install persistent malware, and access sensitive data across the local network.
The flaw resides within the Microsoft Malware Protection Engine (mpengine.dll), specifically in how the service handles memory during the scanning of specially crafted files. According to technical documentation released by Microsoft’s Security Response Center (MSRC), the vulnerability is a memory corruption issue that can be triggered when Defender attempts to parse a malicious script disguised as a routine system log. Because Microsoft Defender runs with high privileges by design to monitor system activity, the exploitation of this engine provides a direct path for attackers to bypass standard Windows security boundaries.
Microsoft reported that the vulnerability affects Microsoft Defender Antimalware Platform versions prior to 4.18.2604.5. The affected engine versions include all builds earlier than 1.1.23040.1. These components are integrated into Windows 10, Windows 11, and Windows Server 2019 and 2022. The company stated that the update is being delivered automatically to most consumer and enterprise endpoints through the standard Microsoft Update service. However, administrators in air-gapped environments or those using manual update management tools are urged to verify that the Malware Protection Engine has been updated to the latest version immediately.
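The version check the article asks administrators to perform, written as an added example (not code from Microsoft or the MSRC advisory). It reads the local Defender engine and platform versions with the real `Get-MpComputerStatus` cmdlet and compares them against the fixed versions stated above; the function name and output shape are this example's own.

```powershell
# Added example: report whether this endpoint runs Defender engine/platform
# versions at or above the fixed versions the article states.
$FixedEngine   = [version]'1.1.23040.1'   # engine builds earlier than this are affected
$FixedPlatform = [version]'4.18.2604.5'   # platform versions earlier than this are affected

function Test-DefenderBlueHammerPatched {
    # Get-MpComputerStatus exposes the engine (AMEngineVersion) and the
    # Antimalware Platform (AMProductVersion) versions as strings.
    $status   = Get-MpComputerStatus
    $engine   = [version]$status.AMEngineVersion
    $platform = [version]$status.AMProductVersion

    # [version] comparison is numeric per component, so 1.1.23040.1 is not
    # mistaken for "less than" 1.1.9999.0 the way a string compare would.
    $engineOk   = $engine   -ge $FixedEngine
    $platformOk = $platform -ge $FixedPlatform

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        EngineVersion   = $engine
        EnginePatched   = $engineOk
        PlatformVersion = $platform
        PlatformPatched = $platformOk
        Patched         = ($engineOk -and $platformOk)
    }
}

$result = Test-DefenderBlueHammerPatched
$result | Format-List

if (-not $result.Patched) {
    Write-Warning "Defender engine or platform is below the fixed version on $($result.ComputerName)."
    # Update-MpSignature fetches the latest security intelligence and engine
    # package; the platform update itself arrives through Windows Update, so
    # re-check after both have run.
    Update-MpSignature
    Test-DefenderBlueHammerPatched | Format-List
}
```

Run it from an elevated PowerShell session on each endpoint, or wrap the function in `Invoke-Command` to collect the `Patched` field across a fleet; air-gapped hosts will need the engine and platform packages staged manually before the re-check passes.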
The discovery of BlueHammer was attributed to researchers at the cybersecurity firm SentinelLabs, who observed the exploit being used in targeted attacks against the industrial and financial sectors. While Microsoft did not name a specific threat actor, the company’s threat intelligence team noted that the exploit code appears to have been developed by a sophisticated group capable of bypassing modern memory protections such as Address Space Layout Randomization (ASLR).
In an official statement, Microsoft confirmed that it has not seen evidence of widespread automated exploitation but warned that the public disclosure of the vulnerability increases the risk of broader use by ransomware groups. The company noted that the patch released today, April 23, addresses the logic error in the engine's memory allocation. No workarounds are currently recommended other than the immediate application of the security update. Microsoft Defender for Endpoint customers can monitor for exploitation attempts using specific telemetry signals identified in the MSRC advisory.