
Second Defender-based LPE in days
The Defender flaw addressed earlier this week as part of Patch Tuesday was one of the two zero-day bugs Microsoft fixed, and it also allowed local privilege escalation stemming from “insufficient granularity of access control.”
While Microsoft attributed the discovery of the flaw, tracked as CVE-2026-33825, to security researcher Zen Dodd, the flaw already had a PoC exploit, “BlueHammer,” available before it was even fixed. It came from “Chaotic Eclipse,” an alias used by Nightmare Eclipse on other publishing platforms. The flaw received a high-severity rating of 7.8 out of 10.
Eclipse has some disagreements with how Microsoft handled the disclosure of CVE-2026-33825. While it is unknown if “RedSun” was reported to Microsoft before disclosure, the PoC still sits unaddressed.
Microsoft did not immediately respond to CSO’s requests for comment. Dormann confirmed that the exploit is detected on VirusTotal, but that the detection relies heavily on the EICAR test-file signature, which string encryption can defeat to some extent. “Defender (Microsoft) currently doesn’t detect the exploit in either case,” he noted.
