Brunswick, ME • (207) 245-1010 • contact@johnzblack.com
It took exactly two weeks for CVE-2026-33825 (known as BlueHammer) to go from a leaked proof-of-concept to a confirmed zero-day on CISA’s “must-patch” list. That is a terrifyingly fast turnaround even by today’s standards.
The bug lives inside Windows Defender, which is an irony that shouldn’t be lost on anyone. It is a race condition known as a TOCTOU (Time-of-Check to Time-of-Use) bug: Defender checks something about a file, and by the time it acts on that check, the thing it is acting on has been swapped for something else. Essentially, an attacker can trick Defender into using its high-level system privileges to touch the SAM database—the place where Windows stores your password hashes.
Instead of protecting you, Defender ends up handing over the keys to the castle. Once an attacker has those hashes, they can move laterally across your network like they own the place.
The most uncomfortable part is that the exploit doesn’t involve breaking Defender; it involves using Defender. Security software needs deep system access to work, and this bug turns that requirement into an attack vector.
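To make the check-then-use mistake concrete, here is an added POSIX C example (not Defender's code and not from the original post): a privileged routine that approves a path and then opens it, beside a hardened version that opens first and checks the descriptor it actually got. The "hive" file, the target path and the retarget step are constructed for the demo; it generalises the single Defender case to any privileged open of a caller-influenced path.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
/* True when two stat results name the same file-system object. */
static int same_file(const struct stat *a, const struct stat *b) {
    return a->st_dev == b->st_dev && a->st_ino == b->st_ino;
}
/* Vulnerable pattern: check the path, then use the path. `race` stands in for
 * the window between the two, in which the path can be retargeted. */
int open_toctou(const char *path, const struct stat *forbidden, void (*race)(void)) {
    struct stat st;
    if (lstat(path, &st) != 0 || same_file(&st, forbidden)) return -1; /* check */
    race();                       /* the window an attacker wins the race in */
    return open(path, O_RDONLY);  /* use: the path may name a different file now */
}
/* Hardened pattern: open first without following links, then check the
 * descriptor actually obtained; an open fd cannot be retargeted afterwards. */
int open_hardened(const char *path, const struct stat *forbidden) {
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || same_file(&st, forbidden)) {
        close(fd); return -1;
    }
    return fd;
}
/* Constructed scenario: "hive" is the file privileged code must never open;
 * "target" is harmless until swapped for a symlink to "hive" in the check/use
 * window. Returns 1 when open_toctou hands back the hive and open_hardened refuses. */
static char g_hive[64], g_target[64];
static void retarget(void) { unlink(g_target); (void)symlink(g_hive, g_target); }
int demo(void) {
    char dir[] = "/tmp/toctouXXXXXX";
    if (!mkdtemp(dir)) return -1;
    snprintf(g_hive, sizeof g_hive, "%s/hive", dir);
    snprintf(g_target, sizeof g_target, "%s/target", dir);
    close(open(g_hive, O_CREAT | O_WRONLY, 0600));
    close(open(g_target, O_CREAT | O_WRONLY, 0600));
    struct stat hive, got;
    if (stat(g_hive, &hive) != 0) return -1;
    int fd = open_toctou(g_target, &hive, retarget);
    int leaked = fd >= 0 && fstat(fd, &got) == 0 && same_file(&got, &hive);
    if (fd >= 0) close(fd);
    int blocked = open_hardened(g_target, &hive) < 0; /* target is a symlink now */
    unlink(g_target); unlink(g_hive); rmdir(dir);
    return leaked && blocked;
}
```

The fix is not a tighter check but a different order of operations: decide on the object you hold a handle to, never on the name you looked up a moment ago.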
If you’re running Windows, you need to patch this yesterday. But don’t stop there. Check your logs for unexpected access to the SAM database and consider rotating your local credentials. A patch stops the leak, but it won’t invalidate hashes that have already been stolen.