Why Is CVE-2026-33825 a Concern for Microsoft Defender?
Microsoft released its April 2026 Patch Tuesday security update on Tuesday, addressing more than 160 vulnerabilities across Windows, Office, Defender, and SharePoint in what security researchers are calling one of the largest monthly patch releases in the company's history. The update includes fixes for two zero-day vulnerabilities, one of which is already being exploited in attacks.
Actively Exploited SharePoint Flaw
The most pressing fix is CVE-2026-32201, a spoofing vulnerability in Microsoft SharePoint Server, caused by improper input validation, that allows an unauthenticated attacker to spoof content over a network. Despite carrying a relatively modest CVSS score of 6.5, the flaw has been exploited in the wild and was added to the Cybersecurity and Infrastructure Security Agency's Known Exploited Vulnerabilities catalog on April 14, with a remediation deadline of April 28.
Mat Lee, senior security engineer at Automox, warned that the CVSS score understates the risk because the vulnerability requires no authentication or special privileges. "External threats can target internet-facing SharePoint instances directly. On-premises SharePoint servers exposed to the internet carry the highest risk," Lee said. In a potential attack scenario, malicious JavaScript could execute in a victim's browser when visiting a compromised SharePoint page, enabling session cookie theft, phishing redirects, or even ransomware delivery. Microsoft released patches for SharePoint 2016, 2019, and SharePoint Server Subscription Edition.
BlueHammer Exploit Gets a Patch
The second zero-day, CVE-2026-33825, is an elevation of privilege flaw in Microsoft Defender rated 7.8 on the CVSS scale. While Microsoft's advisory noted only that the vulnerability had been publicly disclosed, Tenable researchers identified it as matching "BlueHammer," a proof-of-concept exploit published on GitHub on April 3 by a researcher using the alias "Chaotic Eclipse". The researcher released the code after becoming frustrated with Microsoft's vulnerability disclosure process.
BlueHammer exploits a race condition in Microsoft Defender's update mechanism to extract password hashes from the Windows Security Account Manager database, ultimately escalating a low-privileged user to full SYSTEM access in under 60 seconds. Vulnerability analyst Will Dormann confirmed the exploit worked on patched Windows 10, 11, and Windows Server systems prior to today's fix.
Eight Critical Vulnerabilities Round Out the Release
Among eight critical vulnerabilities patched, CVE-2026-33824 stands out as a remote code execution flaw in the Windows Internet Key Exchange service with a CVSS score of 9.8. An unauthenticated attacker can exploit it by sending crafted packets to a target running IKE version 2. Microsoft recommended firewall rules blocking UDP ports 500 and 4500 for organizations unable to patch immediately. Other critical fixes address Windows Active Directory, Windows TCP/IP, and Microsoft Office.
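For administrators who cannot apply the IKE fix immediately, the interim firewall mitigation the article describes can be applied and later removed with the built-in NetSecurity cmdlets. The following is an added example and not code from the article or from Microsoft; the rule name and description are our own choice, and the snippet assumes an elevated PowerShell session on the host being protected.

```powershell
# Added example (not from the article or Microsoft): temporary inbound block for
# UDP 500 and 4500 on a Windows host running the IKE service, as an interim
# mitigation for CVE-2026-33824 until the April 2026 update is installed.
# Run in an elevated PowerShell session.
#
# Caveat: IKE/IPsec VPNs (IKEv2, L2TP/IPsec) that terminate on this host will stop
# working while the rule is in place, so scope it to hosts that do not need them
# and remove it once the patch is applied.

$ruleName = "TEMP-Block-IKE-CVE-2026-33824"   # assumed name, chosen for this example

# Show whether the IKE keying service (IKEEXT) is even running on this host
Get-Service -Name IKEEXT | Select-Object Name, Status, StartType

# Create the block rule only if it does not already exist (idempotent)
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName `
        -Direction Inbound `
        -Protocol UDP `
        -LocalPort 500,4500 `
        -Action Block `
        -Profile Any `
        -Description "Interim mitigation for CVE-2026-33824; remove after patching." |
        Out-Null
}

# Verify the rule and the ports it filters
Get-NetFirewallRule -DisplayName $ruleName |
    Get-NetFirewallPortFilter |
    Select-Object Protocol, LocalPort

# After the update is installed, remove the temporary rule:
# Remove-NetFirewallRule -DisplayName $ruleName
```

The rule blocks only inbound traffic, which is what an unauthenticated remote attacker would send; outbound IKE initiated by the host is unaffected. Because the Windows firewall evaluates block rules before allow rules, this rule takes precedence over any existing allow rule for IPsec on the same ports.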
Dustin Childs of TrendAI's Zero Day Initiative described the April release as "monstrous" in scope. Security teams are advised to prioritize the actively exploited SharePoint flaw and the now-patched BlueHammer vulnerability, given that ransomware operators routinely weaponize public exploit code within days of release.
