CrowdStrike Is Now Giving Advice on Windows Defender Vulnerabilities. Read That Again.
- Patrick Duggan
A disgruntled security researcher publicly dropped a privilege escalation zero-day in Microsoft Windows Defender this week. Microsoft patched it in April's Patch Tuesday. CISA added it to the KEV catalog. The vulnerability — CVE-2026-33825, nicknamed BlueHammer — allows local privilege escalation through the very software that's supposed to protect the endpoint.
CrowdStrike published a Patch Tuesday analysis covering BlueHammer. Professional. Thorough. Technically accurate.
And I need everyone to pause and appreciate what's happening here.
The company that pushed a faulty kernel-level update that crashed 8.5 million Windows machines in July 2024 — including every machine running Windows Defender alongside Falcon — is now publishing security guidance about a vulnerability in Windows Defender.
This is the same company that, less than 24 hours ago, we caught reading our blog post about their OpenClaw advisory from inside their Salesforce CRM. The same company whose Channel File 291 bypassed their own content validation and caused $10 billion in global damage. The same company that took hospitals offline, grounded 5,078 flights, and knocked out 911 systems.
They're giving Defender advice now.
What BlueHammer Actually Is
CVE-2026-33825 is a privilege escalation vulnerability in Windows Defender. A local attacker who already has a foothold on the machine can escalate to SYSTEM privileges through the Defender service. The researcher who found it disclosed it publicly before Microsoft had a patch — a "disgruntled disclosure" that gave attackers a head start.
This is a real vulnerability. It's in the KEV catalog. Federal agencies must patch by their deadline. If you run Windows Defender, update immediately.
We had it in our KEV index before CrowdStrike published their analysis.
The Pattern
This is the second time in two days CrowdStrike has published security guidance that we've covered first. Yesterday it was OpenClaw. Today it's BlueHammer.
The pattern isn't that CrowdStrike's analysis is wrong. It's usually right. The pattern is that a company with a $10 billion outage on its record keeps positioning itself as the voice of reason on everyone else's security failures.
BlueHammer is a local privilege escalation. Dangerous, yes. Patchable, yes. Bounded to machines where the attacker already has access.
CrowdStrike's July 2024 outage was a remote, vendor-initiated, kernel-level crash pushed to every machine simultaneously. No attacker needed. No access required. CrowdStrike was the attacker and the victim at the same time.
One of these is a vulnerability. The other was a vendor-inflicted catastrophe. CrowdStrike would like you to focus on the vulnerability.
What To Do
Patch Windows Defender. CVE-2026-33825. April Patch Tuesday. Do it today.
Then ask your endpoint security vendor — whichever one it is — what their content validation process looks like. Because the next BlueHammer is a local priv-esc that requires a foothold. The next Channel File 291 is a vendor pushing bad code to your entire fleet at 4 AM on a Friday.
One of those risks you can mitigate with a patch. The other you mitigate by choosing your vendors carefully.
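If you want to confirm the patch actually landed rather than trust the update console, the following PowerShell snippet is an added example (not from this post and not CrowdStrike's or Microsoft's code) that reads the Defender platform and engine versions from the built-in `Get-MpComputerStatus` cmdlet and flags hosts below a minimum. The two minimum versions are placeholders you fill in from Microsoft's advisory for CVE-2026-33825; this post does not state them.

```powershell
# Added example: report Windows Defender platform/engine versions on this host
# and flag them if older than the fixed versions from the CVE-2026-33825 advisory.
# PLACEHOLDERS below: replace with the fixed versions published by Microsoft.
$MinPlatformVersion = [version]'0.0.0.0'   # PLACEHOLDER: fixed AM platform version
$MinEngineVersion   = [version]'0.0.0.0'   # PLACEHOLDER: fixed AM engine version

function Get-DefenderPatchState {
    param(
        [version]$MinPlatform = $MinPlatformVersion,
        [version]$MinEngine   = $MinEngineVersion
    )
    # Built-in Defender cmdlet; requires the Defender PowerShell module present on Windows.
    $status = Get-MpComputerStatus

    # AMProductVersion is the Defender platform, AMEngineVersion the scan engine.
    $platform = [version]$status.AMProductVersion
    $engine   = [version]$status.AMEngineVersion

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        RealTimeProtection  = $status.RealTimeProtectionEnabled
        PlatformVersion     = $platform
        EngineVersion       = $engine
        SignatureVersion    = $status.AntivirusSignatureVersion
        SignatureAgeDays    = (New-TimeSpan -Start $status.AntivirusSignatureLastUpdated -End (Get-Date)).Days
        NeedsPlatformUpdate = $platform -lt $MinPlatform
        NeedsEngineUpdate   = $engine -lt $MinEngine
    }
}

# Run locally; surface only what needs attention.
$state = Get-DefenderPatchState
$state | Format-List
if ($state.NeedsPlatformUpdate -or $state.NeedsEngineUpdate) {
    Write-Warning "Defender on $($state.ComputerName) is below the minimum version; run Windows Update / Defender platform update."
}
```

To check a fleet, run the function body through `Invoke-Command -ComputerName` and collect the objects into a single table; hosts that return `NeedsPlatformUpdate` or `NeedsEngineUpdate` as `True` are your remaining exposure.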
— Patrick
Our KEV coverage: CVE-2026-33825 indexed. CVE-2026-32201 (SharePoint zero-day) indexed. CVE-2026-5281 (Chrome zero-day) indexed. CVE-2026-20184 (Cisco ISE) indexed. CVE-2026-33032 (nginx-ui) indexed. 5 for 5 on today's headlines.
DugganUSA STIX Feed: analytics.dugganusa.com/api/v1/stix-feed
