A privilege escalation exploit is patched. A Defender bypass is not. The question is what your endpoint architecture does while the window is still open.
Six Windows exploits in six weeks. One of them has a patch. One does not. And together they form an active ransomware delivery chain that Huntress confirmed was exploited in production environments from April 10.
Between April and May 2026, security researcher Nightmare-Eclipse released a coordinated series of Windows privilege escalation, Defender bypass, and BitLocker circumvention techniques designed to chain together into ransomware deployments. Barracuda Networks mapped the full sequence on May 19: the first exploit (CVE-2026-33825, patched in May Patch Tuesday) escalates an unprivileged user to NT AUTHORITY\SYSTEM via a TOCTOU flaw in Defender’s update process. A second technique blinds Defender and prevents detection of new threats — still partially unaddressed. A third bypasses BitLocker on stolen devices. BleepingComputer and Help Net Security have tracked active exploitation throughout May.
This is ultimately a least-privilege failure story. The organizations most exposed are those with standing local admin rights and no independent posture visibility. The chain starts with an unprivileged user — and standing admin is what makes escalation to SYSTEM possible.
The Attack Chain IT Teams Are Facing
Understanding the sequence matters because each step depends on the one before it. This is not six independent vulnerabilities — it is a structured Windows privilege escalation and ransomware delivery path.
Step 1: Privilege Escalation via CVE-2026-33825
The first exploit starts as an unprivileged user and escalates to NT AUTHORITY\SYSTEM via a TOCTOU flaw in Defender’s update process — now patched as CVE-2026-33825 in May 2026 Patch Tuesday. For endpoints that have received the patch, this first step is blocked. The operational question is which endpoints have actually confirmed the fix. The same patch posture challenge we outlined for CVE-2026-41096 applies here: deployed is not the same as applied.
Step 2: Defender Bypass
A second technique disables Defender’s ability to detect new threats once the attacker achieves escalation. This step remains partially unaddressed — there is no complete Microsoft patch. Once Defender is blind, subsequent payloads can execute without triggering standard detections.
Steps 3–6: Persistence, BitLocker Bypass, and Ransomware
With SYSTEM privileges and detection neutralized, the remaining techniques establish persistence, bypass BitLocker on stolen or compromised devices, and deploy ransomware. The BitLocker bypass is particularly relevant for organizations with remote or field devices.
Why Patching Alone Is Not Sufficient Here
The privilege escalation exploit has a patch. Applying it blocks the first step in the chain. But two structural realities limit a patch-only response:
The Defender bypass has no complete patch. Waiting for Microsoft to close this step is not a viable strategy for organizations actively targeted. The chain can still execute on any environment where escalation is possible and Defender is the primary detection layer.
The patch window is always open. As the Verizon Data Breach Investigations Report consistently shows, the gap between patch release and confirmed remediation across an estate is where most exploitation occurs. CVE-2026-33825 is patchable — but not every endpoint in every organization has that patch confirmed applied today.
The structural question is what happens when an attacker reaches an endpoint during that window — or targets an environment where the Defender bypass has no fix to apply. That is where endpoint architecture matters more than patch cadence.
What CapaOne Does — and Does Not Do
CapaOne does not patch Windows OS vulnerabilities — Microsoft distributes those fixes through Windows Update, WSUS, Intune, and Autopatch. For organizations running Microsoft Intune, CapaOne adds the structural controls and posture visibility Intune does not natively provide. Against this ransomware attack chain specifically, three CapaOne capabilities matter — and they address the attack at different points in the escalation sequence.
Privilege Manager: Removing the Escalation Foundation
Privilege Manager removes standing local admin rights and replaces them with policy-based, just-in-time elevation via Entra ID groups. The privilege escalation step starts as an unprivileged user and escalates to SYSTEM via a TOCTOU flaw in Defender’s update process. That escalation path assumes the attacker has a process or context with access to Defender’s update mechanism.
The most effective protection against Windows privilege escalation exploits is removing the standing local admin rights the escalation depends on. Privilege Manager enforces least-privilege by default — replacing always-on admin access with time-limited, policy-governed elevation. Without standing local admin, the TOCTOU flaw becomes structurally harder to reach.
This matters most for the Defender bypass: since that step has no patch, Privilege Manager is not a compensating control waiting for a fix. It is the primary defence available today against the escalation that makes the bypass possible.
Security Monitor: Independent Visibility When Defender Is the Target
When ransomware operators disable Defender, organizations lose the operational evidence needed to quickly determine exposure scope. Security Monitor provides independent endpoint posture visibility — CVE exposure, configuration drift, and device state — that operates outside Defender’s detection layer. That independence is not a nice-to-have when Defender is the attack target. It is the only reliable posture signal available.
Security Monitor also confirms which endpoints have CVE-2026-33825 applied — device-level evidence rather than a deployment progress indicator. That distinction matters when you need to know exposure scope within the hour, not after manually cross-referencing update logs.
Application Manager: Closing the Secondary Exposure Layer
Once SYSTEM-level access is achieved and Defender is blind, outdated third-party applications are the most accessible path for payload delivery and lateral movement. Application Manager keeps the third-party application layer current automatically — reducing the number of exploitable paths available after initial escalation.
What to Do Now
The Windows privilege escalation exploit chain is active. Here is where to focus:
- Confirm CVE-2026-33825 patch posture in Security Monitor. Filter across the estate for endpoints where this first escalation step is still unpatched. Deployment status is not sufficient — you need device-level confirmation.
- Review standing local admin in Privilege Manager. Every endpoint with standing admin rights is a viable starting point for privilege escalation to SYSTEM. Privilege Manager shows which endpoints carry that exposure and removes it without adding helpdesk friction.
- Assess your Defender dependency. The Defender bypass technique has no complete patch. Security Monitor provides the independent posture and configuration visibility that compensates for a blinded Defender — confirm it is active and surfacing posture signals across the endpoints most at risk.
- Audit post-escalation exposure in Application Manager. Once the attacker gains SYSTEM-level access and Defender is blind, this attack chain uses outdated third-party applications as the primary payload delivery path. Check which endpoints are running outdated browsers, document viewers, and communication tools — these are the specific application types Huntress identified as secondary vectors in confirmed ransomware deployments.
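The four checks above each resolve to a question a single endpoint can answer about itself. The following PowerShell script is an added example, not CapaOne code and not the vendor's tooling: it gathers device-level evidence for the first three checks on one host (patch installed, standing local admin members, Defender health) and writes a one-row CSV that a management channel can collect estate-wide. It assumes Windows 10/11 or Server 2016+ with the LocalAccounts and Defender modules, elevated execution, and a placeholder KB number for CVE-2026-33825, which must be replaced with the value from the MSRC advisory.

```powershell
# Added example (not CapaOne code). Per-endpoint posture evidence for the chain above.
# Assumptions: run elevated; $RequiredKB is a placeholder taken from the MSRC advisory.
param(
    # PLACEHOLDER: replace with the KB listed in the MSRC advisory for CVE-2026-33825
    [string]$RequiredKB = 'KB0000000',
    # Signature age (days) beyond which Defender is treated as stale
    [int]$MaxSignatureAgeDays = 3
)

function Test-PatchApplied {
    param([string]$KB)
    # Device-level evidence: the update is listed as installed on this host,
    # which is a stronger claim than "deployed" in a management console.
    $hotfix = Get-HotFix -Id $KB -ErrorAction SilentlyContinue
    return [bool]$hotfix
}

function Get-OsBuild {
    # Get-HotFix reads Win32_QuickFixEngineering, which does not list every update type,
    # so also record the build and update build revision (UBR) as supporting evidence.
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    return "$($cv.CurrentBuild).$($cv.UBR)"
}

function Get-StandingLocalAdmins {
    # Enumerate the local Administrators group; anything other than the built-in
    # Administrator account (RID 500) counts as standing admin exposure.
    $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop
    foreach ($m in $members) {
        $rid = ($m.SID.Value -split '-')[-1]
        [pscustomobject]@{
            Name            = $m.Name
            ObjectClass     = $m.ObjectClass
            PrincipalSource = $m.PrincipalSource
            IsBuiltIn       = ($rid -eq '500')
        }
    }
}

function Get-DefenderHealth {
    param([int]$MaxAgeDays)
    # If Defender cannot even report its state, treat the host as blind, not as clean.
    try {
        $s = Get-MpComputerStatus -ErrorAction Stop
        [pscustomobject]@{
            ServiceEnabled   = $s.AMServiceEnabled
            RealTimeEnabled  = $s.RealTimeProtectionEnabled
            SignatureAgeDays = $s.AntivirusSignatureAge
            Healthy          = ($s.AMServiceEnabled -and $s.RealTimeProtectionEnabled -and
                                $s.AntivirusSignatureAge -le $MaxAgeDays)
        }
    } catch {
        [pscustomobject]@{ ServiceEnabled = $false; RealTimeEnabled = $false
                           SignatureAgeDays = $null; Healthy = $false }
    }
}

$patched  = Test-PatchApplied -KB $RequiredKB
$admins   = Get-StandingLocalAdmins
$standing = @($admins | Where-Object { -not $_.IsBuiltIn })
$defender = Get-DefenderHealth -MaxAgeDays $MaxSignatureAgeDays

$report = [pscustomobject]@{
    ComputerName       = $env:COMPUTERNAME
    OsBuild            = Get-OsBuild
    RequiredKB         = $RequiredKB
    PatchApplied       = $patched
    StandingAdminCount = $standing.Count
    StandingAdmins     = (@($standing | ForEach-Object { $_.Name }) -join '; ')
    DefenderHealthy    = $defender.Healthy
    DefenderSigAgeDays = $defender.SignatureAgeDays
    # Still exposed to the chain's first step: unpatched AND a standing-admin foothold exists
    Exposed            = ((-not $patched) -and ($standing.Count -gt 0))
}

$report | Format-List
# One row per host; collect centrally (Intune remediation script, scheduled task, etc.)
$report | Export-Csv -Path "$env:ProgramData\posture-$($env:COMPUTERNAME).csv" -NoTypeInformation
```

The `Exposed` flag is deliberately narrow: it fires only when the patch is absent and a standing-admin foothold exists on the same host, which is the combination the chain above needs for its first step. Defender health is reported separately because a blinded Defender is a visibility problem regardless of patch state, and the script's own existence is the point of the independent-visibility argument in the text: it does not depend on Defender to report that Defender is off.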
The organizations that limit exposure from ransomware attack chains are those that have removed the privilege foundation the escalation depends on — before a patch exists, not after. See how Privilege Manager changes the attack surface available to ransomware operators — or start a free trial and validate whether standing local admin rights still exist across your endpoint estate.
Frequently Asked Questions
Yes. CVE-2026-33825 is patched in May 2026 Patch Tuesday and available through Windows Update, WSUS, Intune, and Autopatch. Refer to the Microsoft MSRC advisory for the full affected version list. Confirming which endpoints have received the patch — rather than assuming rollout is complete — is the operational priority.
No. The Defender bypass technique remains partially unaddressed as of May 2026. Microsoft has not released a complete fix. This makes structural defences — particularly least-privilege enforcement — more important than patch cadence for this specific step in the chain.
No. Microsoft distributes Windows OS patches through Windows Update, WSUS, Intune, and Autopatch. CapaOne’s role is structural: Privilege Manager removes the escalation foundation the attack chain depends on, Security Monitor provides independent posture visibility when Defender is targeted, and Application Manager closes the third-party application layer used for post-escalation payload delivery.
The privilege escalation step requires a process context with access to Defender’s update mechanism. Privilege Manager removes standing local admin rights, replacing them with policy-based just-in-time elevation. This makes the conditions required for escalation to SYSTEM structurally harder to achieve — limiting the chain’s viability even on endpoints where the patch has not yet been confirmed applied.
Organizations that rely solely on Defender as their detection layer lose visibility into subsequent payloads — including ransomware — once the bypass succeeds. Security Monitor provides an independent posture and configuration layer that continues to operate regardless of Defender’s state, maintaining exposure visibility when Defender is the target.