CISA: Windows BlueHammer flaw now exploited by ransomware gangs

Jun 30, 2026 - 13:09

CISA confirmed on Monday that ransomware gangs have begun exploiting a high-severity Microsoft Defender privilege escalation vulnerability that has previously been abused in zero-day attacks.

Dubbed BlueHammer, the security flaw (CVE-2026-33825) was leaked by a security researcher known as "Nightmare Eclipse" in early April, together with proof-of-concept exploit code, in protest at how the Microsoft Security Response Center (MSRC) handles the disclosure process.

"Insufficient granularity of access control in Microsoft Defender allows an authorized attacker to elevate privileges locally," Microsoft explains in a security advisory.

Will Dormann, principal vulnerability analyst at Tharros, told BleepingComputer in April that while the issue is not easy to exploit, it gives local attackers access to the Security Account Manager (SAM) database, which contains password hashes for local accounts.

With this access, they can escalate to SYSTEM privileges and potentially take complete control of the targeted system.

“At that point, [the attackers] basically own the system, and can do things like spawn a SYSTEM-privileged shell,” Dormann said.

Exploit demo (Will Dormann)

Microsoft patched the vulnerability on April 14 as part of the April 2026 Patch Tuesday. However, days later, Huntress Labs security researchers revealed that threat actors had been exploiting it as a zero-day in attacks that showed evidence of "hands-on-keyboard threat actor activity."

Over the past several months, Nightmare Eclipse has disclosed multiple other Windows zero-day exploits, including for the RoguePlanet, RedSun, GreenPlasma, MiniPlasma, YellowKey, and UnDefend flaws.

Some of these vulnerabilities affect Microsoft Defender, while others target BitLocker and Windows components.

Microsoft fixed the GreenPlasma, MiniPlasma, and YellowKey security flaws three weeks ago as part of the June 2026 Patch Tuesday updates.

Flagged as exploited by ransomware gangs

CISA added the BlueHammer flaw to its Known Exploited Vulnerabilities (KEV) Catalog on April 22, ordering Federal Civilian Executive Branch (FCEB) agencies to patch their Windows devices against ongoing CVE-2026-33825 attacks within two weeks, by May 7.

"This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise," the U.S. cybersecurity agency warned at the time.

While Microsoft has yet to tag this security flaw as exploited in attacks, CISA has now also flagged it as exploited in ransomware campaigns in a Monday update to its KEV Catalog.

In recent years, CISA has flagged eight Microsoft Defender vulnerabilities that have been exploited in attacks, with two of them also targeted by ransomware gangs.
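The KEV entry described above carries the two pieces of data a defender acts on: the remediation due date and the ransomware-use flag that CISA updated on Monday. The following is an added example (not code from the article or from CISA) that triages a CVE against a catalog record in the shape of CISA's KEV JSON feed. The field names match the real feed; the dates and flag for the CVE-2026-33825 entry are taken from the article, while the second entry and all descriptive strings are constructed placeholders.

```python
import json
from datetime import date

# Constructed sample in the layout of the CISA KEV JSON feed. The
# CVE-2026-33825 values (dateAdded, dueDate, ransomware flag) follow the
# article; the second record is a placeholder and not a real CVE.
KEV_SAMPLE = json.dumps({
    "title": "KEV catalog (constructed sample)",
    "vulnerabilities": [
        {
            "cveID": "CVE-2026-33825",
            "vendorProject": "Microsoft",
            "product": "Defender",
            "vulnerabilityName": "Microsoft Defender Privilege Escalation Vulnerability",
            "dateAdded": "2026-04-22",
            "dueDate": "2026-05-07",
            "knownRansomwareCampaignUse": "Known",
        },
        {
            "cveID": "CVE-0000-00000",  # placeholder, not a real CVE
            "vendorProject": "ExampleVendor",
            "product": "ExampleProduct",
            "vulnerabilityName": "Placeholder entry",
            "dateAdded": "2026-06-01",
            "dueDate": "2026-06-22",
            "knownRansomwareCampaignUse": "Unknown",
        },
    ],
})


def load_kev(text):
    """Parse a KEV-format JSON document into a dict keyed by CVE id."""
    data = json.loads(text)
    return {entry["cveID"]: entry for entry in data["vulnerabilities"]}


def triage(catalog, cve_id, today):
    """Return remediation status for one CVE as of `today`.

    listed          - the CVE appears in the catalog
    ransomware      - CISA marks it as used in ransomware campaigns
    days_until_due  - negative once the FCEB due date has passed
    overdue         - True when the due date is strictly in the past
    """
    entry = catalog.get(cve_id)
    if entry is None:
        return {"listed": False, "ransomware": False,
                "days_until_due": None, "overdue": False}
    due = date.fromisoformat(entry["dueDate"])
    remaining = (due - today).days
    return {
        "listed": True,
        "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
        "days_until_due": remaining,
        "overdue": remaining < 0,
    }


def ransomware_cves(catalog):
    """List catalog entries CISA flags as known ransomware-campaign use."""
    return sorted(cve for cve, e in catalog.items()
                  if e.get("knownRansomwareCampaignUse") == "Known")


if __name__ == "__main__":
    kev = load_kev(KEV_SAMPLE)
    status = triage(kev, "CVE-2026-33825", date(2026, 6, 30))
    print("CVE-2026-33825 as of 2026-06-30:", status)
    print("ransomware-flagged entries:", ransomware_cves(kev))
```

Against the live feed the same two functions work unchanged once `KEV_SAMPLE` is replaced by the downloaded catalog text; the `knownRansomwareCampaignUse` field is what changed for this CVE in Monday's update, so a scheduled diff of `ransomware_cves` output is a simple way to notice that kind of re-flagging.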
