Ransomware Gangs Exploiting Microsoft Defender 'BlueHammer' Zero-Day, CISA Confirms
Ransomware groups have begun actively exploiting a high-severity privilege escalation vulnerability in **Microsoft Defender**, known as 'BlueHammer' (**CVE-2026-33825**). This flaw, initially leaked by a disgruntled security researcher, allows local attackers to gain SYSTEM privileges, posing a significant risk to unpatched **Windows** systems. The **Cybersecurity and Infrastructure Security Agency (CISA)** has now confirmed its exploitation in ransomware campaigns.

**CISA** confirmed on Monday that ransomware gangs are actively exploiting a critical privilege escalation vulnerability in **Microsoft Defender**, designated **CVE-2026-33825**.
### The 'BlueHammer' Vulnerability
Dubbed **BlueHammer**, this security flaw was publicly disclosed in early April by a security researcher known as "**Nightmare Eclipse**." The researcher released proof-of-concept exploit code, reportedly in protest against the **Microsoft Security Response Center (MSRC)**'s vulnerability disclosure processes.
**Microsoft** describes the flaw as an "insufficient granularity of access control in Microsoft Defender," which allows an authorized local attacker to elevate privileges.
### Escalating Privileges to SYSTEM
**Will Dormann**, Principal Vulnerability Analyst at **Tharros**, explained in April that while the issue isn't trivial to exploit, it grants local attackers access to the **Security Account Manager (SAM)** database. This database contains password hashes for local accounts, enabling attackers to escalate to **SYSTEM** privileges and potentially seize complete control of the targeted system.
"At that point, [the attackers] basically own the system, and can do things like spawn a SYSTEM-privileged shell," Dormann stated.

*Exploit demo (Will Dormann)*
**Microsoft** issued a patch for **CVE-2026-33825** on April 14 as part of its April 2026 Patch Tuesday updates. However, shortly after, **Huntress Labs** security researchers reported that threat actors were already exploiting the flaw as a zero-day in attacks demonstrating "hands-on-keyboard threat actor activity."
### Nightmare Eclipse's Disclosures
Over recent months, **Nightmare Eclipse** has disclosed several other **Windows** zero-day exploits, including those affecting **Microsoft Defender** (**RoguePlanet**, **RedSun**, **UnDefend**) and **BitLocker** or other **Windows** components (**GreenPlasma**, **MiniPlasma**, **YellowKey**).
**Microsoft** addressed the **GreenPlasma**, **MiniPlasma**, and **YellowKey** vulnerabilities in its June 2026 Patch Tuesday updates.
### CISA Flags Exploitation by Ransomware Gangs
**CISA** initially added the **BlueHammer** flaw to its **Known Exploited Vulnerabilities (KEV) Catalog** on April 22. Federal Civilian Executive Branch (**FCEB**) agencies were mandated to patch their **Windows** devices by May 7. At the time, **CISA** warned that "This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise."
In a recent update to its **KEV Catalog**, **CISA** has now explicitly flagged **CVE-2026-33825** as being exploited in ransomware campaigns. While **Microsoft** has yet to officially tag this specific flaw as exploited in attacks, **CISA** has previously identified eight **Microsoft Defender** vulnerabilities exploited in attacks, with two of those also being targeted by ransomware groups.
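As an added example (not part of the article, and not CISA's own tooling), the following Python helper shows how a defender can triage KEV entries like the one described above, separating ransomware-flagged and past-due items. The record is constructed inline using the field names of CISA's published KEV JSON feed and the dates the article gives; the second entry is a placeholder.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed. Field names follow
# the published feed; the first entry's values come from the article above,
# the second entry is a placeholder used only to exercise the filtering.
KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {
            "cveID": "CVE-2026-33825",
            "vendorProject": "Microsoft",
            "product": "Defender",
            "vulnerabilityName": "BlueHammer",   # article's nickname, not the feed's wording
            "dateAdded": "2026-04-22",
            "dueDate": "2026-05-07",
            "knownRansomwareCampaignUse": "Known",
        },
        {
            "cveID": "CVE-0000-00000",            # placeholder entry
            "vendorProject": "ExampleVendor",
            "product": "ExampleProduct",
            "vulnerabilityName": "Placeholder",
            "dateAdded": "2026-06-01",
            "dueDate": "2026-06-22",
            "knownRansomwareCampaignUse": "Unknown",
        },
    ],
})


def triage_kev(feed_json, vendor, today_iso):
    """Return `vendor`'s KEV entries, ransomware-flagged and overdue ones first.

    today_iso is an ISO date string (e.g. "2026-06-01") so the check is reproducible.
    """
    today = date.fromisoformat(today_iso)
    results = []
    for v in json.loads(feed_json)["vulnerabilities"]:
        if v["vendorProject"].lower() != vendor.lower():
            continue
        due = date.fromisoformat(v["dueDate"])
        results.append({
            "cve": v["cveID"],
            "product": v["product"],
            "ransomware": v.get("knownRansomwareCampaignUse") == "Known",
            "overdue": today > due,
            "days_past_due": (today - due).days,
        })
    # Sort so the highest-urgency rows (ransomware use, already past due) lead.
    results.sort(key=lambda r: (not r["ransomware"], not r["overdue"], r["cve"]))
    return results
```

Pointing `feed_json` at the live catalog download gives the same triage over the real feed; the due-date arithmetic applies the FCEB deadline the article cites.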