CISA orders federal agencies to patch exploited BlueHammer flaw

Summary
– CISA ordered U.S. federal agencies to patch Windows systems within two weeks against a Microsoft Defender privilege escalation flaw (CVE-2026-33825) exploited in zero-day attacks.
– The vulnerability allows low-privileged local attackers to gain SYSTEM permissions due to insufficient access control granularity.
– A researcher named “Chaotic Eclipse” published proof-of-concept exploit code for this and two other Defender flaws, protesting Microsoft’s disclosure handling.
– Huntress Labs reported that attackers exploited these zero-days in hands-on-keyboard intrusions, including suspicious FortiGate SSL VPN access linked to Russia.
– CISA added the flaw to its Known Exploited Vulnerabilities catalog, citing it as a frequent attack vector posing significant risk to federal enterprises.

CISA has mandated that all U.S. federal agencies secure their Windows systems within two weeks, responding to a Microsoft Defender privilege escalation vulnerability that is already being exploited in zero-day attacks.
The security flaw, designated CVE-2026-33825, carries a high-severity rating. It enables low-privileged local attackers to elevate their access to SYSTEM-level permissions on unpatched machines by exploiting a weakness classified as insufficient granularity of access control.
Microsoft addressed this vulnerability on April 14 as part of its monthly Patch Tuesday release. The fix came one week after a security researcher known as “Chaotic Eclipse” publicly released proof-of-concept exploit code under the name “BlueHammer.” The researcher stated the disclosure was a protest against how Microsoft’s Security Response Center (MSRC) handled the reporting process.
Chaotic Eclipse also revealed two additional Microsoft Defender privilege escalation flaws: “RedSun” and “UnDefend.” The latter can be exploited by a standard user to block Defender definition updates. At the time of the leak, all three vulnerabilities were considered zero-days because no official patches had been released.
On April 16, researchers at Huntress Labs disclosed that attackers had been actively exploiting these zero-days in real-world attacks. The activity showed signs of “hands-on-keyboard threat actor activity,” according to the cybersecurity firm.
“The activity also appeared to be part of a broader intrusion rather than isolated proof-of-concept (PoC) testing,” Huntress said in a Monday report. “Huntress identified suspicious FortiGate SSL VPN access tied to the compromised environment, including a source IP geolocated to Russia, with additional suspicious infrastructure observed in other regions.”
CISA has now added the BlueHammer vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog. The agency has ordered Federal Civilian Executive Branch (FCEB) agencies to patch their Windows systems against ongoing attacks by May 7, giving them exactly two weeks.
“This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise,” CISA warned. “Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.”
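The KEV listing turns a news item into a dated remediation obligation, so the practical defender task is tracking which catalog entries apply to your estate and how many days remain before each deadline. The script below is an added example (not from the article, CISA, or Microsoft): it parses records in the shape of the public KEV JSON feed (a top-level "vulnerabilities" list whose entries carry cveID, vendorProject, product, dateAdded, dueDate and requiredAction), filters them by product keyword, and reports overdue and imminent deadlines. The two sample records are constructed here; the BlueHammer dates (added April 23, due May 7, 2026) follow the article, while the dates on the second record are placeholders.

```python
"""Triage CISA KEV entries by remediation deadline (added example, not CISA code).

The record layout mirrors the public KEV JSON feed as the author understands it;
the records below are constructed for this example and are not a real download.
"""
import json
from datetime import date

# Constructed sample in the KEV feed's shape. Dates on the Defender entry follow
# the article; the Task Host entry's dates are placeholders, not real catalog data.
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed sample)",
    "vulnerabilities": [
        {
            "cveID": "CVE-2026-33825",
            "vendorProject": "Microsoft",
            "product": "Defender",
            "vulnerabilityName": "Microsoft Defender Privilege Escalation Vulnerability",
            "dateAdded": "2026-04-23",
            "shortDescription": "Insufficient granularity of access control allows a local "
                                "attacker to gain SYSTEM privileges.",
            "requiredAction": "Apply mitigations per vendor instructions, follow applicable "
                              "BOD 22-01 guidance for cloud services, or discontinue use of "
                              "the product if mitigations are unavailable.",
            "dueDate": "2026-05-07",
            "knownRansomwareCampaignUse": "Unknown",
        },
        {
            "cveID": "CVE-2025-60710",
            "vendorProject": "Microsoft",
            "product": "Windows",
            "vulnerabilityName": "Windows Task Host Privilege Escalation Vulnerability",
            "dateAdded": "2026-04-16",   # placeholder date
            "shortDescription": "Local privilege escalation to SYSTEM.",
            "requiredAction": "Apply mitigations per vendor instructions.",
            "dueDate": "2026-04-30",     # placeholder date
            "knownRansomwareCampaignUse": "Unknown",
        },
    ],
})


def load_kev(text):
    """Return the list of vulnerability records from a KEV-shaped JSON document."""
    return json.loads(text)["vulnerabilities"]


def due_status(entry, today, soon_days=7):
    """Classify one record relative to `today`: 'overdue', 'due_soon' or 'open'."""
    days_left = (date.fromisoformat(entry["dueDate"]) - today).days
    if days_left < 0:
        return "overdue", days_left
    if days_left <= soon_days:
        return "due_soon", days_left
    return "open", days_left


def triage(entries, today, products=None):
    """Rank applicable records by deadline.

    `products` is an optional list of case-insensitive keywords matched against
    "vendorProject product"; with no filter every record is considered.
    """
    rows = []
    for e in entries:
        haystack = f"{e['vendorProject']} {e['product']}".lower()
        if products and not any(p.lower() in haystack for p in products):
            continue
        status, days_left = due_status(e, today)
        rows.append({
            "cveID": e["cveID"],
            "product": e["product"],
            "dueDate": e["dueDate"],
            "daysLeft": days_left,
            "status": status,
        })
    # Earliest deadline first so the most urgent item is at the top of the list.
    rows.sort(key=lambda r: r["dueDate"])
    return rows


if __name__ == "__main__":
    for row in triage(load_kev(SAMPLE_KEV_JSON), date.today(), products=["Defender"]):
        print(f"{row['cveID']}: {row['status']} ({row['daysLeft']} days, due {row['dueDate']})")
```

In practice the JSON would come from the live feed rather than the embedded sample, and the product filter would be driven by a software inventory; the deadline logic is the same either way, and the "due_soon" window is the knob to tune for how early tickets should be raised.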
Just one week ago, CISA also issued a warning about another actively exploited vulnerability. Tracked as CVE-2025-60710, this Windows Task Host privilege-escalation flaw grants attackers SYSTEM privileges on unpatched Windows 11 and Windows Server 2025 devices.
(Source: BleepingComputer)