Ransomware gangs exploit Windows BlueHammer flaw, CISA warns

Summary
– CISA confirmed ransomware gangs are exploiting the Microsoft Defender vulnerability CVE-2026-33825 (BlueHammer), which was previously used in zero-day attacks.
– The flaw was leaked by researcher “Nightmare Eclipse” in April with exploit code, protesting Microsoft’s disclosure process.
– The vulnerability allows local attackers to access the SAM database, escalate to SYSTEM privileges, and fully control the targeted system.
– Microsoft patched it on April 14, 2026, but Huntress Labs reported it was already exploited as a zero-day with hands-on-keyboard activity.
– CISA added BlueHammer to its Known Exploited Vulnerabilities catalog on April 22, later flagging it as exploited in ransomware campaigns.
The U.S. Cybersecurity and Infrastructure Security Agency has confirmed that ransomware groups are now actively weaponizing a high-severity Microsoft Defender privilege escalation vulnerability, a flaw that had already been used in zero-day attacks before a patch was released.
Tracked as CVE-2026-33825 and nicknamed BlueHammer, the bug was first made public in early April by a security researcher operating under the alias “Nightmare Eclipse.” The researcher published both details and a proof-of-concept exploit as a protest against how Microsoft’s Security Response Center handles vulnerability disclosures.
According to Microsoft’s advisory, the issue stems from insufficient granularity of access control within Microsoft Defender. This allows an authenticated attacker to elevate privileges locally, potentially gaining SYSTEM-level control over a target machine.
Will Dormann, principal vulnerability analyst at Tharros, explained to BleepingComputer that although the exploit is not trivial to execute, it provides local attackers with access to the Security Account Manager (SAM) database, which stores password hashes for local accounts. From there, they can escalate privileges and take full control of the system.
“At that point, [the attackers] basically own the system, and can do things like spawn a SYSTEM-privileged shell,” Dormann said.
Microsoft addressed the vulnerability in its April 2026 Patch Tuesday updates, released on April 14. But within days, researchers at Huntress Labs reported that threat actors had already been exploiting the flaw as a zero-day, with evidence pointing to hands-on-keyboard threat actor activity.
Nightmare Eclipse has been responsible for disclosing several other Windows zero-day exploits over recent months, including bugs named RoguePlanet, RedSun, GreenPlasma, MiniPlasma, YellowKey, and UnDefend. Some affect Microsoft Defender, while others target BitLocker and other Windows components. Microsoft fixed GreenPlasma, MiniPlasma, and YellowKey in the June 2026 Patch Tuesday updates.
CISA first added BlueHammer to its Known Exploited Vulnerabilities (KEV) Catalog on April 22, giving Federal Civilian Executive Branch agencies until May 7 to patch their systems. At the time, the agency warned that such vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risks to federal networks.
Now, in a Monday update to the KEV Catalog, CISA has flagged BlueHammer as actively exploited in ransomware campaigns. Microsoft has not yet officially marked the flaw as exploited in attacks, but CISA’s latest alert underscores the growing threat.
Over the past several years, CISA has identified eight Microsoft Defender vulnerabilities exploited in the wild, with two of them also targeted by ransomware gangs. BlueHammer now joins that list, serving as a stark reminder that even after patches are released, threat actors move quickly to capitalize on unpatched systems.
(Source: BleepingComputer)
