CISA Says Microsoft Defender BlueHammer Flaw Is Now Used in Ransomware Attacks
CISA says ransomware gangs are now exploiting a Microsoft Defender privilege escalation vulnerability known as BlueHammer, as BleepingComputer reports.
The flaw, tracked as CVE-2026-33825, was patched by Microsoft on April 14, 2026, as part of the company’s April Patch Tuesday updates. However, security researchers later reported that attackers had already used the bug as a zero-day before the fix became available.
BlueHammer is a high-severity vulnerability in Microsoft Defender. According to Microsoft, the issue stems from insufficient access control granularity, which can allow an authorized local attacker (one who can already run code on the machine under a low-privileged account) to elevate privileges on the targeted Windows system.
BlueHammer Was Added to CISA’s Exploited Vulnerabilities List
CISA added CVE-2026-33825 to its Known Exploited Vulnerabilities catalog on April 22, shortly after Microsoft released its patch.
The agency has now updated the entry to warn that the vulnerability is being used in ransomware campaigns. That makes the flaw more urgent for organizations that have not yet installed April’s security updates.
Microsoft has not yet marked CVE-2026-33825 as exploited in attacks, even though CISA’s latest update links the flaw to ransomware activity.
Attackers Can Use the Flaw to Gain Higher Privileges
BlueHammer requires local access, so an attacker must already have a foothold on the device, for example a user session obtained through phishing or stolen credentials. Once inside, however, the vulnerability can turn that limited foothold into far greater control.
Security researcher Will Dormann said the flaw is not easy to exploit, but successful exploitation can expose the Security Account Manager database. The SAM database stores password hashes for local Windows accounts.
Attackers could use those hashes to escalate to SYSTEM privileges. SYSTEM-level access gives an attacker broad control over the compromised Windows machine, which helps ransomware operators disable defenses, move deeper into the network, and stage systems for encryption.
Researchers Reported Zero-Day Exploitation
Huntress Labs previously reported that threat actors had already exploited CVE-2026-33825 before Microsoft issued a patch.
Those attacks reportedly showed signs of hands-on-keyboard activity, which means attackers were actively controlling parts of the intrusion instead of relying only on automated malware.
The vulnerability also drew attention after a security researcher known as Nightmare Eclipse leaked details in early April. The leak reportedly included proof-of-concept exploit code and was described as a protest against Microsoft’s vulnerability disclosure process.
Organizations Should Apply the April Patch Tuesday Update
The main fix for BlueHammer arrived with Microsoft’s April 14, 2026 Patch Tuesday release.
Organizations should confirm, rather than assume, that every affected Windows system has actually received the relevant Defender security update. Security teams should also review endpoint logs for signs of privilege escalation, suspicious access to local accounts, and attempts to read or dump password hashes, in particular access to the SAM hive by processes that have no business touching it.
Because CISA now links the flaw to ransomware campaigns, unpatched systems may face a higher risk of post-compromise escalation. Even though BlueHammer does not allow remote compromise by itself, it can give attackers the permissions they need after gaining initial access through phishing, stolen credentials, exposed services, or malware.
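The following triage script is an added example for this article, not code from Microsoft, CISA, or the researchers cited above. It collects the two things the recommendations above ask for on a single host: the installed Defender platform and engine versions (so they can be compared against the build Microsoft shipped on April 14, 2026; the article does not state that version, so the `$MinPlatformVersion` parameter is a placeholder you must fill from the Microsoft advisory) and recent Security-log evidence of SAM hive access and special-privilege logons. Event 4663 entries for the SAM hive only appear if object-access auditing is enabled and a SACL exists on `HKLM\SAM`; that prerequisite is an assumption about your audit policy, not something the article describes.

```powershell
# Added example (not from the article): BlueHammer post-patch triage on one host.
# Run in an elevated PowerShell session.
param(
    # ASSUMPTION: replace with the patched Defender platform version from the Microsoft advisory.
    [version]$MinPlatformVersion = '0.0.0.0',
    [int]$LookbackHours = 72
)

$since = (Get-Date).AddHours(-$LookbackHours)

# Flatten the <EventData><Data Name=...> entries of a Security event into a hashtable.
function ConvertFrom-EventData {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    $x = [xml]$Event.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    return $d
}

# --- 1. Patch-state evidence ---------------------------------------------
$mp = Get-MpComputerStatus
$platform = [version]$mp.AMProductVersion
[pscustomobject]@{
    Computer          = $env:COMPUTERNAME
    DefenderPlatform  = $mp.AMProductVersion
    DefenderEngine    = $mp.AMEngineVersion
    SignatureUpdated  = $mp.AntivirusSignatureLastUpdated
    MeetsMinimumBuild = ($platform -ge $MinPlatformVersion)
} | Format-List

# --- 2. SAM hive access (event 4663) -------------------------------------
# Anything reading the SAM registry hive or its on-disk file other than
# lsass.exe deserves a second look. Patterns are regexes; '\\' matches one backslash.
$samPaths = '\\REGISTRY\\MACHINE\\SAM', '\\System32\\config\\SAM'
$samAccess = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = ConvertFrom-EventData $_
        [pscustomobject]@{
            Time       = $_.TimeCreated
            User       = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            Process    = $d.ProcessName
            ObjectName = $d.ObjectName
            AccessMask = $d.AccessMask
        }
    } |
    Where-Object {
        $o = $_.ObjectName
        ($samPaths | Where-Object { $o -match $_ }) -and ($_.Process -notmatch 'lsass\.exe$')
    }

"`nSAM hive access by non-lsass processes since $since :"
$samAccess | Sort-Object Time | Format-Table -AutoSize

# --- 3. Special-privilege logons (event 4672) ----------------------------
# Filters out the built-in service identities, session-manager accounts and
# machine accounts so that interactive or newly created admins stand out.
$privLogons = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4672; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = ConvertFrom-EventData $_
        [pscustomobject]@{ Time = $_.TimeCreated; User = $d.SubjectUserName; Privileges = $d.PrivilegeList }
    } |
    Where-Object {
        $_.User -notmatch '^(SYSTEM|LOCAL SERVICE|NETWORK SERVICE|DWM-\d+|UMFD-\d+)$' -and $_.User -notlike '*$'
    }

"`nSpecial-privilege logons by non-service accounts since $since :"
$privLogons | Group-Object User | Sort-Object Count -Descending |
    Select-Object @{n='User';e={$_.Name}}, Count, @{n='LastSeen';e={($_.Group | Measure-Object Time -Maximum).Maximum}} |
    Format-Table -AutoSize
```

The script reports rather than alerts: a Defender build below the minimum you supply is the clearest signal, while a 4663 hit on the SAM hive from an unexpected process, or a burst of 4672 logons for an account that was never supposed to hold `SeDebugPrivilege` or `SeBackupPrivilege`, is what to escalate to incident response. Run it across a fleet with `Invoke-Command` and the same parameters to find hosts that missed the April update.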