CISA Orders Emergency Patch for “BlueHammer” Windows Zero-Day Exploit
Federal patch deadline confirmed for May 7
The Cybersecurity and Infrastructure Security Agency (CISA) has ordered all U.S. federal agencies to urgently patch a critical Windows vulnerability already exploited in real-world attacks. The directive sets a strict two-week deadline, requiring remediation by May 7.
Critical flaw allows full system takeover
The vulnerability, tracked as CVE-2026-33825 and nicknamed “BlueHammer,” is a local privilege escalation (LPE) flaw. An attacker who already has code execution on a machine as a low-privileged user can exploit it to gain SYSTEM-level control, the highest privilege level on Windows. On its own the bug does not provide remote access; it has to be chained with some form of initial access.
Microsoft released a patch for the issue on April 14 as part of its Patch Tuesday updates. Security researchers confirmed, however, that the flaw was being exploited before the fix was available, which is what makes it a zero-day.
Active attacks raise concerns of targeted intrusions
Investigators observed real-world exploitation involving hands-on keyboard activity, suggesting attackers actively navigated compromised systems rather than relying on automated tools. Reports point to suspicious infrastructure and compromised VPN access, raising the possibility of coordinated or state-linked operations.
The severity comes from how attackers typically use such flaws. After gaining initial access, they exploit privilege escalation bugs like BlueHammer to take full control of the host and then use that control to expand their reach across the network.
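One telemetry pattern that exposes this chain is a process running as SYSTEM whose parent ran as an ordinary user account: legitimate SYSTEM processes are started by services.exe, wininit.exe, svchost.exe and the like, not by a user's shell or a file dropped in a Temp directory. The following is an added example, not code from the article or from Microsoft or CISA. It runs that check over constructed records shaped like Sysmon Event ID 1 (User, ParentUser, Image, ParentImage fields); the allow-list of trusted parents, the host names and the sample events are assumptions and are not tied to any specific CVE.

```python
"""Flag SYSTEM processes spawned from an unprivileged user's session.

Added example (not from the article, Microsoft or CISA). Models the generic
tell-tale of a local privilege escalation to SYSTEM: a child running as
NT AUTHORITY\\SYSTEM whose parent ran as a regular user. Records are
constructed in the shape of Sysmon Event ID 1, not real telemetry.
"""
from dataclasses import dataclass

SYSTEM_ACCOUNT = "NT AUTHORITY\\SYSTEM"

# Built-in privileged accounts that launch SYSTEM children by design.
PRIVILEGED_ACCOUNTS = {
    SYSTEM_ACCOUNT,
    "NT AUTHORITY\\LOCAL SERVICE",
    "NT AUTHORITY\\NETWORK SERVICE",
}

# Assumed allow-list of parents that legitimately start SYSTEM processes;
# tune per estate (e.g. EDR agents, backup services).
TRUSTED_SYSTEM_PARENTS = {
    r"c:\windows\system32\services.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\smss.exe",
}


@dataclass(frozen=True)
class ProcessCreate:
    """Subset of Sysmon Event ID 1 fields relevant to the check."""
    event_id: int
    utc_time: str
    image: str
    user: str
    parent_image: str
    parent_user: str
    command_line: str


def is_privileged(user: str) -> bool:
    # Machine accounts (ending in '$') and the built-in service identities
    # are privileged by design and are not interesting as parents.
    return user.upper() in PRIVILEGED_ACCOUNTS or user.endswith("$")


def suspicious_escalations(events):
    """Return process-creation events where a SYSTEM child has an
    unprivileged parent that is not a trusted system launcher."""
    hits = []
    for ev in events:
        if ev.event_id != 1:
            continue
        if ev.user.upper() != SYSTEM_ACCOUNT:
            continue  # child is not SYSTEM: not an escalation
        if is_privileged(ev.parent_user):
            continue  # SYSTEM-from-SYSTEM is normal
        if ev.parent_image.lower() in TRUSTED_SYSTEM_PARENTS:
            continue  # known legitimate launcher
        hits.append(ev)
    return hits


# Constructed sample events (not real logs). Two benign SYSTEM launches,
# one benign user process, and two SYSTEM children of a user's processes.
SAMPLE_EVENTS = [
    ProcessCreate(1, "2026-04-20 09:01:02", r"C:\Windows\System32\svchost.exe",
                  SYSTEM_ACCOUNT, r"C:\Windows\System32\services.exe",
                  SYSTEM_ACCOUNT, "svchost.exe -k netsvcs"),
    ProcessCreate(1, "2026-04-20 09:03:10", r"C:\Windows\System32\cmd.exe",
                  "CORP\\jdoe", r"C:\Windows\explorer.exe",
                  "CORP\\jdoe", "cmd.exe"),
    ProcessCreate(1, "2026-04-20 09:05:44", r"C:\Windows\System32\cmd.exe",
                  SYSTEM_ACCOUNT, r"C:\Users\jdoe\AppData\Local\Temp\update.exe",
                  "CORP\\jdoe", "cmd.exe /c whoami"),
    ProcessCreate(1, "2026-04-20 09:06:01", r"C:\Windows\System32\taskhostw.exe",
                  SYSTEM_ACCOUNT, r"C:\Windows\System32\svchost.exe",
                  SYSTEM_ACCOUNT, "taskhostw.exe"),
    ProcessCreate(1, "2026-04-20 09:07:15", r"C:\Windows\System32\whoami.exe",
                  SYSTEM_ACCOUNT, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                  "CORP\\jdoe", "whoami.exe"),
]


if __name__ == "__main__":
    for hit in suspicious_escalations(SAMPLE_EVENTS):
        print(f"{hit.utc_time}  {hit.parent_user} -> SYSTEM  "
              f"{hit.parent_image} spawned {hit.image}")
```

The check is deliberately narrow: it ignores user-to-admin elevation (UAC, runas) and only fires on a SYSTEM token appearing under an unprivileged parent, which is the outcome an LPE exploit produces. In a real pipeline the same logic would also be applied to the parent chain two or three levels up, since some exploits launch their payload through an intermediary.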
Additional threats complicate the situation
Alongside BlueHammer, researchers disclosed other dangerous Windows vulnerabilities, including RedSun, another privilege escalation flaw, and UnDefend, which can interfere with Microsoft Defender updates.
Not all of these issues have been fully patched, and some already show signs of active exploitation in the wild. This combination increases the overall risk for enterprise and government environments.
Federal mandate: patch or disconnect
CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog. Under Binding Operational Directive (BOD) 22-01, a KEV listing obliges federal civilian agencies to remediate by the catalog's due date: apply the vendor's patch or, where that is not possible, remove the affected systems from agency networks.
The directive highlights the urgency. SYSTEM-level access effectively gives attackers full control over compromised machines, making this type of vulnerability especially dangerous for critical infrastructure and government systems.
Broader impact on enterprise security
This incident reinforces a familiar pattern. Attackers rarely rely on a single exploit. Instead, they combine initial access with privilege escalation to achieve deeper persistence and control.
For enterprises, the takeaway is clear. Even a single unpatched system can become an entry point for widespread compromise, especially when zero-day vulnerabilities are involved.