A high-severity vulnerability in Microsoft Defender has given ransomware gangs a potent tool for taking control of Windows systems. The flaw, known as BlueHammer, allows an attacker who already has authenticated local access to a machine to escalate privileges and potentially take complete control of it.
The issue was first disclosed by the security researcher known as Nightmare Eclipse, who leaked proof-of-concept exploit code in early April. Microsoft patched the vulnerability on April 14, but threat actors appear to have begun exploiting it just days after the proof of concept leaked, while it was still unpatched. CISA, the US cybersecurity agency, added BlueHammer to its Known Exploited Vulnerabilities (KEV) Catalog on April 22, ordering federal agencies to patch their Windows devices within two weeks.
The vulnerability lies in how Microsoft Defender manages access control. An attacker with authenticated local access can abuse it to elevate privileges and read the Security Account Manager (SAM) database, which holds the password hashes for local accounts. Those hashes can be cracked offline or reused directly in pass-the-hash attacks to authenticate as the accounts they belong to, including local administrators, so an attacker who reaches the SAM can escalate further and move to other machines that share the same local credentials. As Will Dormann, principal vulnerability analyst at Tharros, put it in April, at that point an attacker can “basically own the system.”
That ransomware gangs are now exploiting BlueHammer is a worrying development: it means they have working exploits for the vulnerability in hand. CISA’s decision to add BlueHammer to its KEV Catalog indicates that the agency considers it a significant risk to federal systems. In recent years, CISA has flagged several Microsoft Defender vulnerabilities exploited in attacks, two of which were also used by ransomware gangs.
The exploitation of BlueHammer highlights the ongoing threat posed by zero-day exploits and the need for organizations to stay current with patches and updates. As CISA warned when it added BlueHammer to its KEV Catalog, “This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise.”
For security teams, this is a reminder to prioritize patching and to test their defenses against known vulnerabilities. Regularly testing every layer of their systems lets them find weaknesses before attackers do.
Source: Bleeping Computer — 2026-06-30