CISA: Windows BlueHammer flaw now exploited by ransomware gangs

A high-severity vulnerability in Microsoft Defender, dubbed BlueHammer, has been exploited by ransomware gangs, according to a recent update from the US Cybersecurity and Infrastructure Security Agency (CISA). The flaw, which was first disclosed in April by a security researcher known as “Nightmare Eclipse,” allows an authorized attacker to elevate privileges locally on a Windows system. This means that even if an attacker has limited access to a network, they can potentially gain complete control of the targeted system.

The BlueHammer vulnerability (CVE-2026-33825) was patched by Microsoft on April 14 as part of its April Patch Tuesday updates. However, it appears that threat actors were exploiting this flaw as a zero-day attack just days later. CISA added the BlueHammer flaw to its Known Exploited Vulnerabilities (KEV) Catalog on April 22, warning Federal Civilian Executive Branch (FCEB) agencies to patch their Windows devices against ongoing attacks within two weeks.

The exploitation of BlueHammer by ransomware gangs is particularly concerning because it allows attackers to escalate privileges and gain access to the Security Account Manager (SAM) database. This database contains password hashes for local accounts, which can be used to compromise the system further. With complete control over a Windows system, attackers can do things like spawn a SYSTEM-privileged shell, giving them free rein to modify or destroy sensitive data.

It’s worth noting that this is not an isolated incident. CISA has flagged several Microsoft Defender vulnerabilities in recent years as being exploited in attacks, with two of them targeted by ransomware gangs. This highlights the need for organizations to prioritize patching and vulnerability management, especially when it comes to high-severity flaws like BlueHammer.

The fact that a security researcher leaked the BlueHammer exploit code in protest over Microsoft’s disclosure process has raised questions about the handling of vulnerability disclosures. While the intention behind such leaks is often to raise awareness and prompt action from vendors, they can also inadvertently aid malicious actors by providing them with useful exploits.

For organizations, this serves as a reminder to test their defenses regularly and stay up-to-date on patches and updates. With the pace at which new vulnerabilities are being discovered and exploited, it’s essential to be proactive in your security posture. Regularly testing every layer of your environment can help identify potential weaknesses before attackers do, giving you time to respond and mitigate the risk.
Source: Bleeping Computer — 2026-06-30