CISA Adds BlueHammer to KEV Catalog Over Ransomware Exploitation

CISA has confirmed that ransomware groups are now actively exploiting a high-severity privilege escalation flaw in Microsoft Defender known as BlueHammer.

CISA updates its Known Exploited Vulnerabilities catalog. The agency placed the BlueHammer vulnerability, tracked as CVE-2026-33825, into its KEV Catalog on April 22. It directed Federal Civilian Executive Branch agencies to apply patches to their Windows systems by May 7. A fresh Monday revision to the catalog specifically identifies the issue as leveraged in ransomware operations. At the time of initial listing, the U.S. cybersecurity agency stated that "This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise."

BlueHammer vulnerability details and prior exploitation. The defect arises from insufficient granularity of access control inside Microsoft Defender. This reportedly lets an authorized local attacker raise their privileges. A security researcher operating under the alias "Nightmare Eclipse" released the flaw together with proof-of-concept code in early April. Shortly after Microsoft issued its fix, Huntress Labs analysts disclosed that adversaries had already deployed it as a zero-day, with signs of hands-on-keyboard threat actor activity.

Technical impact of successful exploitation. Will Dormann, principal vulnerability analyst at Tharros, told BleepingComputer in April that although the bug is not trivial to trigger, it grants local attackers access to the Security Account Manager database holding password hashes for local accounts. From there, adversaries can raise their rights to SYSTEM level and potentially seize full control of the targeted machine. "At that point, [the attackers] basically own the system, and can do things like spawn a SYSTEM-privileged shell," Dormann said.

Microsoft's response and patch timeline. Microsoft addressed BlueHammer on April 14 during its April 2026 Patch Tuesday release cycle. The company has not labeled the vulnerability as exploited in the wild, yet CISA has now done so regarding ransomware campaigns. Across recent years the agency has listed eight Microsoft Defender flaws used in real intrusions, two of which also drew ransomware attention.

Researcher's pattern of disclosures. Over recent months Nightmare Eclipse has publicly disclosed several additional Windows zero-day vulnerabilities, among them RoguePlanet, RedSun, GreenPlasma, MiniPlasma, YellowKey, and UnDefend. A subset impact Microsoft Defender; others strike BitLocker or additional Windows elements. Microsoft resolved GreenPlasma, MiniPlasma, and YellowKey three weeks ago inside the June 2026 Patch Tuesday updates.