A privilege escalation vulnerability in Microsoft Defender, tracked as CVE-2026-33825 and nicknamed BlueHammer, has been incorporated into ransomware campaigns, according to an updated entry in CISA’s Known Exploited Vulnerabilities (KEV) catalog.
Background and Disclosure Timeline
BlueHammer is one of several vulnerabilities publicly released by a researcher operating under the names Chaotic Eclipse and Nightmare Eclipse. The researcher disclosed the flaws ahead of any available patches, citing dissatisfaction with Microsoft’s vulnerability handling process. CVE-2026-33825 was made public on April 2, and Microsoft released patches on April 14, at which point the company confirmed that an authenticated attacker could exploit the flaw to escalate privileges on an affected system.
Cybersecurity firm Huntress observed the vulnerability being exploited in the wild as a zero-day before Microsoft’s patches were available. Microsoft’s advisory, last updated on April 30, acknowledges that exploitation is considered more likely but stops short of confirming in-the-wild attacks directly.
CISA KEV Update and Ransomware Connection
CISA added BlueHammer to its KEV catalog on April 22. The agency has since updated that entry to note that the flaw has been leveraged specifically in ransomware campaigns. The responsible ransomware group has not been publicly identified, and no detailed incident reports describing the exploitation have surfaced at this time.
Visibility Gap in KEV Notifications
The update highlights a broader concern among defenders: CISA does not proactively notify users when a KEV entry is updated to reflect ransomware exploitation. This limits the operational value of those updates for security teams monitoring the catalog. Threat intelligence firm GreyNoise released a free tool earlier this year specifically designed to help track changes to KEV entries and surface these updates more reliably.
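Because CISA does not push a notification when an existing KEV entry gains ransomware attribution, a team that only watches for newly added CVEs misses exactly the change described above. The script below is an added example (not GreyNoise's tool or any CISA code) that diffs two snapshots of the KEV JSON feed and flags entries whose knownRansomwareCampaignUse field flipped to "Known"; the two snapshots are constructed for illustration, and the second CVE in them is a placeholder.

```python
import json

# Constructed sample snapshots shaped like CISA's KEV JSON feed (the real feed is
# served at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# Entry text is illustrative; CVE-2026-00001 is a placeholder, not a real CVE.
KEV_BEFORE = json.loads("""{"catalogVersion": "2026.04.22", "vulnerabilities": [
  {"cveID": "CVE-2026-33825", "vendorProject": "Microsoft", "product": "Defender",
   "dateAdded": "2026-04-22", "knownRansomwareCampaignUse": "Unknown"}]}""")
KEV_AFTER = json.loads("""{"catalogVersion": "2026.05.01", "vulnerabilities": [
  {"cveID": "CVE-2026-33825", "vendorProject": "Microsoft", "product": "Defender",
   "dateAdded": "2026-04-22", "knownRansomwareCampaignUse": "Known"},
  {"cveID": "CVE-2026-00001", "vendorProject": "Placeholder", "product": "Placeholder",
   "dateAdded": "2026-05-01", "knownRansomwareCampaignUse": "Unknown"}]}""")

# Fields whose silent changes matter operationally (attribution, remediation guidance, deadline).
TRACKED_FIELDS = ("knownRansomwareCampaignUse", "requiredAction", "dueDate")


def diff_kev(before: dict, after: dict) -> dict:
    """Compare two KEV snapshots: return new CVE IDs and, for CVEs present in both,
    the tracked fields that changed as {field: (old_value, new_value)}."""
    old = {v["cveID"]: v for v in before["vulnerabilities"]}
    new = {v["cveID"]: v for v in after["vulnerabilities"]}
    added = sorted(set(new) - set(old))
    changed = {}
    for cve in set(new) & set(old):
        delta = {f: (old[cve].get(f), new[cve].get(f))
                 for f in TRACKED_FIELDS if old[cve].get(f) != new[cve].get(f)}
        if delta:
            changed[cve] = delta
    return {"added": added, "changed": changed}


def ransomware_escalations(diff: dict) -> list:
    """CVEs whose ransomware attribution became 'Known' in this update: the change
    that a 'new entries only' watch would never surface."""
    return sorted(cve for cve, d in diff["changed"].items()
                  if d.get("knownRansomwareCampaignUse", (None, None))[1] == "Known")


if __name__ == "__main__":
    d = diff_kev(KEV_BEFORE, KEV_AFTER)
    print("new entries:", d["added"])
    print("ransomware attribution added:", ransomware_escalations(d))
```

In practice you would persist yesterday's feed and pass the freshly downloaded copy as the second argument, then route the output of ransomware_escalations to whatever alerting channel the team already uses.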
Recommended Actions
- Apply Microsoft’s April 14 patch for CVE-2026-33825 immediately if not already deployed.
- Review endpoint detection logs for signs of privilege escalation activity on systems running Microsoft Defender.
- Consider using available KEV tracking tools to receive timely alerts when catalog entries are updated with ransomware attribution.
The combination of a pre-patch public disclosure, confirmed zero-day exploitation, and now ransomware involvement makes CVE-2026-33825 a high-priority remediation target for enterprise security teams.
