Particle.news

CISA Flags BlueHammer Flaw as Being Used in Ransomware Attacks

The agency’s update raises urgency because the bug grants SYSTEM-level access and patches have been available since mid-April.

Overview

  • The BlueHammer vulnerability (CVE-2026-33825) and proof-of-concept code were publicly leaked in early April by a researcher known as Nightmare Eclipse, which increased immediate exposure to attackers.
  • Microsoft released a patch for BlueHammer on April 14 and described the bug as an elevation-of-privilege flaw in Microsoft Defender that requires local or authenticated access to exploit.
  • Security researchers have shown that a successful exploit can read the Security Account Manager (SAM) database and escalate to SYSTEM, giving attackers full control of affected Windows endpoints.
  • Security firm Huntress reported hands-on-keyboard exploitation of BlueHammer before the April patch, and CISA has now updated its Known Exploited Vulnerabilities catalog to say ransomware gangs are using the flaw.
  • Microsoft has not publicly confirmed specific ransomware attributions, so defenders must act on CISA’s warning by applying the patch, auditing local accounts, and monitoring for suspicious SYSTEM-level activity.
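The last bullet names three defender actions: confirm the patch is applied, audit local accounts, and watch for SYSTEM-level activity. The PowerShell below is an added triage script written for this summary; it is not code from Microsoft, CISA, Huntress or the article. It assumes it runs elevated on the endpoint being checked, that the Security log is retained, and that `$ExpectedPlatformVersion` is filled in from the vendor advisory for CVE-2026-33825 (the value shown is a placeholder, since the article does not state the fixed Defender platform version). The privileged-logon query (event 4672) goes slightly beyond the text by excluding the built-in service identities so that only user accounts that received sensitive privileges are listed for review.

```powershell
# Added example for the three defender actions in the summary (not the article's own code).
# PLACEHOLDER: replace with the patched antimalware platform version from the Microsoft advisory.
$ExpectedPlatformVersion = [version]'0.0.0.0'

# 1. Patch check: compare the installed Defender antimalware platform version against the fixed one.
function Test-DefenderPlatformVersion {
    $status    = Get-MpComputerStatus
    $installed = [version]$status.AMProductVersion
    [pscustomobject]@{
        Installed = $installed
        Expected  = $ExpectedPlatformVersion
        Patched   = ($installed -ge $ExpectedPlatformVersion)
    }
}

# 2. Local account audit: every local account, whether it is enabled, whether it sits in
#    the local Administrators group, and when it last logged on / changed its password.
function Get-LocalAccountAudit {
    $admins = Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { $_.Name }
    Get-LocalUser | ForEach-Object {
        [pscustomobject]@{
            Name            = $_.Name
            Enabled         = $_.Enabled
            IsLocalAdmin    = ($admins -contains "$env:COMPUTERNAME\$($_.Name)")
            LastLogon       = $_.LastLogon
            PasswordLastSet = $_.PasswordLastSet
        }
    }
}

# 3. SYSTEM-level activity: logons that were granted sensitive privileges (Security event 4672)
#    within the last N hours, excluding the built-in service identities. The flaw's outcome is
#    elevation to SYSTEM, so user accounts appearing here warrant a closer look.
function Get-SuspiciousPrivilegedLogons {
    param([int]$Hours = 24)
    $since  = (Get-Date).AddHours(-$Hours)
    $benign = @('SYSTEM', 'LOCAL SERVICE', 'NETWORK SERVICE', 'DWM-*', 'UMFD-*')
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4672; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $user = ($xml.Event.EventData.Data | Where-Object { $_.Name -eq 'SubjectUserName' }).'#text'
            $isBenign = $false
            foreach ($pattern in $benign) { if ($user -like $pattern) { $isBenign = $true } }
            if (-not $isBenign) {
                [pscustomobject]@{ Time = $_.TimeCreated; User = $user; RecordId = $_.RecordId }
            }
        }
}

# Usage: run elevated; review anything with Patched = False, unexpected local admins, or
# privileged logons by accounts that should not normally hold SYSTEM-level rights.
Test-DefenderPlatformVersion
Get-LocalAccountAudit | Format-Table -AutoSize
Get-SuspiciousPrivilegedLogons -Hours 24 | Format-Table -AutoSize
```

The version comparison is deliberately a simple `-ge` on the platform version rather than a check for a specific update name, because the summary does not name one; substitute whatever the advisory specifies. Event 4672 is noisy on domain-joined hosts where administrators log on routinely, so treat its output as a review list to correlate with the account audit, not as an alert on its own.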