Overview
- CISA updated its Known Exploited Vulnerabilities catalog on Tuesday to state that CVE-2026-33825, nicknamed BlueHammer, has been leveraged in ransomware campaigns.
- Microsoft patched the BlueHammer privilege-escalation bug in Microsoft Defender on April 14 with fixes that prevent an authenticated local attacker from elevating to SYSTEM.
- Proof-of-concept exploit code was publicly leaked in early April by a researcher known as Nightmare Eclipse and security firm Huntress reported hands-on-keyboard zero-day use before Microsoft issued its patch.
- Many devices remain at risk because real-world patch deployment lags far behind patch release, leaving attackers time to weaponize published exploit code.
- There is no public attribution to a specific ransomware group yet and the discloser has signaled more controversial releases in July, which could drive further attack activity.