Particle.news
Download on the App Store

CISA Says BlueHammer Flaw Is Now Used in Ransomware Campaigns

The agency's update raises urgency because the exploit can grant attackers SYSTEM-level control of unpatched Windows devices.

Overview

  • CISA updated its Known Exploited Vulnerabilities catalog on Tuesday to state that CVE-2026-33825, nicknamed BlueHammer, has been leveraged in ransomware campaigns.
  • Microsoft patched the BlueHammer privilege-escalation bug in Microsoft Defender on April 14 with fixes that prevent an authenticated local attacker from elevating to SYSTEM.
  • Proof-of-concept exploit code was publicly leaked in early April by a researcher known as Nightmare Eclipse and security firm Huntress reported hands-on-keyboard zero-day use before Microsoft issued its patch.
  • Many devices remain at risk because real-world patch deployment lags far behind patch release, leaving attackers time to weaponize published exploit code.
  • There is no public attribution to a specific ransomware group yet and the discloser has signaled more controversial releases in July, which could drive further attack activity.