CISA Warns: Windows BlueHammer Vulnerability Exploited by Ransomware Gangs – Urgent Alert
CISA confirmed Monday that cybercriminals have started leveraging a critical Microsoft Defender security flaw for ransomware operations.
CISA Confirms Ransomware Groups Exploit Microsoft Defender Flaw
The vulnerability, designated CVE-2026-33825, was initially disclosed in early April by an independent researcher operating under the alias “Nightmare Eclipse.” The flaw enables unauthorized users to escalate privileges within affected systems, according to technical analyses.
Vulnerability Details and Technical Analysis
Microsoft’s security advisory describes the issue as stemming from “insufficient granularity of access control” within Defender, allowing attackers with local system access to manipulate the Security Account Manager (SAM) database. This component stores password hashes for local user accounts, providing a pathway for adversaries to gain SYSTEM-level privileges.
Microsoft’s Response and Patching Efforts
A proof-of-concept demonstration of the vulnerability was shared by Dormann during the same period. Microsoft addressed the issue on April 14 through its monthly Patch Tuesday updates. However, Huntress Labs researchers identified evidence of active exploitation within days, noting “hands-on-keyboard threat actor activity” in affected environments.
This suggests attackers are using the flaw as a zero-day vulnerability in targeted campaigns.
Nightmare Eclipse’s Previous Disclosures
Nightmare Eclipse has previously disclosed multiple Windows-related zero-day exploits, including flaws affecting Microsoft Defender, BitLocker, and core operating system components. Recent disclosures include vulnerabilities named RoguePlanet, RedSun, GreenPlasma, MiniPlasma, YellowKey, and UnDefend. Some of these flaws directly impact Defender’s security mechanisms, while others target encryption and system management features. Microsoft resolved the GreenPlasma, MiniPlasma, and YellowKey vulnerabilities in June 2026 through its Patch Tuesday updates.
CISA’s Inclusion in KEV Catalog
CISA added CVE-2026-33825 to its Known Exploited Vulnerabilities (KEV) catalog on April 22, requiring federal agencies to apply patches by May 7.
Conclusion
The agency emphasized the flaw’s potential to serve as a primary entry point for malicious actors, posing substantial risks to government infrastructure. Although Microsoft has not officially classified the vulnerability as actively exploited, CISA updated its KEV catalog on Monday to reflect its use in ransomware operations. This marks the eighth Microsoft Defender-related flaw flagged by CISA in recent years, with two of those previously linked to ransomware attacks.
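For defenders, the practical consequence of a KEV listing is a due date and, since this update, a ransomware-use flag that should raise the patch priority. The following is an added example, not code from the article or from CISA: it parses a catalog record in the layout of CISA's public KEV JSON feed (field names such as cveID, product, dateAdded, dueDate and knownRansomwareCampaignUse) and triages an asset inventory against it. The feed text below is constructed for the example; the CVE ID and the April 22 / May 7 dates are taken from the article, the second entry is a placeholder, and the description and product strings are assumptions rather than the catalog's actual wording.

```python
"""Triage host-inventory CVEs against a KEV-format catalog record.

Added example (not from the article or CISA). The JSON mirrors the
public KEV feed's field names; the record contents are constructed.
"""
import json
from datetime import date

# Constructed sample feed. Only the CVE ID and the dates come from the
# article; every other value is an assumption made for this example.
KEV_FEED_JSON = """
{
  "title": "Constructed KEV-style sample (not the real catalog)",
  "vulnerabilities": [
    {
      "cveID": "CVE-2026-33825",
      "vendorProject": "Microsoft",
      "product": "Microsoft Defender",
      "vulnerabilityName": "ASSUMED NAME - Microsoft Defender privilege escalation",
      "dateAdded": "2026-04-22",
      "shortDescription": "Assumed wording: insufficient granularity of access control allows local privilege escalation.",
      "requiredAction": "Apply mitigations per vendor instructions.",
      "dueDate": "2026-05-07",
      "knownRansomwareCampaignUse": "Known"
    },
    {
      "cveID": "CVE-0000-00001",
      "vendorProject": "PLACEHOLDER",
      "product": "PLACEHOLDER",
      "vulnerabilityName": "PLACEHOLDER - second entry to show an overdue item",
      "dateAdded": "2026-03-30",
      "shortDescription": "Placeholder entry.",
      "requiredAction": "Apply mitigations per vendor instructions.",
      "dueDate": "2026-04-20",
      "knownRansomwareCampaignUse": "Unknown"
    }
  ]
}
"""


def load_kev(feed_json: str) -> dict:
    """Parse a KEV-format feed and index its entries by CVE ID."""
    feed = json.loads(feed_json)
    return {entry["cveID"]: entry for entry in feed["vulnerabilities"]}


def triage(kev: dict, inventory_cves, today: date) -> list:
    """Return the inventory CVEs that appear in KEV, most urgent first.

    Ordering: entries flagged as used in ransomware campaigns come first,
    then everything else by days remaining until the CISA due date
    (negative means the due date has already passed).
    """
    hits = []
    for cve in inventory_cves:
        entry = kev.get(cve)
        if entry is None:
            continue  # Not in KEV: no catalog-driven deadline applies.
        due = date.fromisoformat(entry["dueDate"])
        days_left = (due - today).days
        hits.append({
            "cveID": cve,
            "product": entry["product"],
            "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
            "due_date": entry["dueDate"],
            "days_until_due": days_left,
            "overdue": days_left < 0,
        })
    hits.sort(key=lambda h: (not h["ransomware"], h["days_until_due"]))
    return hits


if __name__ == "__main__":
    # Constructed inventory: two KEV-listed CVEs plus one not in the catalog.
    inventory = ["CVE-0000-00001", "CVE-2026-33825", "CVE-0000-99999"]
    for hit in triage(load_kev(KEV_FEED_JSON), inventory, date(2026, 4, 27)):
        flag = "RANSOMWARE" if hit["ransomware"] else "          "
        state = "OVERDUE" if hit["overdue"] else f"{hit['days_until_due']:3d} days left"
        print(f"{flag} {hit['cveID']:16s} due {hit['due_date']}  {state}")
```

Against the live feed the same code would read the downloaded JSON from disk instead of the embedded string; the sort key is the part worth adapting, for example to put already-overdue items ahead of everything once a ransomware-flagged entry has been handled.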
