
Ransomware Groups Exploiting BlueHammer Vulnerability in Microsoft Defender

In brief: Ransomware extortionists are exploiting insufficient access controls in Microsoft Defender (CVE-2026-33825) to obtain SYSTEM privileges and fully compromise systems.

The US cybersecurity agency CISA has confirmed that ransomware groups are actively exploiting the vulnerability CVE-2026-33825 in Microsoft Defender to escalate privileges. The vulnerability, known as BlueHammer, enables attackers to access the SAM database and thereby obtain SYSTEM rights.

On Monday, CISA updated its Known Exploited Vulnerabilities (KEV) catalog to record that the BlueHammer vulnerability (CVE-2026-33825) is being used in ransomware campaigns. The vulnerability had already been added to the catalog on 22 April, which set a remediation deadline of 7 May for federal agencies.

Insufficient granularity of access controls in Microsoft Defender allows an attacker who already has local access (an "authorized attacker" in Microsoft's terminology) to escalate privileges locally. According to Will Dormann, security analyst at Tharros, exploiting the vulnerability gives a local attacker access to the Security Account Manager (SAM) database, which stores the password hashes of local accounts. With that access, attackers can obtain SYSTEM rights and take near-complete control of the compromised system.

A security researcher using the pseudonym Nightmare Eclipse released exploit code for BlueHammer in early April as a protest against Microsoft's vulnerability disclosure process. Microsoft patched the vulnerability on 14 April in its regular April Patch Tuesday release. Shortly afterwards, researchers at Huntress Labs found that attackers had already been exploiting the vulnerability as a zero-day in active attacks before the patch was available.

Nightmare Eclipse has disclosed several further Windows zero-days in recent months, including RoguePlanet, RedSun, GreenPlasma, MiniPlasma, YellowKey and UnDefend. Some of these have since been fixed in the June Patch Tuesday release. In total, CISA lists eight vulnerabilities in Microsoft Defender that have been exploited in active attacks, two of them specifically by ransomware gangs.
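The KEV catalog entries referred to above (the 22 April addition, the 7 May deadline, and the ransomware flag) are what a defender actually queries when prioritising patches. The following script is an added example and is not code from the article, from CISA or from Microsoft. It uses the field names CISA publishes in its known_exploited_vulnerabilities.json feed (cveID, vendorProject, product, dateAdded, dueDate, knownRansomwareCampaignUse, and so on), but the three embedded records are constructed for this example: only the BlueHammer entry's CVE ID, dates and ransomware flag reflect what the article reports, and the other two records are placeholders. For real use, replace KEV_SAMPLE with the body of the live JSON feed.

```python
"""Triage of the CISA Known Exploited Vulnerabilities (KEV) catalog for one product.

Added example, not code from the article, CISA or Microsoft. Field names match
CISA's known_exploited_vulnerabilities.json schema; the records below are
CONSTRUCTED. Only the CVE-2026-33825 dates and ransomware flag come from the
article; all other values and the other two records are placeholders.
"""
import json
from datetime import date
from typing import Dict, List

KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed sample)",
    "vulnerabilities": [
        {   # BlueHammer: CVE ID, dateAdded, dueDate and ransomware flag as the article reports
            "cveID": "CVE-2026-33825",
            "vendorProject": "Microsoft",
            "product": "Defender",
            "vulnerabilityName": "Microsoft Defender Privilege Escalation (BlueHammer)",  # constructed wording
            "dateAdded": "2026-04-22",
            "shortDescription": "Insufficient granularity of access control allows local privilege escalation.",
            "requiredAction": "Apply mitigations per vendor instructions or discontinue use of the product.",
            "dueDate": "2026-05-07",
            "knownRansomwareCampaignUse": "Known",
        },
        {   # Placeholder: a second Defender entry with no ransomware link (not a real CVE)
            "cveID": "CVE-2026-00001",
            "vendorProject": "Microsoft",
            "product": "Defender",
            "vulnerabilityName": "Placeholder Defender entry",
            "dateAdded": "2026-06-24",
            "shortDescription": "Constructed placeholder record.",
            "requiredAction": "Apply mitigations per vendor instructions or discontinue use of the product.",
            "dueDate": "2026-07-15",
            "knownRansomwareCampaignUse": "Unknown",
        },
        {   # Placeholder: unrelated vendor/product, must be filtered out (not a real CVE)
            "cveID": "CVE-2026-00002",
            "vendorProject": "ExampleVendor",
            "product": "ExampleAppliance",
            "vulnerabilityName": "Placeholder appliance entry",
            "dateAdded": "2026-06-01",
            "shortDescription": "Constructed placeholder record.",
            "requiredAction": "Apply mitigations per vendor instructions or discontinue use of the product.",
            "dueDate": "2026-06-22",
            "knownRansomwareCampaignUse": "Known",
        },
    ],
})


def parse_kev(text: str) -> List[Dict[str, str]]:
    """Return the list of vulnerability records from the raw KEV JSON text."""
    return json.loads(text)["vulnerabilities"]


def for_product(entries: List[Dict[str, str]], vendor: str, product: str) -> List[Dict[str, str]]:
    """Records whose vendorProject equals `vendor` and whose product contains `product` (case-insensitive)."""
    return [
        e for e in entries
        if e["vendorProject"].lower() == vendor.lower()
        and product.lower() in e["product"].lower()
    ]


def ransomware_linked(entries: List[Dict[str, str]]) -> List[str]:
    """CVE IDs that CISA has flagged as used in known ransomware campaigns."""
    return [e["cveID"] for e in entries if e["knownRansomwareCampaignUse"] == "Known"]


def overdue(entries: List[Dict[str, str]], today: date) -> List[str]:
    """CVE IDs whose federal remediation deadline (dueDate) has already passed."""
    return [e["cveID"] for e in entries if date.fromisoformat(e["dueDate"]) < today]


def summarize(text: str, vendor: str, product: str, today_iso: str) -> Dict[str, object]:
    """Count, ransomware-linked and overdue entries for one product as of `today_iso` (YYYY-MM-DD)."""
    hits = for_product(parse_kev(text), vendor, product)
    today = date.fromisoformat(today_iso)
    return {
        "count": len(hits),
        "ransomware": ransomware_linked(hits),
        "overdue": overdue(hits, today),
    }


if __name__ == "__main__":
    # As of the article's publication date, 1 July 2026.
    print(summarize(KEV_SAMPLE, "Microsoft", "Defender", "2026-07-01"))
```

The matching on product is a substring match because CISA's product field is free text and is not always spelled consistently across entries for the same product line; the overdue check compares only against dueDate, which is the date federal agencies must meet and a reasonable internal SLA for everyone else.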


Source: www.it-daily.net · Published 1 July 2026
Lumi AI News — AI-assisted curation pursuant to Article 50 EU AI Act. Paraphrasing and classification by Lumi News Pipeline v1.7.2.
