
Ransomware Groups Exploit BlueHammer Vulnerability in Microsoft Defender for Privilege Escalation

Bottom line: Ransomware gangs are exploiting a vulnerability in Microsoft Defender whose insufficient access controls let a local attacker read the SAM database and obtain SYSTEM privileges.

The US cybersecurity agency CISA confirmed that ransomware groups are actively exploiting vulnerability CVE-2026-33825 in Microsoft Defender to obtain system rights. The vulnerability was patched in April but is now being exploited in active campaigns.

The vulnerability known as BlueHammer, CVE-2026-33825, allows local attackers to escalate privileges through inadequate access controls in Microsoft Defender. A security analyst at Tharros explains that attackers can use this to gain access to the Security Account Manager (SAM) database, where password hashes of local accounts are stored. With these hashes, attackers can obtain SYSTEM rights and subsequently execute arbitrary commands with system privileges.

The security vulnerability was first disclosed in early April 2024 by a security researcher under the pseudonym Nightmare Eclipse — a move the researcher justified as protest against Microsoft’s vulnerability disclosure procedures. Microsoft patched the vulnerability on April 14, 2024. However, security researchers from Huntress Labs discovered shortly after the patch was released that attackers had already been exploiting the vulnerability in live attacks before the fix was published. CISA added BlueHammer to its KEV catalogue on April 22 and set a five-day remediation deadline, requiring US federal agencies to remediate by May 7.

Nightmare Eclipse has published several Windows zero-day vulnerabilities in recent months, including RoguePlanet, RedSun, GreenPlasma, MiniPlasma, YellowKey and UnDefend — many of which affect Microsoft Defender, BitLocker or other Windows components. Of the eight Microsoft Defender vulnerabilities that CISA has documented as exploited in attacks, two have been specifically targeted by ransomware gangs. For CISOs, this means a dual need for action: on the one hand, updates for Microsoft Defender should be deployed with the highest priority; on the other hand, control over local administrator accounts must be tightened, since their compromise through this vulnerability leads to full system compromise.


Source: www.it-daily.net · Published July 1, 2026
Lumi AI News — AI-assisted curation in accordance with Article 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.2.
