Windows Defender BlueHammer flaw now used by ransomware gangs for SYSTEM access

CISA has updated its Known Exploited Vulnerabilities catalog to warn that ransomware gangs are now exploiting BlueHammer, a Microsoft Defender privilege-escalation flaw. The bug (CVE-2026-33825) lets a local attacker who already has a foothold escalate to SYSTEM by abusing Defender's file-remediation logic, giving them access to password hashes and the control needed to disable defenses and prepare systems for encryption. It was leaked with proof-of-concept code by a researcher in early April as a protest over Microsoft's disclosure process, exploited as a zero-day, then patched on April 14. It cannot be used for remote compromise on its own, but it strengthens attackers after initial access.

Check
Confirm the April 2026 Microsoft Defender update is applied across all Windows systems, and review endpoint logs for local privilege escalation, suspicious local-account access, and attempts to dump or read password hashes.
Affected
Windows systems missing the April 2026 Defender patch (CVE-2026-33825); after gaining initial access, attackers use the flaw to reach SYSTEM privileges, dump password hashes, and disable defenses ahead of ransomware.
Fix
Ensure the Microsoft Defender update is installed everywhere, prioritize systems exposed to phishing or stolen-credential access, and monitor for privilege-escalation behavior, since this flaw is now part of active ransomware playbooks.
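The verification described under Check and Fix, as an added PowerShell example (not from the article or from Microsoft): it reads the host's Defender platform and engine versions with the real `Get-MpComputerStatus` cmdlet, compares them against minimums you fill in from the April 2026 release notes (the `$MinPlatform` and `$MinEngine` values below are placeholders, since the article gives no version numbers), and pulls the recent Defender and Security log entries worth reviewing for disabled protection and unexpected privileged logons.

```powershell
# Added example, not code from the article. Run elevated on a Windows host.
# PLACEHOLDERS: set both minimums from the April 2026 Defender release notes.
param(
    [version]$MinPlatform  = [version]'0.0.0.0',   # placeholder: patched platform version
    [version]$MinEngine    = [version]'0.0.0.0',   # placeholder: patched engine version
    [int]$LookbackHours    = 24
)

# 1. Patch state: AMProductVersion is the Defender platform, AMEngineVersion the engine.
$status   = Get-MpComputerStatus
$platform = [version]$status.AMProductVersion
$engine   = [version]$status.AMEngineVersion

[pscustomobject]@{
    Computer         = $env:COMPUTERNAME
    PlatformVersion  = $platform
    EngineVersion    = $engine
    PlatformPatched  = ($platform -ge $MinPlatform)
    EnginePatched    = ($engine   -ge $MinEngine)
    RealTimeEnabled  = $status.RealTimeProtectionEnabled
    TamperProtected  = $status.IsTamperProtected
} | Format-List

$since = (Get-Date).AddHours(-$LookbackHours)

# 2. Defender operational log: 1116 = threat detected, 1117 = remediation action taken
#    (the article says the flaw abuses remediation logic), 5001 = real-time protection
#    disabled (attackers disable defenses before encryption).
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1116, 1117, 5001
    StartTime = $since
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-Table -Wrap

# 3. Security log 4672 (special privileges assigned to new logon): group by account so
#    local accounts that suddenly receive SYSTEM-level privileges stand out for review.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4672
    StartTime = $since
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, @{ n = 'Account'; e = { $_.Properties[1].Value } } |
    Group-Object Account |
    Sort-Object Count -Descending |
    Format-Table Name, Count
```

Feed the script to your fleet tooling (Invoke-Command, Intune scripts, or similar) and treat any host with `PlatformPatched` or `EnginePatched` false, or `RealTimeEnabled` false, as a priority for the update described above.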