Windows Defender BlueHammer flaw now used by ransomware gangs for SYSTEM access
CISA has updated its Known Exploited Vulnerabilities catalog to warn that ransomware gangs are now exploiting BlueHammer, a Microsoft Defender privilege-escalation flaw. The bug (CVE-2026-33825) lets a local attacker who already has a foothold escalate to SYSTEM by abusing Defender's file-remediation logic; from SYSTEM they can dump password hashes, disable defenses and stage systems for encryption. It was leaked with proof-of-concept code by a researcher in early April as a protest over Microsoft's disclosure process, exploited as a zero-day, then patched on April 14. It is not a remote compromise on its own: it requires an existing local foothold, but it is a strong post-exploitation step once initial access has been gained.
- Check
- Confirm the April 2026 Microsoft Defender update is applied across all Windows systems by checking the Defender platform and engine versions on each host against the fixed version in Microsoft's advisory (Defender updates ship separately from the monthly OS cumulative update, so OS patch level alone does not prove the host is fixed), and review endpoint logs for local privilege escalation (processes started with a SYSTEM token from a user's session, SYSTEM-level child processes with unexpected parents), suspicious local-account access, and attempts to dump or read password hashes (LSASS handle access, SAM/SECURITY hive reads).
- Affected
- Windows systems missing the April 2026 Defender patch (CVE-2026-33825); after gaining initial access, attackers use the flaw to reach SYSTEM privileges, dump password hashes, and disable defenses ahead of ransomware.
- Fix
- Ensure the Microsoft Defender update is installed everywhere, prioritize systems exposed to phishing or stolen-credential access, and monitor for privilege-escalation behavior, since this flaw is now part of active ransomware playbooks.
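The following PowerShell script is an added example of the Check and Fix items above; it is not code from the article, CISA or Microsoft. It assumes it is run elevated on a Windows host with Microsoft Defender Antivirus, that the fixed platform/engine versions are supplied from Microsoft's advisory for CVE-2026-33825 (the article does not state them, so the defaults are placeholders), that process-creation auditing (Security Event ID 4688) is enabled, and it skips the LSASS check if Sysmon is not installed. The process list it returns is a review list for an analyst, not a verdict: legitimate software also spawns SYSTEM processes.

```powershell
# Added example (not from the article or Microsoft). Reports Defender version status and pulls
# recent events that match how a local privilege escalation to SYSTEM and credential dumping
# usually look on a host. Run elevated.
param(
    # ASSUMPTION: replace both with the fixed versions from Microsoft's advisory for CVE-2026-33825.
    [version]$MinimumPlatformVersion = '0.0.0.0',
    [version]$MinimumEngineVersion   = '0.0.0.0',
    [int]$LookbackHours = 24
)

function Get-DefenderPatchStatus {
    param([version]$MinimumPlatformVersion, [version]$MinimumEngineVersion)
    $s = Get-MpComputerStatus   # Defender platform/engine versions; these update independently of the OS LCU
    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        PlatformVersion    = $s.AMProductVersion
        EngineVersion      = $s.AMEngineVersion
        SignaturesUpdated  = $s.AntivirusSignatureLastUpdated
        RealTimeProtection = $s.RealTimeProtectionEnabled
        MeetsMinimum       = ([version]$s.AMProductVersion -ge $MinimumPlatformVersion) -and
                             ([version]$s.AMEngineVersion  -ge $MinimumEngineVersion)
    }
}

# Flatten an event's <EventData> into a hashtable keyed by field name.
function ConvertFrom-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $x = [xml]$Event.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    $d
}

# Security 4688: new processes running as SYSTEM (S-1-5-18). Strong signal: a non-SYSTEM
# account created a process that runs under a SYSTEM token. Weaker signal: a SYSTEM process
# whose parent is not one of the normal service-control parents.
function Get-UnexpectedSystemProcesses {
    param([int]$LookbackHours)
    $expectedParents = @('services.exe', 'svchost.exe', 'wininit.exe', 'smss.exe', 'csrss.exe', 'winlogon.exe')
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-$LookbackHours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $d = ConvertFrom-EventData -Event $_
        $reason = $null
        if ($d.TargetUserSid -eq 'S-1-5-18' -and $d.SubjectUserSid -ne 'S-1-5-18') {
            $reason = "Created by $($d.SubjectDomainName)\$($d.SubjectUserName) but runs as SYSTEM"
        }
        elseif ($d.SubjectUserSid -eq 'S-1-5-18') {
            $parent = Split-Path -Leaf ([string]$d.ParentProcessName)
            if ($expectedParents -notcontains $parent) { $reason = "SYSTEM process with unexpected parent $parent" }
        }
        if (-not $reason) { return }   # skip this event, continue with the next
        [pscustomobject]@{
            Time        = $_.TimeCreated
            NewProcess  = $d.NewProcessName
            Parent      = $d.ParentProcessName
            CommandLine = $d.CommandLine   # empty unless command-line auditing is enabled
            Reason      = $reason
        }
    }
}

# Sysmon Event ID 10: handles opened on lsass.exe, the usual precursor to dumping password hashes.
function Get-LsassAccess {
    param([int]$LookbackHours)
    $log = 'Microsoft-Windows-Sysmon/Operational'
    if (-not (Get-WinEvent -ListLog $log -ErrorAction SilentlyContinue)) { return }   # Sysmon not installed
    $filter = @{ LogName = $log; Id = 10; StartTime = (Get-Date).AddHours(-$LookbackHours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $d = ConvertFrom-EventData -Event $_
        if ($d.TargetImage -notmatch '\\lsass\.exe$') { return }
        [pscustomobject]@{ Time = $_.TimeCreated; Source = $d.SourceImage; GrantedAccess = $d.GrantedAccess }
    }
}

$patch = Get-DefenderPatchStatus -MinimumPlatformVersion $MinimumPlatformVersion -MinimumEngineVersion $MinimumEngineVersion
$patch | Format-List
if (-not $patch.MeetsMinimum) {
    Write-Warning "Defender platform $($patch.PlatformVersion) / engine $($patch.EngineVersion) is below the required version; update before anything else."
}
Get-UnexpectedSystemProcesses -LookbackHours $LookbackHours | Format-Table -AutoSize
Get-LsassAccess -LookbackHours $LookbackHours | Format-Table -AutoSize
```

Run it per host (or wrap the three functions in Invoke-Command for a fleet) and feed the patch status into whatever inventory you use to prioritise the phishing-exposed and credential-exposed systems the Fix item names. Defender's own components will appear in the SYSTEM-process list because they run as SYSTEM and spawn helpers; the value is in reviewing what is unfamiliar for a given host, especially in the window between initial access and encryption.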