0dayNews · Breaking

CISA confirms BlueHammer Defender LPE is being used in ransomware attacks

CVE-2026-33825, the Microsoft Defender local privilege escalation disclosed as a zero-day by 'Chaotic Eclipse' in April, is confirmed weaponized in ransomware. Patched. Ransomware family unnamed.

airgap · Published · 3 min read

Confirmed. Ransomware family unnamed. The U.S. Cybersecurity and Infrastructure Security Agency has confirmed that CVE-2026-33825 — the Microsoft Defender local privilege escalation known as BlueHammer — was weaponized in ransomware attacks, per The Hacker News’ July 2 ThreatsDay digest. Microsoft shipped the fix on April 2026 Patch Tuesday. CISA added the CVE to the Known Exploited Vulnerabilities catalog on 2026-04-22, with a federal mitigation deadline of 2026-05-06. Both dates are already behind us. Read the CISA update as a status change — from “exploited” to “exploited by ransomware” — not a new vuln.

Timeline

  • 2026-04-10 — Huntress observes BlueHammer exploitation in the wild. Confirmed at time of Huntress’ April warning, per The Hacker News.
  • 2026-04-14 — Microsoft patches BlueHammer as CVE-2026-33825 in Patch Tuesday. Two sibling flaws — RedSun (LPE) and UnDefend (definition-update DoS) — remain unpatched at that time, per the same reporting.
  • 2026-04-22 — CISA adds CVE-2026-33825 to the KEV catalog. Federal civilian agencies given until 2026-05-06 to remediate.
  • 2026-07-02 — CISA confirms ransomware use. Which family, The Hacker News says, is unclear.

What it is

CVE-2026-33825 is an insufficient-access-control granularity flaw in Microsoft Defender Antimalware Platform, affecting builds from 4.0.0.0 up to, but not including, 4.18.26030.3011. An authorized local user can elevate to a higher-privilege context. CVSS 7.8, HIGH per NVD. Local, not remote — the attacker needs a foothold first. Ransomware crews get that foothold with phishing, stolen creds, or a prior vuln in something internet-facing. BlueHammer is the second stage.

The flaw was disclosed as a zero-day by a researcher going by Chaotic Eclipse (aka Nightmare-Eclipse), part of a set of three protest-disclosures aimed at Microsoft’s handling of the coordination process. Two of the three — RedSun and UnDefend — did not have fixes at the time of Huntress’ April warning. Unconfirmed as to whether they do now; treat accordingly and check MSRC directly for current status before assuming.

What to actually do

  • Confirm you’re on Defender Antimalware Platform 4.18.26030.3011 or later on every endpoint. Microsoft ships the definition/platform update automatically for most tenants — automatic doesn’t mean universal. Check.
  • Assume any endpoint that ran a pre-April-14 platform build for any window is potentially in-scope, especially if it also had exposure to phishing, credential theft, or an internet-facing vuln during that window. LPE is a second stage — pair it with your initial-access telemetry.
  • Watch for RedSun and UnDefend patch status. BlueHammer got fixed first because researchers went public. The other two were still open as of the April writeup — if MSRC has since shipped patches, you want them.
  • KEV deadline has passed for federal agencies. If you’re a fed civilian and CVE-2026-33825 is not remediated on an inventoried asset, that is a BOD 22-01 issue, not a hypothetical.
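The first item above says "check" rather than trusting automatic updates. The script below is an added example, not code from the article or from Microsoft: it compares platform version strings from an endpoint inventory against the fixed build the article cites (4.18.26030.3011). The inventory is constructed; in practice the version strings would come from the AMProductVersion property of Get-MpComputerStatus or an EDR/MDM export. The point it makes beyond the text is that the comparison has to be numeric per component, because a lexical string comparison misranks builds like 4.18.26030.9.

```python
"""Added example (not from the 0dayNews article): bucket an endpoint inventory
by whether its Defender Antimalware Platform build is at or above the fixed
build for CVE-2026-33825. Hostnames and versions below are constructed."""
from typing import Dict, List, Tuple

# Fixed build per the article / NVD affected range.
FIXED_PLATFORM = "4.18.26030.3011"


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '4.18.26030.3011' into (4, 18, 26030, 3011).

    Comparison must be numeric per component: as strings,
    '4.18.26030.9' > '4.18.26030.3011', which is the wrong answer.
    """
    parts = v.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable platform version: {v!r}")
    return tuple(int(p) for p in parts)


def is_patched(version: str, fixed: str = FIXED_PLATFORM) -> bool:
    """True when the endpoint's platform build is at or above the fix."""
    return parse_version(version) >= parse_version(fixed)


def triage(inventory: Dict[str, str], fixed: str = FIXED_PLATFORM) -> Dict[str, List[str]]:
    """Bucket hosts into patched / vulnerable / unknown (unparseable value).

    'unknown' is kept separate on purpose: an endpoint that did not report a
    version is a coverage gap, not evidence that it is patched.
    """
    result: Dict[str, List[str]] = {"patched": [], "vulnerable": [], "unknown": []}
    for host, ver in sorted(inventory.items()):
        try:
            bucket = "patched" if is_patched(ver, fixed) else "vulnerable"
        except ValueError:
            bucket = "unknown"
        result[bucket].append(host)
    return result


# Constructed sample inventory, as a collector might export it.
SAMPLE_INVENTORY = {
    "ws-finance-01": "4.18.26030.3011",  # exactly the fixed build
    "ws-finance-02": "4.18.25110.6",     # older platform line
    "srv-files-01": "4.18.26030.9",      # same line, below the fix
    "ws-hr-07": "4.18.26050.2",          # newer line than the fix
    "laptop-rd-19": "n/a",               # agent did not report a version
}

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket:10s} {', '.join(hosts) or '-'}")
```

Anything landing in "unknown" belongs on the same follow-up list as "vulnerable" until a version is actually collected.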

The through-line here is boring and predictable. Ransomware affiliates read KEV like a shopping list. LPE bugs in security tooling — Defender, edge appliances, VPN clients — go into the catalog because they’re what post-access tradecraft actually leans on. Same pattern as the Anubis affiliates working Citrix Bleed 2 and the JadePuffer campaign chaining Langflow into ransomware. Nothing here is new tradecraft. That is the point.

Watching for

  • CISA or Microsoft naming the ransomware family. Unconfirmed as of writing.
  • MSRC advisories closing RedSun and UnDefend. Unconfirmed current status; check MSRC directly.
  • A KEV update reflecting ransomware-associated exploitation on the entry itself. Same operational bar for federal agencies; different urgency signal for everyone else.
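For the last item, the public KEV JSON feed carries the ransomware-use signal on the entry itself. The script below is an added example, not code from the article or from CISA: it evaluates entries of a KEV-shaped feed against a given date. The feed record is constructed to mirror the field names of CISA's published KEV JSON; the dates are the article's (added 2026-04-22, due 2026-05-06), and the knownRansomwareCampaignUse value of "Known" is an assumption about how an updated entry would read. The second entry uses a placeholder CVE id.

```python
"""Added example (not from the 0dayNews article): flag KEV entries that are
past their BOD 22-01 due date or carry a ransomware-use marker. The feed
below is constructed; field names mirror CISA's public KEV JSON feed."""
from datetime import date
import json
from typing import Dict, List

# Constructed feed. The first record uses the dates the article reports;
# the second is a placeholder entry that is still inside its window.
SAMPLE_KEV_JSON = """
{
  "vulnerabilities": [
    {
      "cveID": "CVE-2026-33825",
      "vendorProject": "Microsoft",
      "product": "Defender",
      "dateAdded": "2026-04-22",
      "dueDate": "2026-05-06",
      "knownRansomwareCampaignUse": "Known"
    },
    {
      "cveID": "CVE-0000-00000",
      "vendorProject": "PLACEHOLDER",
      "product": "PLACEHOLDER",
      "dateAdded": "2026-06-25",
      "dueDate": "2026-07-16",
      "knownRansomwareCampaignUse": "Unknown"
    }
  ]
}
"""


def load_sample_feed() -> Dict:
    """Parse the constructed feed exactly as the real JSON download would be."""
    return json.loads(SAMPLE_KEV_JSON)


def kev_status(entry: Dict, today: date) -> Dict:
    """Summarise one entry: remediation window, overdue state, ransomware flag."""
    added = date.fromisoformat(entry["dateAdded"])
    due = date.fromisoformat(entry["dueDate"])
    days_overdue = (today - due).days
    return {
        "cve": entry["cveID"],
        "days_to_remediate": (due - added).days,
        "overdue": days_overdue > 0,
        "days_overdue": max(days_overdue, 0),
        # Missing field is treated as "Unknown", never as a negative.
        "ransomware_use": entry.get("knownRansomwareCampaignUse", "Unknown") == "Known",
    }


def entries_needing_attention(feed: Dict, today: date) -> List[Dict]:
    """Entries that are overdue, ransomware-flagged, or both."""
    out = []
    for entry in feed["vulnerabilities"]:
        status = kev_status(entry, today)
        if status["overdue"] or status["ransomware_use"]:
            out.append(status)
    return out


if __name__ == "__main__":
    # 2026-07-02 is the date of the CISA confirmation in the article's timeline.
    for s in entries_needing_attention(load_sample_feed(), date(2026, 7, 2)):
        print(s)
```

Run against the live feed, the same function lets a non-federal team re-rank its own backlog by the ransomware marker rather than by the federal due date alone, which is the distinction the item above draws.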

Sourcing
