CISA orders feds to patch BlueHammer flaw exploited as zero-day
Source: Bleeping Computer

Overview
CISA has given U.S. government agencies two weeks to secure their Windows systems against a Microsoft Defender privilege‑escalation vulnerability that has been exploited in zero‑day attacks.
Vulnerability Details
- Identifier: CVE‑2026‑33825
- Severity: High
- Impact: Allows a low‑privileged local attacker to gain SYSTEM privileges on unpatched devices by exploiting an insufficient granularity of access control weakness (CWE‑1220).
The flaw was publicly dubbed “BlueHammer” by security researcher Chaotic Eclipse, who released a proof‑of‑concept exploit in protest of Microsoft’s disclosure process.
Related Flaws Disclosed by Chaotic Eclipse
- RedSun: A second Microsoft Defender privilege‑escalation flaw.
- UnDefend: A third flaw that can be exploited by a standard user to block Defender definition updates.
At the time of the leak, all three vulnerabilities were considered zero‑days by Microsoft’s definition, as they had no official patches.
Exploitation in the Wild
Huntress Labs reported on April 16 that attackers had been exploiting these zero‑days in active campaigns, showing evidence of “hands‑on‑keyboard” threat‑actor activity. The report noted:
- Suspicious FortiGate SSL VPN access tied to compromised environments, with source IPs geolocated to Russia.
- Additional suspicious infrastructure observed in other regions.
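One concrete hunt that follows from the Huntress observations above is to review FortiGate SSL VPN tunnel‑up events and flag any whose source IP geolocates outside the countries your users are expected to connect from. The script below is an added example written for this page, not Huntress's or Fortinet's code. The log lines are constructed in FortiGate's key=value syslog style, the prefix‑to‑country table is a stand‑in for a real GeoIP database (the documentation ranges 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 are assigned countries here purely for illustration), and the allowed‑country set is a hypothetical policy.

```python
import ipaddress
import re
from typing import Dict, List, Set

# Constructed sample lines in FortiGate key=value syslog style (not real
# captured logs): two SSL VPN tunnel-up events from outside the expected
# region, one from inside it, one tunnel-down and one unrelated admin login.
SAMPLE_LOGS = [
    'date=2026-04-15 time=03:12:41 devname="FGT-EDGE" type="event" subtype="vpn" '
    'logdesc="SSL VPN tunnel up" action="tunnel-up" tunneltype="ssl-tunnel" '
    'user="jdoe" remip=203.0.113.5 msg="SSL VPN tunnel up"',
    'date=2026-04-15 time=08:02:10 devname="FGT-EDGE" type="event" subtype="vpn" '
    'logdesc="SSL VPN tunnel up" action="tunnel-up" tunneltype="ssl-tunnel" '
    'user="asmith" remip=198.51.100.23 msg="SSL VPN tunnel up"',
    'date=2026-04-15 time=08:40:55 devname="FGT-EDGE" type="event" subtype="vpn" '
    'logdesc="SSL VPN tunnel down" action="tunnel-down" tunneltype="ssl-tunnel" '
    'user="jdoe" remip=203.0.113.5 msg="SSL VPN tunnel down"',
    'date=2026-04-15 time=22:51:03 devname="FGT-EDGE" type="event" subtype="vpn" '
    'logdesc="SSL VPN tunnel up" action="tunnel-up" tunneltype="ssl-tunnel" '
    'user="svc_backup" remip=192.0.2.77 msg="SSL VPN tunnel up"',
    'date=2026-04-15 time=09:00:00 devname="FGT-EDGE" type="event" subtype="system" '
    'logdesc="Admin login successful" action="login" user="admin" srcip=10.0.0.5',
]

# Constructed stand-in for a GeoIP database: documentation prefixes mapped to
# ISO country codes purely for this example. In production, resolve remip
# against a real GeoIP source (for example a MaxMind database) instead.
GEO_TABLE: Dict[str, str] = {
    "203.0.113.0/24": "RU",
    "198.51.100.0/24": "US",
    "192.0.2.0/24": "DE",
}

# Hypothetical policy: countries from which SSL VPN logins are expected.
ALLOWED_COUNTRIES: Set[str] = {"US"}

# FortiGate logs are space-separated key=value pairs; values may be quoted
# and quoted values may contain spaces, so try the quoted form first.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_fortigate_line(line: str) -> Dict[str, str]:
    """Parse one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def geolocate(ip: str) -> str:
    """Return the country code for ip from the constructed table, or '??'."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "??"
    for prefix, country in GEO_TABLE.items():
        if addr in ipaddress.ip_network(prefix):
            return country
    return "??"


def find_suspicious_vpn_logins(
    lines: List[str], allowed: Set[str] = ALLOWED_COUNTRIES
) -> List[Dict[str, str]]:
    """Flag SSL VPN tunnel-up events whose source IP is outside allowed countries.

    Only subtype=vpn / action=tunnel-up records are considered. An unknown
    geolocation ('??') is treated as suspicious so that gaps in the lookup
    fail closed rather than silently passing.
    """
    hits: List[Dict[str, str]] = []
    for line in lines:
        rec = parse_fortigate_line(line)
        if rec.get("subtype") != "vpn" or rec.get("action") != "tunnel-up":
            continue
        country = geolocate(rec.get("remip", ""))
        if country in allowed:
            continue
        hits.append({
            "time": f'{rec.get("date", "")} {rec.get("time", "")}',
            "user": rec.get("user", ""),
            "remip": rec.get("remip", ""),
            "country": country,
        })
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_vpn_logins(SAMPLE_LOGS):
        print(f'{hit["time"]} user={hit["user"]} remip={hit["remip"]} country={hit["country"]}')
```

Run against the constructed lines, it reports the jdoe login from the RU‑mapped prefix and the svc_backup login from the DE‑mapped prefix, ignores the tunnel‑down and admin‑login records, and lets the US login through. Treating an unresolvable IP as suspicious is deliberate: a geolocation gap should surface for review rather than hide a foreign login.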
Patch Release
Microsoft released a patch for CVE‑2026‑33825 on April 14 as part of the month’s Patch Tuesday.
CISA Action
CISA added the BlueHammer vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog on April 22. Federal Civilian Executive Branch (FCEB) agencies are required to apply the patch by May 7 (within two weeks).
“This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise,” CISA warned.
“Apply mitigations per vendor instructions, follow applicable BOD 22‑01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.”
Related Recent Vulnerability
Earlier, CISA warned about a Windows Task Host privilege‑escalation vulnerability:
- CVE‑2025‑60710 – Grants attackers SYSTEM privileges on unpatched Windows 11 and Windows Server 2025 devices.