CISA confirmed on June 30, 2026 that ransomware operators are actively incorporating CVE-2026-33825 into their post-exploitation chains, marking a significant escalation for a vulnerability that Microsoft patched more than two months ago.

CVE-2026-33825, known publicly as BlueHammer, is a local privilege escalation flaw in the Microsoft Defender Antimalware Platform. According to NIST NVD, the vulnerability stems from insufficient granularity of access control in Defender, enabling any locally authenticated attacker to escalate to SYSTEM-level privileges. In practice, this grants read access to the Security Account Manager (SAM) database, which stores password hashes for local Windows accounts. SAM access enables pass-the-hash lateral movement and full account takeover across the local network, providing a reliable path from initial foothold to broad domain compromise. NIST assigned CVE-2026-33825 a CVSS 3.1 score of 7.8 (High), affecting Microsoft Defender Antimalware Platform versions prior to 4.18.26030.3011.

Microsoft patched the vulnerability in the April 14, 2026 Patch Tuesday update. CISA added BlueHammer to the Known Exploited Vulnerabilities catalog on April 22, 2026, following confirmation of early zero-day exploitation by Huntress Labs in late April, with a federal mandatory remediation deadline of May 6, 2026 for civilian agencies.

Today’s confirmation that ransomware groups have now adopted BlueHammer reflects a predictable escalation pattern: proof-of-concept code was publicly leaked in early April 2026, and the interval between initial targeted exploitation and industrialized ransomware adoption typically spans six to ten weeks. Organizations that applied exceptions or deferrals to the April 2026 Patch Tuesday cycle should now treat those endpoints as actively at risk of privilege escalation and lateral movement.

Security teams should verify that Microsoft Defender Antimalware Platform version 4.18.26030.3011 or later is deployed across all managed Windows endpoints. For environments using configuration management platforms, confirm that policy enforcement is reaching all devices, including those that may have missed the April update window due to patching exceptions, offline status, or deferred deployment rings.
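One way to perform that verification on a Windows endpoint, as an added example that is not part of the original article or Microsoft's guidance: the script below reads the installed Antimalware Platform version through the Defender PowerShell module and compares it with the fixed version the article cites. It assumes `Get-MpComputerStatus` is available on the host (it ships with Defender) and treats 4.18.26030.3011 as the minimum patched platform version; the hostnames in the fleet-check comment are constructed placeholders.

```powershell
# Added example (not from the article). Checks whether the Microsoft Defender
# Antimalware Platform on this host is at or above the patched version the
# article cites for CVE-2026-33825. Assumption: 4.18.26030.3011 is the minimum
# fixed platform version; AMProductVersion is the platform version reported by
# Get-MpComputerStatus.

$MinimumFixedVersion = [version]'4.18.26030.3011'

function Test-DefenderPlatformPatched {
    [CmdletBinding()]
    param(
        [version]$MinimumVersion = $MinimumFixedVersion
    )

    # Fails loudly if the Defender module or service is unavailable, which is
    # itself a finding worth surfacing rather than silently reporting "patched".
    $status    = Get-MpComputerStatus -ErrorAction Stop
    $installed = [version]$status.AMProductVersion

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        PlatformVersion    = $installed
        MinimumVersion     = $MinimumVersion
        Patched            = ($installed -ge $MinimumVersion)
        # Context that helps explain why an endpoint missed the update window:
        AMServiceEnabled   = $status.AMServiceEnabled
        RealTimeProtection = $status.RealTimeProtectionEnabled
        SignatureAgeHours  = [int]([datetime]::Now - $status.AntivirusSignatureLastUpdated).TotalHours
    }
}

# Local check:
Test-DefenderPlatformPatched | Format-List

# Fleet check (constructed host list; requires WinRM). Endpoints that return an
# error are the offline or unmanaged devices the paragraph above warns about:
# $hosts = 'ws-placeholder-01', 'ws-placeholder-02'
# Invoke-Command -ComputerName $hosts -ErrorAction Continue -ScriptBlock {
#     $v = [version](Get-MpComputerStatus).AMProductVersion
#     [pscustomobject]@{ Host = $env:COMPUTERNAME; PlatformVersion = $v;
#                        Patched = ($v -ge [version]'4.18.26030.3011') }
# } | Sort-Object Patched | Format-Table -AutoSize
```

Treat `Patched = False` and any host that fails to respond as the same remediation queue: both are endpoints that may have missed the April update cycle. A stale `SignatureAgeHours` on an otherwise current platform version usually points at a policy-enforcement gap rather than a missing platform update.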

CISA’s continued active exploitation confirmations for endpoint security flaws follow the agency’s escalating posture under BOD 26-04, which CyberTech previously covered in reporting on CISA’s three-day patch mandate for federal agencies.

Source: Microsoft Security Response Center: CVE-2026-33825