Zero-day | Jun 30, 2026

BlueHammer Vulnerability Exploited in Ransomware Attacks

Microsoft Defender vulnerability CVE-2026-33825 (BlueHammer) exploited in ransomware attacks.

Summary

The Microsoft Defender vulnerability CVE-2026-33825, dubbed BlueHammer, was exploited in the wild as a zero-day before Microsoft released patches on April 14. CISA added the flaw to its Known Exploited Vulnerabilities catalog on April 22 and has since updated the entry to flag its use in ransomware campaigns, though the ransomware group involved has not been identified. The vulnerability was publicly disclosed by a researcher known as Chaotic Eclipse (also Nightmare Eclipse), who did so out of dissatisfaction with Microsoft's vulnerability handling process.

Full text

A Microsoft Defender vulnerability tracked as BlueHammer and CVE-2026-33825 is being exploited in ransomware attacks, according to the US cybersecurity agency CISA.

BlueHammer is one of several exploits disclosed in recent months by a disgruntled researcher known as Chaotic Eclipse and Nightmare Eclipse. The researcher is unhappy with Microsoft’s handling of vulnerability reports, which is why several exploits were made public before the tech giant had a chance to release fixes.

CVE-2026-33825 was publicly disclosed on April 2 and Microsoft released patches on April 14, when it informed customers that an authenticated attacker can exploit the security hole for privilege escalation. Microsoft’s advisory, last updated on April 30, rates the flaw as ‘more likely’ to be exploited, but it still does not confirm in-the-wild exploitation. Cybersecurity firm Huntress, however, saw the vulnerability being exploited in attacks as a zero-day before Microsoft released patches.

CISA added BlueHammer to its Known Exploited Vulnerabilities (KEV) catalog on April 22 and has now updated the entry to specify that the weakness has been leveraged in ransomware campaigns. It’s unclear which ransomware group has exploited CVE-2026-33825; there do not appear to be any recent reports describing its exploitation.

CISA does not notify users when it updates an existing KEV entry to mark a vulnerability as used by ransomware groups, so defenders only see the change if they re-check the catalog themselves. This has raised questions regarding the practical utility of these updates for defenders. Threat intelligence firm GreyNoise released a free tool earlier this year to help track these KEV updates.
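The silent KEV update described above can be caught without waiting for a notification by keeping dated copies of the catalog feed and diffing them. The script below is an added example for this article; it is not CISA's feed code and not GreyNoise's tool. It uses the field names of the public KEV JSON feed (cveID, vendorProject, product, vulnerabilityName, dateAdded, dueDate, knownRansomwareCampaignUse) and runs offline on two constructed snapshots; the dueDate and vulnerabilityName values in those snapshots are illustrative, not copied from the real catalog.

```python
"""Detect quiet changes to a CISA KEV entry, such as a ransomware flag flip.

Added example for this article; it is not CISA's feed code and not GreyNoise's
tool. Field names follow the public KEV JSON feed. Both snapshots below are
constructed sample data: the real entry carries more fields (shortDescription,
requiredAction, notes, cwes) that this script ignores, and the dueDate and
vulnerabilityName values here are illustrative.
"""
import json
from datetime import date

# Public feed URL a team would fetch on a schedule, keeping a dated copy of
# each download. Nothing in this script touches the network.
KEV_FEED_URL = ("https://www.cisa.gov/sites/default/files/feeds/"
                "known_exploited_vulnerabilities.json")

# Constructed snapshot as the catalog might have looked on April 22:
# BlueHammer listed, ransomware use not yet confirmed.
SNAPSHOT_APR22 = json.loads("""{
  "catalogVersion": "2026.04.22",
  "vulnerabilities": [{
    "cveID": "CVE-2026-33825",
    "vendorProject": "Microsoft",
    "product": "Defender",
    "vulnerabilityName": "Microsoft Defender Privilege Escalation Vulnerability",
    "dateAdded": "2026-04-22",
    "dueDate": "2026-05-13",
    "knownRansomwareCampaignUse": "Unknown"
  }]
}""")

# Constructed later snapshot: the same entry with only the ransomware flag
# changed, which is the kind of silent update the article describes.
SNAPSHOT_LATER = json.loads("""{
  "catalogVersion": "2026.06.30",
  "vulnerabilities": [{
    "cveID": "CVE-2026-33825",
    "vendorProject": "Microsoft",
    "product": "Defender",
    "vulnerabilityName": "Microsoft Defender Privilege Escalation Vulnerability",
    "dateAdded": "2026-04-22",
    "dueDate": "2026-05-13",
    "knownRansomwareCampaignUse": "Known"
  }]
}""")

EMPTY_SNAPSHOT = {"catalogVersion": "none", "vulnerabilities": []}


def index_by_cve(snapshot):
    """Map cveID -> entry so two snapshots can be compared by identifier."""
    return {v["cveID"]: v for v in snapshot["vulnerabilities"]}


def diff_kev(old_snapshot, new_snapshot, watch=None):
    """Return (cveID, event, detail) tuples for what changed between snapshots.

    Events: "added", "removed", "ransomware_flag", "due_date". If `watch` is a
    set of CVE IDs, only those are reported (None means report everything).
    """
    old, new = index_by_cve(old_snapshot), index_by_cve(new_snapshot)
    events = []
    for cve in sorted(old.keys() | new.keys()):
        if watch is not None and cve not in watch:
            continue
        if cve not in old:
            events.append((cve, "added", new[cve]["vulnerabilityName"]))
        elif cve not in new:
            events.append((cve, "removed", old[cve]["vulnerabilityName"]))
        else:
            # Defaulting a missing flag to "Unknown" keeps the comparison
            # tolerant of an older copy that lacks the field.
            before = old[cve].get("knownRansomwareCampaignUse", "Unknown")
            after = new[cve].get("knownRansomwareCampaignUse", "Unknown")
            if before != after:
                events.append((cve, "ransomware_flag", f"{before} -> {after}"))
            if old[cve].get("dueDate") != new[cve].get("dueDate"):
                events.append((cve, "due_date",
                               f"{old[cve].get('dueDate')} -> {new[cve].get('dueDate')}"))
    return events


def past_due(snapshot, today):
    """CVE IDs whose remediation due date is strictly before `today`.

    `today` may be a datetime.date or an ISO 8601 string such as "2026-06-30".
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    return sorted(v["cveID"] for v in snapshot["vulnerabilities"]
                  if date.fromisoformat(v["dueDate"]) < today)


if __name__ == "__main__":
    for cve, event, detail in diff_kev(SNAPSHOT_APR22, SNAPSHOT_LATER):
        print(f"{cve}: {event} ({detail})")
    print("past due as of 2026-06-30:", past_due(SNAPSHOT_LATER, "2026-06-30"))
```

In practice the two snapshots would be yesterday's and today's download of the feed, and `watch` would be the set of KEV entries that match products actually deployed in the environment, so that a flag flip on a vulnerability like BlueHammer surfaces as an alert rather than being buried in catalog churn.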
Related: Critical SimpleHelp Vulnerability Exploited for Malware Delivery
Related: Critical Ubiquiti Vulnerabilities in Attackers’ Crosshairs
Related: Splunk Enterprise Vulnerability Exploited in Attacks Days After Disclosure

Written by Eduard Kovacs (@EduardKovacs), senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Indicators of Compromise

  • cve — CVE-2026-33825

Entities

  • Microsoft Defender (product)
  • Microsoft (vendor)
  • Chaotic Eclipse / Nightmare Eclipse (threat_actor)
  • BlueHammer (campaign)
  • CISA (vendor)
  • Huntress (vendor)