CISA orders feds to patch BlueHammer flaw exploited as zero-day
CISA orders federal agencies to patch BlueHammer Microsoft Defender zero-day within two weeks.
Summary
CISA has mandated U.S. federal agencies patch CVE-2026-33825 (BlueHammer), a Microsoft Defender privilege escalation flaw actively exploited in zero-day attacks, within two weeks by May 7. The vulnerability was disclosed by security researcher "Chaotic Eclipse" on April 14 after Microsoft patched it, along with two additional related flaws (RedSun and UnDefend). Attackers have been observed exploiting these vulnerabilities in hands-on-keyboard intrusions, with evidence linking attack infrastructure to Russia.
Full text
By Sergiu Gatlan, April 23, 2026 07:05 AM

CISA has given U.S. government agencies two weeks to secure their Windows systems against a Microsoft Defender privilege escalation vulnerability that has been exploited in zero-day attacks.

Tracked as CVE-2026-33825, this high-severity security flaw allows low-privileged local threat actors to gain SYSTEM permissions on unpatched devices by exploiting an insufficient-granularity-of-access-control weakness.

Microsoft patched the vulnerability on April 14 as part of this month's Patch Tuesday, one week after a security researcher using the "Chaotic Eclipse" handle dubbed it "BlueHammer" and published proof-of-concept exploit code in protest at how Microsoft's Security Response Center (MSRC) handled the disclosure process.

Chaotic Eclipse also disclosed a second Microsoft Defender privilege escalation flaw (dubbed RedSun) and a third flaw (known as UnDefend) that can be exploited as a standard user to block Defender definition updates. At the time of the leak, all three vulnerabilities were considered zero-days by Microsoft's definition, since they had no official patches.

Additionally, as Huntress Labs security researchers revealed on April 16, attackers had also been exploiting these zero-days in attacks that showed evidence of "hands-on-keyboard threat actor activity."

"The activity also appeared to be part of a broader intrusion rather than isolated proof-of-concept (PoC) testing," the cybersecurity company said in a Monday report. "Huntress identified suspicious FortiGate SSL VPN access tied to the compromised environment, including a source IP geolocated to Russia, with additional suspicious infrastructure observed in other regions."
CISA has now added the BlueHammer vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog on Monday, ordering Federal Civilian Executive Branch (FCEB) agencies to patch their Windows systems against ongoing CVE-2026-33825 attacks within two weeks, by May 7.

"This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise," CISA warned. "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable."

One week ago, CISA also warned that a Windows Task Host privilege-escalation vulnerability (CVE-2025-60710), which grants attackers SYSTEM privileges on unpatched Windows 11 and Windows Server 2025 devices, is now actively exploited in the wild.
Indicators of Compromise
- cve — CVE-2026-33825
- cve — CVE-2026-33826
- cve — CVE-2026-33827
- cve — CVE-2025-60710