BlueHammer Vulnerability Exploited in Ransomware Attacks

CVE-2026-33825 (BlueHammer) in Microsoft Defender is being actively exploited in ransomware campaigns in the wild. This zero-day was publicly disclosed before patches became available on April 14, and CISA has confirmed active abuse. All Windows environments running vulnerable Defender versions are at immediate risk of compromise leading to ransomware deployment.

CRITICAL | Advisory | Jun 30, 2026
Action required
Immediately patch Microsoft Defender to the latest version released April 14 or later. Hunt for Defender process anomalies, suspicious parent-child relationships, and unsigned executables spawned from Defender components. Check for evidence of exploitation in Windows Defender logs and ETW traces from the zero-day window.
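The parent-child hunt above, as an added example that is not part of the advisory: a triage pass over process-creation telemetry (for instance Sysmon process-creation events or Security 4688 joined with an Authenticode check) that flags children of Defender components which are unsigned or run from outside the Defender install directories. The component image names, install paths, and sample records are assumptions and constructed data, not indicators from the advisory.

```python
"""Triage process-creation telemetry for suspicious children of Defender components."""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Assumed Defender component images and install locations (not taken from the advisory).
DEFENDER_IMAGES = {"msmpeng.exe", "mpcmdrun.exe", "nissrv.exe"}
DEFENDER_DIRS = (
    r"C:\Program Files\Windows Defender",
    r"C:\ProgramData\Microsoft\Windows Defender\Platform",
)


@dataclass
class ProcEvent:
    parent_image: str  # full path of the creating process
    image: str         # full path of the new process
    signed: bool       # Authenticode verdict supplied by the telemetry pipeline


def is_defender_parent(ev: ProcEvent) -> bool:
    return PureWindowsPath(ev.parent_image).name.lower() in DEFENDER_IMAGES


def in_defender_dir(path: str) -> bool:
    # PureWindowsPath compares case-insensitively, so C:\PROGRAM FILES\... still matches.
    p = PureWindowsPath(path)
    return any(PureWindowsPath(d) in p.parents for d in DEFENDER_DIRS)


def triage(events):
    """Return (event, reasons) for every child of a Defender component that merits review."""
    hits = []
    for ev in events:
        if not is_defender_parent(ev):
            continue  # only Defender-spawned processes are in scope for this hunt
        reasons = []
        if not ev.signed:
            reasons.append("unsigned child of Defender component")
        if not in_defender_dir(ev.image):
            reasons.append("child image outside Defender install directories")
        if reasons:
            hits.append((ev, reasons))
    return hits


# Constructed sample telemetry (not real captures).
SAMPLE = [
    ProcEvent(r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.1\MsMpEng.exe",
              r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.1\MpCmdRun.exe", True),
    ProcEvent(r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.1\MsMpEng.exe",
              r"C:\Users\Public\update.exe", False),
    ProcEvent(r"C:\Program Files\Windows Defender\MpCmdRun.exe",
              r"C:\Windows\System32\cmd.exe", True),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Users\Public\update.exe", False),
]
```

The first record is the expected signed, in-place scan engine child and is not flagged; the explorer.exe record is out of scope here because the hunt keys on Defender parents only.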
Affected products
Microsoft Defender, Microsoft, CISA, Huntress