The US Cybersecurity and Infrastructure Security Agency (CISA) says ransomware groups are now exploiting a Microsoft Defender privilege-escalation vulnerability known as BlueHammer. CISA reports that the flaw, previously used in zero-day attacks, is being leveraged by ransomware operators to gain elevated access on affected systems.
SecurityWeek identifies the issue as Microsoft Defender vulnerability CVE-2026-33825 and says it was already being exploited “in the wild” before patches were released. Together, the reports indicate that attackers are using the vulnerability as part of real-world intrusion activity, rather than it being limited to earlier proof-of-concept or isolated incidents.
Both sources describe BlueHammer as a privilege-escalation weakness in Microsoft Defender whose exploitation has moved from limited zero-day abuse to broader use by ransomware gangs. Both also stress the timing: the flaw was being actively targeted before a fix was available, so systems that have not yet received Microsoft's patch for CVE-2026-33825 remain exposed to the same activity.