CISA confirmed on Monday that ransomware gangs have begun exploiting a high-severity Microsoft Defender privilege escalation vulnerability that has previously been abused in zero-day attacks.
Dubbed BlueHammer, the security flaw (CVE-2026-33825) was leaked by a security researcher known as "Nightmare Eclipse" in early April, together with proof-of-concept exploit code, in protest at how the Microsoft Security Response Center (MSRC) handles the disclosure process.
"Insufficient granularity of access control in Microsoft Defender allows an authorized attacker to elevate privileges locally," Microsoft explains in a security advisory.
Will Dormann, principal vulnerability analyst at Tharros, told BleepingComputer in April that while the issue is not easy to exploit, it gives local attackers access to the Security Account Manager (SAM) database, which contains password hashes for local accounts.
With this access, they can escalate to SYSTEM privileges and potentially take complete control of the targeted system.