A vulnerability in Microsoft Defender, tracked as CVE-2026-33825 and nicknamed BlueHammer, is currently being exploited in ransomware attacks, according to the US cybersecurity agency CISA. The vulnerability was initially disclosed by a researcher who goes by the handles Chaotic Eclipse and Nightmare Eclipse, and who released the details publicly out of dissatisfaction with Microsoft's handling of vulnerability reports. The flaw was first made public on April 2, and Microsoft released patches on April 14, leaving a window in which attackers could exploit the vulnerability as a zero-day before a fix was available.
Microsoft's advisory rates the vulnerability as more likely to be exploited, but does not confirm active exploitation in the wild. Cybersecurity firm Huntress, however, detected it being used in attacks before the patch was released. On April 22, CISA added BlueHammer to its Known Exploited Vulnerabilities catalog, and later updated the entry to reflect its use in ransomware operations.
Although its use in ransomware attacks has been confirmed, the specific ransomware groups exploiting the flaw have not been identified. This lack of detail raises questions about how useful CISA's catalog updates are to defenders facing these threats. To help security teams keep up, threat intelligence firm GreyNoise has built a tool that tracks updates to these catalog entries.
Organizations need to prioritize patching systems affected by CVE-2026-33825 to protect against potential ransomware attacks leveraging this vulnerability.