
CISA orders feds to patch BlueHammer flaw exploited as zero-day

Published:

23 April 2026 at 11:05:57

Alert date:

23 April 2026 at 12:01:20

Source:

bleepingcomputer.com


Operating Systems, Zero-Day Vulnerabilities, Security Tools

CISA has ordered U.S. federal agencies to patch a Microsoft Defender privilege escalation vulnerability, known as BlueHammer, that has been actively exploited in zero-day attacks. The flaw allows a local attacker to escalate privileges on affected systems, and federal agencies must apply the available patches because of the significant risk it poses to government systems.

Technical details

CVE-2026-33825 is a high-severity Microsoft Defender privilege escalation vulnerability that allows low-privileged local threat actors to gain SYSTEM permissions on unpatched devices by exploiting an insufficient-granularity-of-access-control weakness. The vulnerability was dubbed 'BlueHammer' by the security researcher 'Chaotic Eclipse', who published proof-of-concept exploit code. Two additional related vulnerabilities were disclosed: RedSun (another privilege escalation flaw) and UnDefend (which blocks Defender definition updates). The observed attacks showed evidence of hands-on-keyboard threat actor activity, including suspicious FortiGate SSL VPN access from Russian IP addresses.

Mitigation steps:

Federal Civilian Executive Branch (FCEB) agencies must patch their Windows systems against CVE-2026-33825 within two weeks (by May 7). Agencies must apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. Microsoft patched the vulnerability on April 14 as part of Patch Tuesday.

Affected products:

Microsoft Defender
Windows systems
Windows 11
Windows Server 2025

IOCs:

Suspicious FortiGate SSL VPN access, Source IP geolocated to Russia

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Disclaimer: This website displays information originating from external sources. Perceptive accepts no responsibility for the content, accuracy or completeness of this information.
