A Microsoft Defender vulnerability known as BlueHammer (CVE-2026-33825) is being exploited in ransomware attacks, according to CISA. The flaw was publicly disclosed on April 2, and Microsoft released patches on April 14. Although Microsoft has acknowledged that exploitation of the flaw is more likely, it has not confirmed in-the-wild attacks. Cybersecurity firm Huntress reported that the vulnerability was exploited as a zero-day before the patch was released.
CISA added BlueHammer to its Known Exploited Vulnerabilities (KEV) catalog on April 22 and flagged it as used in ransomware campaigns, although the specific group behind the attacks remains unknown. CISA's notifications about exploitation status have drawn scrutiny over how useful they are to defenders.