
A zero‑day flaw in Microsoft Defender is being actively used to deploy ransomware, prompting urgent alerts from US authorities. Tracked as CVE‑2026‑33825 and dubbed BlueHammer, the vulnerability was added to the CISA Known Exploited Vulnerabilities list after researchers observed it in the wild.
CVE‑2026‑33825 carries a CVSS score of 7.8 and is classified as an elevation‑of‑privilege weakness in the Defender antimalware engine. Attackers can trigger the flaw by supplying a specially crafted file that causes the engine to execute arbitrary code with SYSTEM privileges. This level of access lets ransomware operators disable security features and encrypt files without hindrance.
Microsoft disclosed the issue privately on 2 April and shipped a fix on 14 April, but Huntress Labs reported that it had already detected exploitation before the fix was available, which is what makes it a zero-day. The name BlueHammer spread after SecurityWeek's coverage linked the flaw to ongoing ransomware campaigns.
CISA added BlueHammer to its KEV catalogue on 22 April, confirming that the flaw is being exploited in ransomware attacks although the specific threat actor remains unidentified. The agency’s note has sparked debate among defenders about the practical value of such alerts when no attribution is provided.
The Defender flaw arrives amid a broader run of Windows zero-days highlighted by Dark Reading, which described vulnerabilities such as YellowKey, GreenPlasma and MiniPlasma that enable BitLocker bypasses and privilege escalation to SYSTEM. These discoveries illustrate how attackers continue to find gaps in Microsoft's platform despite regular patch cycles.
Defenders should apply the 14 April update for Microsoft Defender immediately and verify that cloud-delivered protection is turned on. Reviewing exclusion lists (every excluded path or extension is a place a crafted file can sit unscanned), enabling attack surface reduction rules, and monitoring the Defender operational event log both for detections and for events showing protection being disabled or reconfigured will help surface any lingering abuse. One caveat: because a successful exploit runs code as SYSTEM, patching alone does not remediate a host on which exploitation already happened; any machine that ran the vulnerable engine and shows signs of tampering should be treated as compromised and investigated, not merely updated.
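The checks above, collected into one script as an added example. This is not Microsoft's tooling and not code from the original article. Assumptions: the article does not give the fixed engine and platform build numbers, so the script takes them as parameters (defaulting to placeholders) and you must fill them in from Microsoft's advisory; the two ASR rule GUIDs are Microsoft's published identifiers for "Use advanced protection against ransomware" and "Block credential stealing from LSASS", chosen here as a sensible pair rather than because the article names them; the Defender event IDs used are the standard ones documented for the Microsoft-Windows-Windows Defender/Operational log. Run it elevated.

```powershell
#Requires -RunAsAdministrator
<#
  Added example: Defender hygiene check for the CVE-2026-33825 / BlueHammer response.
  Not Microsoft's tooling and not from the original article.
  ASSUMPTION: the fixed engine/platform builds are not stated in the article,
  so they are parameters; take the real values from Microsoft's advisory.
#>
param(
    [version]$MinEngineVersion   = '0.0.0.0',   # placeholder, set from the advisory
    [version]$MinPlatformVersion = '0.0.0.0',   # placeholder, set from the advisory
    [int]$LookbackDays = 14,
    [ValidateSet('AuditMode','Enabled')][string]$AsrAction = 'AuditMode'  # audit first, then enforce
)

$status = Get-MpComputerStatus
$pref   = Get-MpPreference

# 1. Is the patched engine/platform present?
#    AMEngineVersion = antimalware engine (mpengine.dll), AMProductVersion = platform build.
$engineOk   = [version]$status.AMEngineVersion  -ge $MinEngineVersion
$platformOk = [version]$status.AMProductVersion -ge $MinPlatformVersion
[pscustomobject]@{
    EngineVersion   = $status.AMEngineVersion;   EngineOk   = $engineOk
    PlatformVersion = $status.AMProductVersion;  PlatformOk = $platformOk
    Signatures      = $status.AntivirusSignatureVersion
    RealTime        = $status.RealTimeProtectionEnabled
    TamperProtected = $status.IsTamperProtected
} | Format-List
if (-not $engineOk) {
    # The engine ships with definition updates; the platform update itself arrives via Windows Update.
    Write-Warning 'Engine below the required build; pulling the latest definition/engine package.'
    Update-MpSignature
}

# 2. Cloud-delivered protection. MAPSReporting: 0 = off, 1 = Basic, 2 = Advanced.
if ($pref.MAPSReporting -ne 2) {
    Write-Warning "Cloud-delivered protection is not Advanced (MAPSReporting=$($pref.MAPSReporting)); enabling."
    Set-MpPreference -MAPSReporting Advanced -SubmitSamplesConsent SendSafeSamples
}

# 3. Exclusions: each one is a location or file type the engine will not scan. Print them for review.
foreach ($kind in 'ExclusionPath','ExclusionExtension','ExclusionProcess') {
    $vals = @($pref.$kind)
    if ($vals.Count -gt 0) {
        Write-Host "$kind ($($vals.Count)):"
        foreach ($v in $vals) { Write-Host "   $v" }
    }
}

# 4. ASR rules. Actions: 0 = Disabled, 1 = Block (Enabled), 2 = Audit, 6 = Warn.
$asrRules = @{
    'c1db55ab-c21a-4637-bb3f-a12568109d35' = 'Use advanced protection against ransomware'
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from LSASS'
}
$current = @{}
$ids = @($pref.AttackSurfaceReductionRules_Ids)
for ($i = 0; $i -lt $ids.Count; $i++) {
    $current[$ids[$i].ToLower()] = $pref.AttackSurfaceReductionRules_Actions[$i]
}
foreach ($id in $asrRules.Keys) {
    $action = $current[$id]
    if ($action -eq 1) { Write-Host "ASR enforced: $($asrRules[$id])"; continue }
    Write-Warning "ASR rule '$($asrRules[$id])' not enforced (state=$action); setting $AsrAction."
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $AsrAction
}

# 5. Event log. 1116/1117 = detection and action taken. More telling for an intruder running as SYSTEM:
#    5001 real-time protection disabled, 5004 real-time config changed, 5007 config changed,
#    5010/5012 scanning disabled. Any of these in the exploitation window on a host that ran the
#    vulnerable engine is an incident, not a patching task.
$eventIds = 1116,1117,5001,5004,5007,5010,5012
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = $eventIds
    StartTime = (Get-Date).AddDays(-$LookbackDays)
} -ErrorAction SilentlyContinue
$events | Sort-Object TimeCreated |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize
```

The ASR step defaults to AuditMode so that the script can be run across a fleet without breaking line-of-business software; re-run with `-AsrAction Enabled` once the audit events look clean. The version check deliberately refuses to guess the fixed build: comparing against `0.0.0.0` will always report "ok", so the parameters must be set from the advisory before the result means anything.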