CISA orders feds to patch BlueHammer flaw exploited as zero-day

CISA has ordered U.S. federal agencies to patch a Microsoft Defender privilege-escalation zero-day (CVE-2026-33825) within two weeks after evidence of active exploitation. The flaw, dubbed “BlueHammer” following its leak by the researcher Chaotic Eclipse, was disclosed alongside two other Defender issues and has been tied to hands-on-keyboard attacks and suspicious FortiGate VPN access. #BlueHammer #CVE202633825

Keypoints

  • CISA directed Federal Civilian Executive Branch agencies to patch CVE-2026-33825 by May 7 due to active exploitation.
  • BlueHammer is a Microsoft Defender privilege-escalation vulnerability that lets low-privileged local users obtain SYSTEM privileges because of insufficient access control.
  • Researcher “Chaotic Eclipse” publicly released proof-of-concept exploit code for BlueHammer and also disclosed related flaws RedSun and UnDefend prior to patching.
  • Huntress Labs reported hands-on-keyboard attacker activity and linked suspicious FortiGate SSL VPN access to the compromised environments.
  • CISA added BlueHammer to its Known Exploited Vulnerabilities Catalog and advised applying vendor mitigations, following BOD 22-01 guidance, or discontinuing use if mitigations are unavailable.
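
The KEV catalog and its BOD 22-01 due date are what an agency's vulnerability-management team actually tracks, so here is a small triage script for that workflow. It is an added example written for this page, not code from CISA, Microsoft or BleepingComputer. The record below is constructed to mirror the article's summary of CVE-2026-33825 (the 2026-04-23 dateAdded and 2026-05-07 dueDate are assumptions derived from "two weeks" and "May 7"); the field names follow the public KEV JSON feed schema, and the second entry uses a placeholder CVE id purely to exercise the overdue branch.

```python
"""Triage CISA KEV entries against their BOD 22-01 remediation due dates.

Constructed example: the embedded feed slice is shaped like the live KEV JSON
(https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json)
but its records are sample data, not copies of catalog entries.
"""
import json
from datetime import date

# Constructed KEV feed slice. Field names match the real feed schema;
# dates for CVE-2026-33825 are assumptions taken from the article.
SAMPLE_KEV_FEED = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "constructed-sample",
    "dateReleased": "2026-04-23T00:00:00.0000Z",
    "count": 2,
    "vulnerabilities": [
        {
            "cveID": "CVE-2026-33825",
            "vendorProject": "Microsoft",
            "product": "Defender",
            "vulnerabilityName": "Microsoft Defender Privilege Escalation Vulnerability",
            "dateAdded": "2026-04-23",          # assumed: two weeks before the due date
            "shortDescription": "Insufficient access control allows a local user to gain SYSTEM privileges.",
            "requiredAction": "Apply mitigations per vendor instructions, follow applicable "
                              "BOD 22-01 guidance for cloud services, or discontinue use of "
                              "the product if mitigations are unavailable.",
            "dueDate": "2026-05-07",            # from the article: patch by May 7
            "knownRansomwareCampaignUse": "Unknown",
            "notes": "",
        },
        {
            "cveID": "CVE-0000-00000",          # placeholder id (constructed, not a real CVE)
            "vendorProject": "Example Corp",
            "product": "Example Product",
            "vulnerabilityName": "Example Product Placeholder Vulnerability",
            "dateAdded": "2026-03-18",
            "shortDescription": "Placeholder entry used to exercise the overdue path.",
            "requiredAction": "Apply mitigations per vendor instructions.",
            "dueDate": "2026-04-01",
            "knownRansomwareCampaignUse": "Unknown",
            "notes": "",
        },
    ],
})


def load_kev(feed_text):
    """Parse KEV feed JSON text and return the list of vulnerability records."""
    return json.loads(feed_text)["vulnerabilities"]


def days_remaining(entry, as_of):
    """Days from as_of until the entry's BOD 22-01 dueDate (negative when overdue)."""
    due = date.fromisoformat(entry["dueDate"])
    return (due - as_of).days


def triage(entries, as_of, horizon_days=7, vendor=None):
    """Bucket KEV entries by remediation urgency relative to as_of.

    Returns a dict with three lists of cveIDs:
      overdue  - dueDate already passed
      due_soon - due within horizon_days (inclusive)
      on_track - due later than the horizon
    When vendor is given, only entries whose vendorProject matches are considered,
    which is how a team scopes the catalog to the products in its inventory.
    """
    buckets = {"overdue": [], "due_soon": [], "on_track": []}
    for entry in entries:
        if vendor and entry["vendorProject"] != vendor:
            continue
        left = days_remaining(entry, as_of)
        if left < 0:
            buckets["overdue"].append(entry["cveID"])
        elif left <= horizon_days:
            buckets["due_soon"].append(entry["cveID"])
        else:
            buckets["on_track"].append(entry["cveID"])
    return buckets


if __name__ == "__main__":
    # Example run as of 2026-04-30 (a constructed date one week before the deadline).
    kev = load_kev(SAMPLE_KEV_FEED)
    for bucket, ids in triage(kev, date(2026, 4, 30)).items():
        print(f"{bucket:9s} {', '.join(ids) or '-'}")
```

Against the live feed you would replace SAMPLE_KEV_FEED with the downloaded JSON and pass `vendor="Microsoft"` (or cross-reference `product` against your asset inventory) so that the due-date report covers only catalog entries you actually run.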

Read More: https://www.bleepingcomputer.com/news/security/cisa-orders-feds-to-patch-microsoft-defender-flaw-exploited-in-zero-day-attacks/