CVE-2026-33825 (BlueHammer) and Microsoft's April 14 patch
CVE-2026-33825 is a high-severity privilege-escalation flaw in Microsoft Defender that lets a low-privileged local actor gain SYSTEM permissions on unpatched Windows devices by exploiting a weakness classed as insufficient granularity of access control. Microsoft released a patch for the vulnerability on April 14 as part of Patch Tuesday.
The vulnerability was publicly dubbed "BlueHammer" by a security researcher using the "Chaotic Eclipse" handle, who published proof-of-concept exploit code and said the release was intended as a protest of how Microsoft's Security Response Center (MSRC) had handled the disclosure process. At the time the researcher released the exploit code, BlueHammer and two other Microsoft Defender vulnerabilities were considered zero-days under Microsoft's definition because no official patches yet existed.
CISA adds BlueHammer to the KEV Catalog and orders remediation by May 7
The Cybersecurity and Infrastructure Security Agency (CISA) added BlueHammer (CVE-2026-33825) to its Known Exploited Vulnerabilities (KEV) Catalog and ordered Federal Civilian Executive Branch (FCEB) agencies to secure Windows systems against ongoing attacks within two weeks, by May 7.
CISA's guidance was explicit: "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable." The agency framed the step as urgent because the vulnerability represents a frequent attack vector that poses significant risks to the federal enterprise.
Huntress Labs: active exploitation and hands-on-keyboard intrusions
Security researchers at Huntress Labs reported on April 16 that attackers were exploiting the disclosed zero-days in real-world intrusions. Huntress said the activity showed evidence of "hands-on-keyboard threat actor activity" and appeared to be part of a broader intrusion rather than isolated proof-of-concept testing.
Huntress identified suspicious FortiGate SSL VPN access tied to the compromised environment, including a source IP geolocated to Russia, and noted additional suspicious infrastructure observed in other regions.
Related flaws disclosed by Chaotic Eclipse: RedSun and UnDefend; a separate exploited Task Host bug
Chaotic Eclipse also disclosed a second Microsoft Defender privilege-escalation flaw dubbed "RedSun" and a third issue called "UnDefend," which a standard user can exploit to block Defender definition updates. Like BlueHammer, those disclosures were treated as zero-days at the time of the release because there were no official patches.
Separately, CISA had already warned a week earlier that a Windows Task Host privilege-escalation vulnerability (CVE-2025-60710) — which grants SYSTEM privileges on unpatched Windows 11 and Windows Server 2025 devices — was actively exploited in the wild. That advisory underscores that BlueHammer is part of a string of privilege-escalation flaws drawing active exploitation attention.
What this means for technologists, policymakers, and affected enterprises
- Technologists and security teams: The immediate task is to apply Microsoft's April 14 patch for CVE-2026-33825 and follow vendor mitigations. Huntress's findings highlight the need to monitor for signs of hands-on-keyboard intrusions and for suspicious FortiGate SSL VPN access tied to compromised environments.
- Policymakers and federal IT leaders: CISA's KEV listing imposes a two-week remediation window for FCEB agencies, with a hard date of May 7. Agencies must follow the agency's directive to apply vendor mitigations, use BOD 22-01 guidance for cloud services where applicable, or discontinue use if mitigations are unavailable.
- Enterprises and procurement leaders: The combination of publicly available exploit code and observed exploitation means organizations outside the federal enterprise should also treat the Microsoft Defender issues seriously: prioritize patches or mitigations, verify that Defender definition updates are actually being applied given the UnDefend disclosure, and evaluate cloud-service guidance where relevant.
The clock set by CISA gives federal agencies a concrete deadline: remediate CVE-2026-33825 by May 7. With exploit code in circulation, public proof-of-concept disclosure, and Huntress reporting hands-on-keyboard intrusions that include suspicious FortiGate SSL VPN access and geolocated infrastructure, the advisory places patching and vendor-directed mitigations at the front line of defense.
Source: BleepingComputer — CISA orders feds to patch Microsoft Defender flaw exploited in zero-day attacks