
CISA orders feds to patch BlueHammer flaw exploited as zero-day

Why This Matters

The CISA directive underscores the critical importance of timely patch management to defend against actively exploited vulnerabilities like BlueHammer, which pose significant risks to government and enterprise systems. The incident highlights the ongoing threat of zero-day exploits and the need for robust security practices to protect sensitive data and infrastructure.

Key Takeaways

CISA has given U.S. government agencies two weeks to secure their Windows systems against a Microsoft Defender privilege escalation vulnerability that has been exploited in zero-day attacks.

Tracked as CVE-2026-33825, this high-severity security flaw allows low-privileged local threat actors to gain SYSTEM permissions on unpatched devices by exploiting an insufficient granularity of access control weakness.

Microsoft patched the vulnerability on April 14 as part of this month's Patch Tuesday, one week after a security researcher using the "Chaotic Eclipse" handle dubbed it "BlueHammer" and published proof-of-concept exploit code in protest at how Microsoft's Security Response Center (MSRC) handled the disclosure process.

Chaotic Eclipse also disclosed a second Microsoft Defender privilege escalation flaw (dubbed RedSun) and a third flaw (known as UnDefend) that can be exploited as a standard user to block Defender definition updates.

At the time of the leak, all three vulnerabilities were considered zero-days by Microsoft's definition, since they had no official patches.

Additionally, as Huntress Labs security researchers revealed on April 16, attackers had also been exploiting these zero-days in attacks that showed evidence of "hands-on-keyboard threat actor activity."

"The activity also appeared to be part of a broader intrusion rather than isolated proof-of-concept (PoC) testing," the cybersecurity company said in a Monday report. "Huntress identified suspicious FortiGate SSL VPN access tied to the compromised environment, including a source IP geolocated to Russia, with additional suspicious infrastructure observed in other regions."

On Monday, CISA added the BlueHammer vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, ordering Federal Civilian Executive Branch (FCEB) agencies to patch their Windows systems against ongoing CVE-2026-33825 attacks within two weeks, by May 7.

"This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise," CISA warned.

"Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable."
