Windows BlueHammer local public exploit privilege-escalation flaw
Vulnerability
Summary
Hide ▲
Show ▼
BlueHammer (CVE-2026-33825) is a Microsoft Defender local privilege-escalation vulnerability that Microsoft patched on April 14 but that has since been abused in zero-day attacks and is now being exploited by ransomware gangs. The flaw can let a local attacker reach the SAM database, extract password hashes, escalate to SYSTEM privileges, and take over affected Windows systems. CISA added it to the Known Exploited Vulnerabilities (KEV) Catalog and has flagged it for active ransomware campaign abuse.
Cases
Related Happenings
Microsoft Defender BlueHammer (CVE-2026-33825) ransomware exploitation wave
Exploitation Wave
H score41
First: 30.06.2026 11:53
Last: 30.06.2026 11:53
Sources 1
How related:
CISA has now also flagged it as exploited in ransomware campaigns in a Monday update to its KEV Catalog.
About this happening:
CISA has flagged **BlueHammer (CVE-2026-33825)** as exploited in **ransomware campaigns**, expanding the risk to **Windows devices** exposed to privilege escalation. The flaw in *...
Microsoft Defender BlueHammer (CVE-2026-33825) ransomware exploitation wave
Exploitation WaveHow related: CISA has now also flagged it as exploited in ransomware campaigns in a Monday update to its KEV Catalog.
About this happening: CISA has flagged **BlueHammer (CVE-2026-33825)** as exploited in **ransomware campaigns**, expanding the risk to **Windows devices** exposed to privilege escalation. The flaw in *...
Microsoft Malware Protection Engine race-condition elevation-of-privilege remote code execution flaw (CVE-2026-50656)
Vulnerability
H score32
First: 17.06.2026 11:32
Last: 17.06.2026 11:32
Sources 1
About this happening:
**Microsoft** has released a security update for **CVE-2026-50656** after public disclosure of **RoguePlanet**, a **privilege-escalation** flaw in the **Microsoft Malware Protecti...
Microsoft Malware Protection Engine race-condition elevation-of-privilege remote code execution flaw (CVE-2026-50656)
VulnerabilityAbout this happening: **Microsoft** has released a security update for **CVE-2026-50656** after public disclosure of **RoguePlanet**, a **privilege-escalation** flaw in the **Microsoft Malware Protecti...
GhostTree and GhostBranch NTFS junction loops that evade recursive folder scanning
Technical Analysis
H score23
First: 16.06.2026 17:17
Last: 16.06.2026 17:17
Sources 1
About this happening:
**GhostTree** and **GhostBranch** use recursive **NTFS junction** loops to generate effectively unlimited paths, allowing files in the same folder to evade **EDR** and **Windows D...
GhostTree and GhostBranch NTFS junction loops that evade recursive folder scanning
Technical AnalysisAbout this happening: **GhostTree** and **GhostBranch** use recursive **NTFS junction** loops to generate effectively unlimited paths, allowing files in the same folder to evade **EDR** and **Windows D...
Microsoft Defender RoguePlanet race-condition zero-day remote code execution flaw
Vulnerability
H score39
First: 10.06.2026 02:11
Last: 10.06.2026 02:11
Sources 1
About this happening:
Microsoft Defender zero-day RoguePlanet is a race-condition flaw affecting fully patched Windows 10 and Windows 11 systems. A public proof-of-concept exploit was released shortly...
Microsoft Defender RoguePlanet race-condition zero-day remote code execution flaw
VulnerabilityAbout this happening: Microsoft Defender zero-day RoguePlanet is a race-condition flaw affecting fully patched Windows 10 and Windows 11 systems. A public proof-of-concept exploit was released shortly...
Latest development: 10.06.2026 08:22
The anonymous security researcher Chaotic Eclipse, also known as Nightmare-Eclipse, released a proof-of-concept (PoC) exploit for the Microsoft Defender zero-day RoguePlanet under a new GitHub account named MSNightmare. The race-condition exploit can yield a SYSTEM-level shell and arbitrary code execution when it succeeds, has been tested on Windows 11 and Windows 10 with the June 2026 Patch Tuesday updates installed, and currently does not work on Windows Server without redesign because standard users cannot mount an ISO image.
Windows cldflt.sys privilege escalation (CVE-2020-17103)
Vulnerability
H score28
First: 18.05.2026 01:30
Last: 18.05.2026 01:30
Sources 1
About this happening:
A public **MiniPlasma** proof-of-concept has renewed concern around the **Windows cldflt.sys Cloud Filter driver** because it can elevate a **standard user** to **SYSTEM** on **fu...
Windows cldflt.sys privilege escalation (CVE-2020-17103)
VulnerabilityAbout this happening: A public **MiniPlasma** proof-of-concept has renewed concern around the **Windows cldflt.sys Cloud Filter driver** because it can elevate a **standard user** to **SYSTEM** on **fu...
Timeline
-
23.04.2026 14:05 2 articles · 2mo ago
CISA orders U.S. agencies to patch BlueHammer
Legal Policy Action UpdateCISA added CVE-2026-33825, known as BlueHammer, to the Known Exploited Vulnerabilities Catalog and ordered Federal Civilian Executive Branch agencies to patch Windows and Microsoft Defender systems within two weeks, with remediation due by May 7, after evidence that attackers were exploiting the flaw in zero-day attacks.
Show sources
- CISA orders feds to patch BlueHammer flaw exploited as zero-day — www.bleepingcomputer.com — 23.04.2026 14:05
- CISA: Windows BlueHammer flaw now exploited by ransomware gangs — www.bleepingcomputer.com — 30.06.2026 11:53
-
06.04.2026 22:19 1 articles · 3mo ago
Chaotic Eclipse publishes BlueHammer exploit code
Initial DisclosureA researcher using the alias Chaotic Eclipse published BlueHammer exploit code in a GitHub repository under the name Nightmare-Eclipse, making public an unpatched Windows privilege escalation flaw with no official Microsoft patch available at the time.
Show sources
- Disgruntled researcher leaks “BlueHammer” Windows zero-day exploit — www.bleepingcomputer.com — 06.04.2026 22:19
-
06.04.2026 22:19 1 articles · 3mo ago
Analyst confirms BlueHammer privilege escalation impact
Technical Analysis UpdateSecurity analyst Will Dormann confirmed that BlueHammer is a local privilege escalation in Windows that combines TOCTOU and path confusion, can expose the Security Account Manager (SAM) database with local-account password hashes, and may let a local attacker escalate to SYSTEM or elevated administrator privileges; testers also said it did not work reliably on Windows Server.
Show sources
- Disgruntled researcher leaks “BlueHammer” Windows zero-day exploit — www.bleepingcomputer.com — 06.04.2026 22:19