Find notable cyber news and cases, enriched with sources, timelines, and signals.

Windows BlueHammer local public exploit privilege-escalation flaw

Vulnerability
First reported
Last updated
Happening score
H score 47
1 unique sources, 3 articles

Summary

Hide ▲

BlueHammer (CVE-2026-33825) is a Microsoft Defender local privilege-escalation vulnerability that Microsoft patched on April 14 but that has since been abused in zero-day attacks and is now being exploited by ransomware gangs. The flaw can let a local attacker reach the SAM database, extract password hashes, escalate to SYSTEM privileges, and take over affected Windows systems. CISA added it to the Known Exploited Vulnerabilities (KEV) Catalog and has flagged it for active ransomware campaign abuse.

Cases

Related Happenings

Microsoft Defender BlueHammer (CVE-2026-33825) ransomware exploitation wave

Exploitation Wave
H score41 First: 30.06.2026 11:53 Last: 30.06.2026 11:53 Sources 1

How related: CISA has now also flagged it as exploited in ransomware campaigns in a Monday update to its KEV Catalog.

About this happening: CISA has flagged **BlueHammer (CVE-2026-33825)** as exploited in **ransomware campaigns**, expanding the risk to **Windows devices** exposed to privilege escalation. The flaw in *...

Microsoft Malware Protection Engine race-condition elevation-of-privilege remote code execution flaw (CVE-2026-50656)

Vulnerability
H score32 First: 17.06.2026 11:32 Last: 17.06.2026 11:32 Sources 1

About this happening: **Microsoft** has released a security update for **CVE-2026-50656** after public disclosure of **RoguePlanet**, a **privilege-escalation** flaw in the **Microsoft Malware Protecti...

GhostTree and GhostBranch NTFS junction loops that evade recursive folder scanning

Technical Analysis
H score23 First: 16.06.2026 17:17 Last: 16.06.2026 17:17 Sources 1

About this happening: **GhostTree** and **GhostBranch** use recursive **NTFS junction** loops to generate effectively unlimited paths, allowing files in the same folder to evade **EDR** and **Windows D...

Microsoft Defender RoguePlanet race-condition zero-day remote code execution flaw

Vulnerability
H score39 First: 10.06.2026 02:11 Last: 10.06.2026 02:11 Sources 1

About this happening: Microsoft Defender zero-day RoguePlanet is a race-condition flaw affecting fully patched Windows 10 and Windows 11 systems. A public proof-of-concept exploit was released shortly...

Latest development: 10.06.2026 08:22

The anonymous security researcher Chaotic Eclipse, also known as Nightmare-Eclipse, released a proof-of-concept (PoC) exploit for the Microsoft Defender zero-day RoguePlanet under a new GitHub account named MSNightmare. The race-condition exploit can yield a SYSTEM-level shell and arbitrary code execution when it succeeds, has been tested on Windows 11 and Windows 10 with the June 2026 Patch Tuesday updates installed, and currently does not work on Windows Server without redesign because standard users cannot mount an ISO image.

Windows cldflt.sys privilege escalation (CVE-2020-17103)

Vulnerability
H score28 First: 18.05.2026 01:30 Last: 18.05.2026 01:30 Sources 1

About this happening: A public **MiniPlasma** proof-of-concept has renewed concern around the **Windows cldflt.sys Cloud Filter driver** because it can elevate a **standard user** to **SYSTEM** on **fu...

Timeline

  1. 23.04.2026 14:05 2 articles · 2mo ago

    CISA orders U.S. agencies to patch BlueHammer

    Legal Policy Action Update

    CISA added CVE-2026-33825, known as BlueHammer, to the Known Exploited Vulnerabilities Catalog and ordered Federal Civilian Executive Branch agencies to patch Windows and Microsoft Defender systems within two weeks, with remediation due by May 7, after evidence that attackers were exploiting the flaw in zero-day attacks.

    Show sources
  2. 06.04.2026 22:19 1 articles · 3mo ago

    Chaotic Eclipse publishes BlueHammer exploit code

    Initial Disclosure

    A researcher using the alias Chaotic Eclipse published BlueHammer exploit code in a GitHub repository under the name Nightmare-Eclipse, making public an unpatched Windows privilege escalation flaw with no official Microsoft patch available at the time.

    Show sources
  3. 06.04.2026 22:19 1 articles · 3mo ago

    Analyst confirms BlueHammer privilege escalation impact

    Technical Analysis Update

    Security analyst Will Dormann confirmed that BlueHammer is a local privilege escalation in Windows that combines TOCTOU and path confusion, can expose the Security Account Manager (SAM) database with local-account password hashes, and may let a local attacker escalate to SYSTEM or elevated administrator privileges; testers also said it did not work reliably on Windows Server.

    Show sources