Find notable cyber news and cases, enriched with sources, timelines, and signals.

CISA KEV order for BlueHammer patching

Public Sector Action
First reported
Last updated
Happening score
H score 37
1 unique sources, 2 articles

Summary

Hide ▲

CISA ordered Federal Civilian Executive Branch agencies to patch Windows systems against CVE-2026-33825 within two weeks after adding BlueHammer to the Known Exploited Vulnerabilities (KEV) Catalog. The flaw affects Microsoft Defender and can let a low-privileged local attacker escalate to SYSTEM on unpatched devices. The directive landed while the issue was already tied to zero-day attacks and later flagged as exploited in ransomware campaigns.

Related Happenings

Microsoft Defender BlueHammer (CVE-2026-33825) ransomware exploitation wave

Exploitation Wave
H score41 First: 30.06.2026 11:53 Last: 30.06.2026 11:53 Sources 1

How related: CISA has now also flagged it as exploited in ransomware campaigns in a Monday update to its KEV Catalog.

About this happening: CISA has flagged **BlueHammer (CVE-2026-33825)** as exploited in **ransomware campaigns**, expanding the risk to **Windows devices** exposed to privilege escalation. The flaw in *...

Microsoft releases RoguePlanet Defender security update for CVE-2026-50656

Security Patch Release
H score32 First: 17.06.2026 20:36 Last: 17.06.2026 20:36 Sources 1

About this happening: **Microsoft** has released a **security update** for **CVE-2026-50656**, remediating **RoguePlanet** in the **Microsoft Malware Protection Engine (mpengine.dll)**. The flaw is a *...

Latest development: 09.07.2026 11:48

Microsoft released security updates for CVE-2026-50656, remediating the RoguePlanet privilege-escalation flaw in Microsoft Malware Protection Engine (mpengine.dll) with version 1.1.26060.3008 and additional defense-in-depth updates. Microsoft said no customer action is required to install the update.

Microsoft Malware Protection Engine race-condition elevation-of-privilege remote code execution flaw (CVE-2026-50656)

Vulnerability
H score32 First: 17.06.2026 11:32 Last: 17.06.2026 11:32 Sources 1

About this happening: **Microsoft** has released a security update for **CVE-2026-50656** after public disclosure of **RoguePlanet**, a **privilege-escalation** flaw in the **Microsoft Malware Protecti...

Microsoft Defender RoguePlanet race-condition zero-day remote code execution flaw

Vulnerability
H score39 First: 10.06.2026 02:11 Last: 10.06.2026 02:11 Sources 1

About this happening: Microsoft Defender zero-day RoguePlanet is a race-condition flaw affecting fully patched Windows 10 and Windows 11 systems. A public proof-of-concept exploit was released shortly...

Latest development: 10.06.2026 08:22

The anonymous security researcher Chaotic Eclipse, also known as Nightmare-Eclipse, released a proof-of-concept (PoC) exploit for the Microsoft Defender zero-day RoguePlanet under a new GitHub account named MSNightmare. The race-condition exploit can yield a SYSTEM-level shell and arbitrary code execution when it succeeds, has been tested on Windows 11 and Windows 10 with the June 2026 Patch Tuesday updates installed, and currently does not work on Windows Server without redesign because standard users cannot mount an ISO image.

CERT-In issues 12-hour patch guidance for Indian organizations

Public Sector Action
H score38 First: 26.05.2026 13:30 Last: 26.05.2026 13:30 Sources 1

About this happening: **CERT-In** published new guidance on **May 25** urging Indian organizations to patch **actively exploited internet-facing vulnerabilities** within **12 hours**, tightening respon...

Timeline

  1. 23.04.2026 14:05 1 articles · 2mo ago

    Microsoft patches BlueHammer in Patch Tuesday updates

    Mitigation Patch Update

    Microsoft patched CVE-2026-33825, dubbed BlueHammer, on April 14 as part of Patch Tuesday after a security researcher using the Chaotic Eclipse handle published proof-of-concept exploit code. The flaw in Microsoft Defender lets low-privileged local attackers gain SYSTEM permissions on unpatched Windows devices through an insufficient granularity of access control weakness.

    Show sources
  2. 23.04.2026 14:05 1 articles · 2mo ago

    Huntress observes active BlueHammer exploitation

    Exploitation Observed

    Huntress Labs said on April 16 that attackers had been exploiting these zero-days in attacks showing hands-on-keyboard threat actor activity. The compromised environment also showed suspicious FortiGate SSL VPN access, including a source IP geolocated to Russia and additional suspicious infrastructure in other regions.

    Show sources
  3. 23.04.2026 14:05 3 articles · 2mo ago

    CISA adds BlueHammer to KEV and orders federal patching

    Legal Policy Action Update

    CISA added BlueHammer, CVE-2026-33825, to its Known Exploited Vulnerabilities (KEV) Catalog and ordered Federal Civilian Executive Branch agencies to patch affected Windows systems within two weeks, until May 7. CISA warned that the vulnerability is a frequent attack vector for malicious cyber actors and advised agencies to apply vendor mitigations or discontinue use of the product if mitigations are unavailable.

    Show sources