Microsoft Defender BlueHammer (CVE-2026-33825) ransomware exploitation wave
Exploitation Wave
Summary
CISA has flagged BlueHammer (CVE-2026-33825) as exploited in ransomware campaigns, expanding the risk to Windows devices exposed to privilege escalation. The flaw in Microsoft Defender can let an authorized attacker elevate to SYSTEM and take over a targeted machine. Microsoft patched the issue on April 14, but the KEV update shows active abuse is still occurring.
Related Happenings
Microsoft Defender RoguePlanet security update (CVE-2026-50656)
Security Patch Release
H score: 32
First: 17.06.2026 20:36
Last: 17.06.2026 20:36
Sources 1
About this happening:
**Microsoft** is preparing a **security update** for **Microsoft Defender** to address **CVE-2026-50656**, a **privilege-escalation** flaw in the **Microsoft Malware Protection En...
Microsoft Malware Protection Engine race-condition elevation-of-privilege remote code execution flaw (CVE-2026-50656)
Vulnerability
H score: 32
First: 17.06.2026 11:32
Last: 17.06.2026 11:32
Sources 1
About this happening:
A **Microsoft Defender** zero-day tracked as **CVE-2026-50656** can elevate privileges to **SYSTEM** on **fully patched Windows 10 and Windows 11** devices. Microsoft says it is *...
Major U.S. services company hit by ransomware attack linked to DragonForce
Incident
H score: 38
First: 16.06.2026 13:18
Last: 16.06.2026 13:18
Sources 1
About this happening:
A **DragonForce ransomware** incident hit a **major U.S. services firm** in **December 2025**, with attackers maintaining access for **one to two months** and hiding **command-and...
Microsoft Windows June 2026 Patch Tuesday zero-day fixes (multiple vulnerabilities)
Security Patch Release
H score: 40
First: 10.06.2026 12:57
Last: 10.06.2026 12:57
Sources 1
About this happening:
**Microsoft**'s **June 2026 Patch Tuesday** fixed **three Windows zero-days** that could yield **SYSTEM** access or bypass **BitLocker** on vulnerable systems.
Microsoft Defender RoguePlanet race-condition zero-day remote code execution flaw
Vulnerability
H score: 39
First: 10.06.2026 02:11
Last: 10.06.2026 02:11
Sources 1
About this happening:
Microsoft Defender zero-day RoguePlanet is a race-condition flaw affecting fully patched Windows 10 and Windows 11 systems. A public proof-of-concept exploit was released shortly...
Latest development: 10.06.2026 08:22
The anonymous security researcher Chaotic Eclipse, also known as Nightmare-Eclipse, released a proof-of-concept (PoC) exploit for the Microsoft Defender zero-day RoguePlanet under a new GitHub account named MSNightmare. The race-condition exploit can yield a SYSTEM-level shell and arbitrary code execution when it succeeds, has been tested on Windows 11 and Windows 10 with the June 2026 Patch Tuesday updates installed, and currently does not work on Windows Server without redesign because standard users cannot mount an ISO image.
Timeline
- 30.06.2026 11:53 · 1 article
Microsoft patches BlueHammer privilege-escalation flaw
Mitigation Patch Update: Microsoft patched BlueHammer (CVE-2026-33825) in the April 2026 Patch Tuesday, closing a Microsoft Defender access-control flaw that could let an authorized attacker elevate privileges locally and reach the Security Account Manager (SAM) database.
Sources:
- CISA: Windows BlueHammer flaw now exploited by ransomware gangs — www.bleepingcomputer.com — 30.06.2026 11:53
- 30.06.2026 11:53 · 1 article
CISA adds BlueHammer to the KEV Catalog
Legal Policy Action Update: CISA added BlueHammer (CVE-2026-33825) to its Known Exploited Vulnerabilities (KEV) Catalog on April 22 and ordered Federal Civilian Executive Branch (FCEB) agencies to patch affected Windows devices by May 7 after ongoing attacks were identified.
Sources:
- CISA: Windows BlueHammer flaw now exploited by ransomware gangs — www.bleepingcomputer.com — 30.06.2026 11:53
- 30.06.2026 03:00 · 2 articles
CISA flags BlueHammer as exploited in ransomware campaigns
Campaign Scope Update: CISA's Monday KEV update said ransomware gangs are exploiting BlueHammer (CVE-2026-33825) against Microsoft Defender on Windows devices, extending earlier zero-day abuse into ransomware campaigns.
Sources:
- CISA: Windows BlueHammer flaw now exploited by ransomware gangs — www.bleepingcomputer.com — 30.06.2026 11:53
- CISA: Windows BlueHammer flaw now exploited by ransomware gangs — www.bleepingcomputer.com — 30.06.2026 11:53