Microsoft Defender users are advised to update their software after a security flaw known as BlueHammer was found to have been used in ransomware attacks. The weakness, tracked as CVE-2026-33825, has been added to the list of flaws actively exploited by malicious actors. It is part of a growing trend of ransomware attackers using zero-day issues.
The issue came to light after a cybersecurity researcher, known as Chaotic Eclipse or Nightmare Eclipse, shared information about another vulnerability before the update was released. The same individual has criticized Microsoft several times over its approach to the disclosure of security weaknesses, and has published multiple posts about actively exploited problems before their official fix date.
Microsoft published details of BlueHammer on April 2nd, whereas the security update was released on April 14th. The flaw was categorized as a privilege escalation vulnerability that allows an authenticated attacker to escalate privileges. Microsoft later updated the description, rating exploitation as more likely than not, while refraining from officially acknowledging active exploitation.
According to independent security researchers, the vulnerability was actively exploited by ransomware operators before the release of that security update. The evidence came from a report by the Huntress team, which discovered multiple attacks that used CVE-2026-33825 as a zero-day exploit. This prompted the addition of the weakness to CISA’s Known Exploited Vulnerabilities (KEV) list on April 22nd, with the listing later updated to note its use in ransomware attacks.
Despite the confirmation of ransomware attacks, the CISA listing does not indicate what group may be responsible. There is no public evidence linking BlueHammer to any known ransomware group or family, even though the weakness has been actively used in ransomware operations. It is also unclear whether other ransomware groups have used it or are using it currently.
The issue has also prompted debate over the response to such incidents, with critics noting that defenders and security researchers are not notified when a weakness is flagged as used in ransomware operations.
In practice, CISA only updates the KEV list periodically and does not provide threat intelligence or response support to individual organizations each time a weakness is added. Some security experts have argued that notifying defenders directly would be a better approach. In the meantime, the threat intelligence company GreyNoise has announced a free service that monitors the KEV list for changes and flags when an entry is updated to record use in ransomware attacks.
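As an added example, not code from the article or from GreyNoise's service, the Python below shows the kind of check such a monitor performs: it compares two downloads of CISA's public KEV JSON feed and raises an alert when an entry is new or when its knownRansomwareCampaignUse field flips to "Known". The field names follow the real feed schema; the two snapshots are constructed sample data, with the CVE-2026-33825 entry modelled on the listing change described above, and the vendor watchlist is an assumption about what the organization runs.

```python
import json

# Field names (cveID, vendorProject, product, dateAdded, knownRansomwareCampaignUse)
# follow the schema of CISA's public KEV JSON feed; the two snapshots below are
# constructed sample data standing in for two downloads of that feed.
SNAPSHOT_APR_22 = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2026-33825", "vendorProject": "Microsoft", "product": "Defender",
     "dateAdded": "2026-04-22", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2026-00001", "vendorProject": "ExampleVendor", "product": "Widget",
     "dateAdded": "2026-04-20", "knownRansomwareCampaignUse": "Known"},
]})
SNAPSHOT_LATER = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2026-33825", "vendorProject": "Microsoft", "product": "Defender",
     "dateAdded": "2026-04-22", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2026-00001", "vendorProject": "ExampleVendor", "product": "Widget",
     "dateAdded": "2026-04-20", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2026-00002", "vendorProject": "Microsoft", "product": "Windows",
     "dateAdded": "2026-04-23", "knownRansomwareCampaignUse": "Unknown"},
]})


def _index(feed_json):
    """Map cveID -> entry for one KEV feed snapshot."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}


def kev_changes(old_json, new_json, watch_vendors=None):
    """Compare two KEV snapshots and return a sorted list of (cveID, event) alerts.

    event is "added" for a CVE that newly appeared in the catalog, or
    "ransomware" for an existing CVE whose knownRansomwareCampaignUse
    flipped to "Known". watch_vendors (an assumed, optional set) limits
    alerts to vendors whose products the organization actually runs.
    """
    old, new = _index(old_json), _index(new_json)
    alerts = []
    for cve in sorted(new):
        entry = new[cve]
        if watch_vendors and entry["vendorProject"] not in watch_vendors:
            continue
        if cve not in old:
            alerts.append((cve, "added"))
            continue
        was_known = old[cve].get("knownRansomwareCampaignUse") == "Known"
        if not was_known and entry.get("knownRansomwareCampaignUse") == "Known":
            alerts.append((cve, "ransomware"))
    return alerts


if __name__ == "__main__":
    for cve, event in kev_changes(SNAPSHOT_APR_22, SNAPSHOT_LATER, {"Microsoft"}):
        print(f"{cve}: {event}")
```

Running it against the constructed snapshots reports CVE-2026-00002 as newly added and CVE-2026-33825 as newly flagged for ransomware use, while the entry that was already marked "Known" in both snapshots stays silent.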
The discovery of BlueHammer illustrates how quickly ransomware attackers can adopt newly discovered vulnerabilities into their operations. Experts advise defenders to remain alert, apply Microsoft security updates promptly and monitor threat intelligence channels for relevant weaknesses. Ransomware operators continue to pursue such opportunities, which makes a prompt response to updates crucial.
This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents