CISA updated its Known Exploited Vulnerabilities entry for CVE-2026-33825 on June 30 to add a ransomware campaign flag — confirming that ransomware operators are now actively weaponizing the Windows Defender privilege escalation flaw known as BlueHammer as part of their attack chains.
BlueHammer’s Path From Microsoft Defender to the SAM Database
CVE-2026-33825, tagged “BlueHammer,” is a privilege escalation vulnerability in Microsoft Defender that stems from insufficient access control granularity. An authorized local user on a vulnerable system can exploit the flaw to escalate their privileges beyond what their account should permit. Once escalated, exploitation provides access to the Security Account Manager database — the Windows component that stores local account password hashes — and achieves what CISA’s advisory describes as “complete control of the targeted system.”
The flaw’s position inside Microsoft Defender, the primary endpoint security product shipped with every modern Windows installation, creates an operational problem for organizations that depend on Defender as their first line of defense. An attack that abuses Defender’s own privilege structure may not trigger the same detection logic that Defender applies to external attacker tools — the trusted security software becomes the avenue through which privilege is obtained.
How CVE-2026-33825 Went From PoC Leak to Ransomware Campaign
The BlueHammer vulnerability followed an accelerated trajectory from initial discovery to confirmed ransomware use. A proof-of-concept was first leaked in early April 2026, prior to any official disclosure. Microsoft responded by releasing a patch on April 14. Despite the rapid patch availability, zero-day exploitation was confirmed within days of the patch release — indicating threat actors were already aware of and actively using the vulnerability before Microsoft published the fix.
CISA initially added CVE-2026-33825 to its Known Exploited Vulnerabilities catalog on April 22, setting a mandatory federal remediation deadline of May 7. The June 30 update is a material escalation of that original entry: CISA has now confirmed that ransomware threat groups are actively incorporating BlueHammer into their intrusion chains, using the privilege escalation to move laterally and deepen their access within victim environments.
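Tracking a KEV entry change like this one is a catalog-diffing job rather than a patching job. The script below is an added illustration, not from the article or from CISA: it parses records in the layout of CISA's public KEV JSON feed (the field names, including knownRansomwareCampaignUse and dueDate, match that feed; the records themselves are constructed here, and the second one is an obvious placeholder) and ranks unpatched entries so that ransomware-flagged and overdue items surface first.

```python
import json
from datetime import date, datetime

# Constructed sample in the layout of CISA's KEV JSON feed. Field names match the
# public feed; the first record uses the dates from the article, the second is a
# placeholder record and not a real catalog entry.
SAMPLE_KEV_JSON = """{
  "catalogVersion": "2026.06.30",
  "vulnerabilities": [
    {"cveID": "CVE-2026-33825", "vendorProject": "Microsoft",
     "product": "Defender", "vulnerabilityName": "BlueHammer privilege escalation",
     "dateAdded": "2026-04-22", "dueDate": "2026-05-07",
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-PLACEHOLDER", "vendorProject": "ExampleVendor",
     "product": "ExampleProduct", "vulnerabilityName": "Placeholder entry",
     "dateAdded": "2026-06-20", "dueDate": "2026-07-11",
     "knownRansomwareCampaignUse": "Unknown"}
  ]
}"""


def parse_kev(text):
    """Return the vulnerability records from a KEV catalog JSON document."""
    return json.loads(text)["vulnerabilities"]


def triage(entries, today, patched):
    """Rank KEV entries not yet remediated in this environment.

    entries: KEV records; today: a date; patched: set of CVE IDs already fixed.
    Returns dicts with cveID, ransomware (True when CISA marks the entry as
    'Known' ransomware use) and days_overdue (negative while the due date is
    still ahead). Ransomware-flagged entries sort first, then the most overdue.
    """
    rows = []
    for entry in entries:
        if entry["cveID"] in patched:
            continue
        due = datetime.strptime(entry["dueDate"], "%Y-%m-%d").date()
        rows.append({
            "cveID": entry["cveID"],
            "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
            "days_overdue": (today - due).days,
        })
    rows.sort(key=lambda r: (not r["ransomware"], -r["days_overdue"]))
    return rows


if __name__ == "__main__":
    # Evaluate the catalog as of the June 30 update, with nothing patched yet.
    for row in triage(parse_kev(SAMPLE_KEV_JSON), date(2026, 6, 30), set()):
        print(row)
```

Feeding the live feed instead of the sample string, and the set of CVEs your patch records show as closed, turns this into a daily check that reports exactly which flagged entries are still open and by how many days they have missed the federal due date.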
Why Ransomware Operators Value SAM Database Access During Attacks
Ransomware intrusion chains typically involve multiple phases: initial access, privilege escalation, lateral movement, and payload deployment. CVE-2026-33825 is particularly useful at the privilege escalation and lateral movement stages. Access to the SAM database yields local account password hashes that can be cracked offline or used directly in pass-the-hash attacks to authenticate to other systems on the same network without knowing the plaintext passwords.
For ransomware operators targeting enterprise environments, obtaining SAM database hashes from one compromised workstation can provide credentials that unlock access to additional machines — broadening the ransomware deployment footprint and increasing the volume of encrypted systems before detection and response can interrupt the campaign.
Organizations That Missed the May 7 Deadline Now Face Ransomware Operators
The June 30 CISA update arrives nearly two months after the original May 7 federal remediation deadline. Any organization that had not applied the Microsoft April 14 patch by May 7 has now had the consequences of that delay confirmed: ransomware groups are using the unpatched flaw in live attacks.
Microsoft’s patch for CVE-2026-33825 has been available since April 14. Organizations that remain unpatched should treat the CISA ransomware campaign flag as confirmation that their unpatched Defender installations are active targets. Applying the patch is the only complete remediation; no configuration change or supplementary detection rule substitutes for the fix to the underlying access control flaw.
Security teams should also audit for indicators of SAM database access consistent with BlueHammer exploitation, particularly on systems where privilege escalation attempts were logged around or after the April 14 patch release date. The compressed timeline from PoC leak to zero-day exploitation suggests early-stage attacks may have preceded patch application in environments that moved slowly on the April update.
