CISA has ordered U.S. federal agencies to patch a Microsoft Defender privilege escalation flaw (dubbed BlueHammer) that has been exploited in zero-day attacks.

BleepingComputer

CISA has mandated that U.S. federal agencies patch CVE-2026-33825, a Microsoft Defender privilege escalation flaw dubbed BlueHammer, within two weeks (by May 7). The vulnerability allows low-privileged local attackers to gain SYSTEM permissions. It was publicly disclosed as a zero-day by researcher 'Chaotic Eclipse' after a dispute with Microsoft's Security Response Center, and Microsoft patched it on April 14 Patch Tuesday. Huntress Labs confirmed active exploitation in real attacks, with evidence of hands-on threat actor activity linked to suspicious FortiGate SSL VPN access and a Russian-geolocated source IP. Two additional related flaws (RedSun and UnDefend) were also disclosed by the same researcher.

CISA orders feds to patch BlueHammer flaw exploited as zero-day