CISA confirms BlueHammer (CVE-2026-33825) is now used in ransomware attacks to gain SYSTEM privileges through Microsoft Defender.

BlueHammer, tracked as CVE-2026-33825, has moved from proof-of-concept noise to real ransomware attacks in the wild, the US CISA confirms.

BlueHammer allows attackers to escalate privileges locally through Microsoft Defender. The vulnerability, along with two other zero-days dubbed RedSun and UnDefend, was disclosed by a researcher known as Chaotic Eclipse after criticizing Microsoft's handling of the disclosure.

In mid-April, Huntress researchers reported that attackers were exploiting the three Windows flaws to target systems, though the victims and attackers remain unknown. Huntress said it saw real-world exploitation of all three flaws: attackers used BlueHammer starting April 10, 2026, then followed with RedSun and UnDefend proof-of-concept exploits on April 16. Researchers believe attackers are using public exploit code released online by Chaotic Eclipse, the controversial researcher who publicly disclosed multiple Microsoft-related issues before patches were ready.

CISA added the BlueHammer flaw to its Known Exploited Vulnerabilities catalog on April 22 and later updated the entry to note ransomware use.

BlueHammer is dangerous because it can give attackers full SYSTEM-level access. With this control, ransomware groups can turn off security tools, install malware, and spread further inside the infected device.

The US agency did not provide technical details about the attacks exploiting this issue or the ransomware group behind them.

Pierluigi Paganini