CISA updated the Known Exploited Vulnerabilities (KEV) entry for CVE-2026-33825, the Windows Defender local-privilege-escalation (LPE) flaw known as BlueHammer, to confirm that ransomware gangs now exploit it for SYSTEM-level access before deploying encryptors. Microsoft patched the flaw on 14 April and CISA listed it on 22 April. It was disclosed by a researcher using the handle Chaotic Eclipse, whose run of Microsoft bugs produced a fifth unpatched zero-day last month . 1
The flaw works as a time-of-check-to-time-of-use race in Defender's remediation engine: the software checks a file's status, then acts on it a moment later, and an attacker swaps the target in between. On its own an LPE does nothing. Chained after an initial break-in, it hands an attacker the SYSTEM rights needed to switch off defences and encrypt at will. That is why the update matters: it turns a three-month-old patch that many programmes deprioritised into a live step in a working ransomware chain.
