What Happened
CISA flagged CVE-2026-33825, the Microsoft Defender privilege escalation flaw known as BlueHammer, as exploited in ransomware attacks. The flaw stems from insufficient granularity of access control in Defender and lets a low-privileged local attacker gain SYSTEM permissions on unpatched Windows devices. Researcher “Nightmare Eclipse” leaked the vulnerability with proof-of-concept code in early April. Microsoft patched it on April 14, and CISA added it to the Known Exploited Vulnerabilities catalog on April 22 with a May 7 federal remediation deadline. The new ransomware designation raises the stakes. CISA has not named the group behind the attacks, and Microsoft has yet to tag the flaw as exploited.
Why This Matters for Canadian Organizations
Defender ships with every Windows endpoint, so this flaw sits inside almost every Canadian enterprise, government department, hospital, and school board fleet. Privilege escalation bugs act as force multipliers in ransomware intrusions. An attacker who lands a foothold through phishing or a stolen credential uses BlueHammer to reach SYSTEM, disable defences, move laterally, and stage encryption. The two-month gap since the patch shipped means exploitation now concentrates on organizations with slow update cycles — a pattern Canadian incident responders see repeatedly.
A ransomware incident touching personal information triggers breach assessment and notification obligations under PIPEDA. Federally regulated financial institutions also carry OSFI B-13 expectations for prompt remediation of exploited vulnerabilities, and BlueHammer now sits squarely in the exploited category.
What to Do
Confirm the April 14 Windows security updates and the current Defender Malware Protection Engine version are deployed across your fleet, including servers and remote endpoints outside regular patch rings. Hunt for unexpected SYSTEM-level process creation and Defender service tampering dating back to early April, when the proof-of-concept went public. Treat any unpatched device as a candidate for isolation until updated.
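A triage script covering the three steps above, added here as an example and not taken from the report. The patched engine version and the April 14 KB number are placeholders, since the report gives neither; the Defender, Service Control Manager and Security event IDs are the standard Windows IDs for protection changes, service state changes and process creation.

```powershell
# Added example, not from the original report. PLACEHOLDERS below must be filled
# in from Microsoft's advisory: the report does not state the patched engine
# version or the KB number of the April 14 update.
$MinEngineVersion = [version]'0.0.0.0'      # PLACEHOLDER: patched Defender engine version
$PatchKB          = 'KB0000000'             # PLACEHOLDER: April 14 cumulative update
$Since            = Get-Date '2026-04-01'   # proof-of-concept went public in early April

# 1. Patch state: Defender engine version, the April update, and protection settings
$mp = Get-MpComputerStatus
[pscustomobject]@{
    Host               = $env:COMPUTERNAME
    EngineVersion      = $mp.AMEngineVersion
    EnginePatched      = ([version]$mp.AMEngineVersion -ge $MinEngineVersion)
    UpdateInstalled    = [bool](Get-HotFix -Id $PatchKB -ErrorAction SilentlyContinue)
    TamperProtection   = $mp.IsTamperProtected
    RealTimeProtection = $mp.RealTimeProtectionEnabled
} | Format-List

# 2. Defender tampering since early April: real-time protection disabled (5001),
#    config changed (5004/5007), scanning disabled (5010/5012), tamper protection
#    blocked a change (5013), plus WinDefend service state/start-type changes.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 5001, 5004, 5007, 5010, 5012, 5013
    StartTime = $Since
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-Table -Wrap

Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7036, 7040; StartTime = $Since } `
    -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Windows Defender|WinDefend' } |
    Select-Object TimeCreated, Id, Message | Format-Table -Wrap

# 3. Unexpected SYSTEM processes: 4688 events where an interactive (non-SYSTEM,
#    non-machine) account created a process whose token is SYSTEM.
#    Requires "Audit Process Creation" to be enabled on the endpoint.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $Since } `
    -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml(); $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d.TargetUserName -eq 'SYSTEM' -and $d.SubjectUserName -ne 'SYSTEM' -and
            $d.SubjectUserName -notlike '*$') {
            [pscustomobject]@{ Time = $_.TimeCreated; Creator = $d.SubjectUserName
                               NewProcess = $d.NewProcessName; Parent = $d.ParentProcessName }
        }
    } | Format-Table -AutoSize
```

Run it per host from an elevated session (reading the Security log requires administrator rights) and feed the output to your EDR or SIEM hunt rather than treating any single hit as confirmation.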
Read the full report at BleepingComputer.