CISA has confirmed that ransomware operators are actively exploiting CVE-2026-33825, a privilege-escalation vulnerability in Microsoft Defender that's been given the nickname BlueHammer. The flaw doesn't get an attacker into a machine on its own, it's used after initial access to jump from a limited foothold to full administrative control, which is precisely the step that turns a contained incident into a full-blown ransomware deployment.
This is what makes privilege-escalation bugs in security software particularly frustrating: Defender is meant to be the thing stopping the attack, not a stepping stone through it. It's a reminder that every piece of software running with elevated privileges, security tools included, is itself part of the attack surface.
Any organisation running Windows with Microsoft Defender, which is to say most organisations running Windows at all, since Defender ships built in and is the default for many. The exploitation reported so far has come after attackers already achieved some initial access through other means, so this is a mid-chain escalation tool rather than an entry point, but it's a well-used one.
Microsoft patches Defender through a separate update channel from the main Windows security updates, which trips people up. Go to Settings, then Windows Update, then Advanced options, and confirm that "Receive updates for other Microsoft products" is switched on. Without it, Defender's own engine and platform updates, including the fix for this flaw, may not be applied even if your OS shows as fully up to date. It takes thirty seconds to check and it's worth doing on every managed machine in your organisation, not just your own.