CISA Confirms CVE-2026-33825 Ransomware Exploitation Eight Days After Microsoft Patch
CISA documented ransomware use of CVE-2026-33825 after Huntress zero-day sightings. The case illustrates how public pre-patch disclosures by disgruntled researchers compress the window between publication and operational deployment against widely deployed EDR agents.
Huntress telemetry captured pre-patch exploitation of CVE-2026-33825 for privilege escalation inside enterprise environments. The flaw was publicly disclosed on April 2 by researcher Chaotic Eclipse after Microsoft did not agree to a coordinated disclosure timeline. CISA’s April 22 KEV entry was later amended to note ransomware operator usage, while Microsoft’s advisory still lists exploitation only as “more likely” without confirming in-the-wild cases.
The disclosure pattern matches prior Chaotic Eclipse releases: public exploit code before vendor patch, followed by rapid adoption in commodity ransomware campaigns. Similar timelines appear in the SimpleHelp and Splunk Enterprise incidents where public proof-of-concept code preceded observed intrusions by days. GreyNoise sensors recorded scanning spikes for the affected Defender component within 72 hours of the April 2 disclosure.
Contract and procurement records show Microsoft Defender for Endpoint remains the default EDR on 60 percent of federal civilian agency endpoints per FY2024 FedRAMP data. This concentration creates a single point of failure when researcher frustration produces accelerated public drops.
Defenders should prioritize KEV entries over vendor “more likely” exploitation language and monitor for follow-on lateral movement via the same authenticated escalation path.
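One way to act on that advice, as an added example not taken from the article, CISA, Huntress or Microsoft: a small script that parses records in the shape of CISA's public KEV JSON feed and ranks ransomware-linked entries ahead of the rest by remaining time to the catalog due date. The field names match the public feed; the sample records, their due dates and the CVE-0000-* identifiers are constructed placeholders.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed. Only the cveID and
# dateAdded of the first record come from the article; the dueDate values and
# the CVE-0000-* identifiers are placeholders, not real catalog data.
SAMPLE_KEV_JSON = """{
  "vulnerabilities": [
    {"cveID": "CVE-2026-33825", "vendorProject": "Microsoft",
     "product": "Microsoft Defender for Endpoint", "dateAdded": "2026-04-22",
     "dueDate": "2026-05-13", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor",
     "product": "ExampleProduct", "dateAdded": "2026-04-20",
     "dueDate": "2026-05-11", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor",
     "product": "OtherProduct", "dateAdded": "2026-04-25",
     "dueDate": "2026-05-16", "knownRansomwareCampaignUse": "Known"}
  ]
}"""

def load_kev(feed_text):
    """Parse a KEV feed document and return its vulnerability records."""
    return json.loads(feed_text)["vulnerabilities"]

def is_ransomware_linked(entry):
    """CISA marks entries seen in ransomware campaigns with the literal 'Known'."""
    return entry.get("knownRansomwareCampaignUse") == "Known"

def triage(entries, today_iso):
    """Order records: ransomware-linked first, then by days left to the KEV
    due date (overdue entries sort ahead because their day count is negative).
    The catalog's own fields drive the ranking, not vendor 'more likely' wording."""
    today = date.fromisoformat(today_iso)
    def sort_key(entry):
        days_left = (date.fromisoformat(entry["dueDate"]) - today).days
        return (0 if is_ransomware_linked(entry) else 1, days_left)
    return sorted(entries, key=sort_key)

def kev_status(entries, cve_id):
    """Return 'not listed', 'listed' or 'ransomware' for one CVE identifier."""
    for entry in entries:
        if entry["cveID"] == cve_id:
            return "ransomware" if is_ransomware_linked(entry) else "listed"
    return "not listed"

if __name__ == "__main__":
    records = load_kev(SAMPLE_KEV_JSON)
    for rec in triage(records, "2026-04-30"):
        print(rec["cveID"], rec["dueDate"], kev_status(records, rec["cveID"]))
```

Against the live feed, replace SAMPLE_KEV_JSON with the downloaded catalog text; the record structure is the same.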
Huntress: Observed exploitation of two additional Microsoft Defender components tied to the same researcher within 45 days
Sources (2)
- [1] [Primary Source](https://www.securityweek.com/bluehammer-vulnerability-exploited-in-ransomware-attacks/)
- [2] [Supporting Source](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)