Morning Overview

A security researcher dropped two unpatched Windows zero-days on the same day Microsoft released 138 patches

On the same Tuesday in June 2026 that Microsoft pushed 138 security patches to hundreds of millions of Windows machines, a security researcher went public with two vulnerabilities that none of those patches fixed. One of the flaws, tracked as CVE-2026-33825 and nicknamed BlueHammer, already has a formal entry in the National Vulnerability Database. The other has no official CVE record at all. Together, they left system administrators in an uncomfortable spot: scrambling to deploy a historically large patch bundle while two freshly disclosed attack surfaces sat wide open with no fix in sight.

What is confirmed about CVE-2026-33825

The strongest evidence centers on BlueHammer. CVE-2026-33825 is formally cataloged in the NVD, the U.S. government’s vendor-neutral registry of software flaws, maintained by NIST’s Information Technology Laboratory. That listing gives the vulnerability an official identifier, links to reference advisories, and feeds directly into the automated scanning tools that federal agencies and large enterprises use to prioritize their patching queues. Any organization pulling NIST data feeds into its vulnerability management platform would already see CVE-2026-33825 flagged, likely with a stark note: no vendor patch available.

Based on its NVD classification, BlueHammer affects Windows components in a way that could let an attacker execute code or escalate privileges on a target system. Security teams have cross-referenced the CVE across multiple disclosure threads, and the record connects to government and industry publications that feed compliance and scanning frameworks. As of this writing, the NVD entry for CVE-2026-33825 does not list a finalized CVSS score or CWE classification; the record’s analysis status still shows as awaiting further review by NIST analysts. Microsoft has not published its own severity rating or a vendor advisory acknowledging the flaw.

The second zero-day is still a question mark

Far less is known about the second vulnerability disclosed alongside BlueHammer. It has no confirmed NVD entry, no assigned CVE number from a recognized numbering authority, and no public vendor advisory. Its affected Windows versions, technical scope, and severity are drawn from secondary accounts rather than authoritative records. The researcher who published both flaws has not been identified by name in any primary source reviewed for this report; secondary coverage references an anonymous handle, and no verified identity or original disclosure post has been linked in the NVD record or in Microsoft’s advisories. Until the flaw receives its own formal CVE assignment or Microsoft issues an acknowledgment, its real-world risk is difficult to assess with any precision.

Why the timing matters

Microsoft’s June 2026 Patch Tuesday addressed 138 vulnerabilities across its product line, according to the company’s Security Update Guide, placing it among the company’s larger monthly releases. (For comparison, Microsoft patched 149 CVEs in April 2024 and routinely ships between 70 and 130 fixes per month.) Organizations that applied every available update that day still walked away exposed to at least two actively discussed attack surfaces.

The researcher’s decision to publish on Patch Tuesday, rather than through a coordinated disclosure process where the vendor is privately notified and given time to prepare a fix, is a deliberate choice that the security community debates fiercely. Full disclosure, as the practice is known, typically signals either a breakdown in communication with the vendor or a calculated move to pressure faster action. Without an on-the-record statement from the researcher explaining the timing, both readings remain open.

Microsoft has not publicly explained why neither flaw appeared in the 138-patch bundle. Patch Tuesday releases are planned weeks ahead, and late-arriving vulnerability reports often miss the cutoff. Whether Microsoft knew about CVE-2026-33825 before the researcher went public, and how long the flaw may have sat in an internal queue, is a gap only the company can close.

No confirmation yet on active exploitation

A critical unknown is whether either vulnerability is already being used by attackers. When a zero-day is exploited in the wild before disclosure, the pressure for an emergency out-of-band patch spikes. CISA, the federal agency that issues binding operational directives for actively exploited flaws, has not added CVE-2026-33825 to its Known Exploited Vulnerabilities catalog as of this writing, and has not issued any public statement on either flaw. Microsoft’s Security Response Center has not flagged active exploitation either. This report’s author was unable to confirm whether the disclosing researcher contacted Microsoft or CISA before going public; neither organization has referenced prior notification in any advisory or public comment reviewed for this article. That silence does not mean exploitation is not happening; it means defenders are making risk decisions without a definitive answer.

What defenders should do right now

The first step is the obvious one: deploy the 138 Patch Tuesday fixes as fast as operational constraints allow. Those updates close a wide range of entry points that attackers could chain with a BlueHammer-style exploit, and delaying them only widens the window of exposure.

Beyond that, security teams should monitor the NVD entry for CVE-2026-33825 for any changes to its severity score, CWE classification, affected product list, or reference links, and watch Microsoft’s Security Update Guide for an out-of-band advisory. For the undocumented second flaw, the signal to watch for is a formal CVE assignment or an alert from a sector-specific information sharing organization.
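One way to automate that watch is to save the NVD record on a schedule and diff consecutive snapshots. The script below is an added example, not part of the original article: it compares two NVD CVE API 2.0 responses on the fields named above. Both snapshots are constructed, and every score, CWE, CPE and URL in them is a placeholder rather than data from the real record.

```python
# Added example: diff two saved NVD CVE API 2.0 responses for one CVE.
# Snapshots would come from the NVD endpoint
# https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=<id>; here they are
# constructed inline so the script runs offline.

def summarize(record):
    """Pull out the fields worth alerting on from one API response."""
    cve = record["vulnerabilities"][0]["cve"]
    scores = sorted(f'{kind}:{m["cvssData"]["baseScore"]}'
                    for kind, entries in cve.get("metrics", {}).items()
                    for m in entries)
    cwes = sorted({d["value"] for w in cve.get("weaknesses", [])
                   for d in w.get("description", [])})
    cpes = sorted({m["criteria"] for cfg in cve.get("configurations", [])
                   for node in cfg.get("nodes", [])
                   for m in node.get("cpeMatch", [])})
    refs = sorted({r["url"] for r in cve.get("references", [])})
    return {"status": cve.get("vulnStatus"), "cvss": scores, "cwe": cwes,
            "affected": cpes, "references": refs}

def diff_snapshots(old, new):
    """Return {field: (old, new)} for each watched field that changed."""
    a, b = summarize(old), summarize(new)
    return {k: (a[k], b[k]) for k in a if a[k] != b[k]}

# CONSTRUCTED snapshots. BEFORE mirrors the state the article describes
# (awaiting analysis, no score, no CWE); AFTER uses placeholder values only.
BEFORE = {"vulnerabilities": [{"cve": {
    "id": "CVE-2026-33825", "vulnStatus": "Awaiting Analysis", "metrics": {},
    "references": [{"url": "https://example.invalid/disclosure"}]}}]}
AFTER = {"vulnerabilities": [{"cve": {
    "id": "CVE-2026-33825", "vulnStatus": "Analyzed",
    "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 7.8}}]},
    "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}],
    "configurations": [{"nodes": [{"cpeMatch": [{
        "vulnerable": True,
        "criteria": "cpe:2.3:o:example:placeholder_os:*:*:*:*:*:*:*:*"}]}]}],
    "references": [{"url": "https://example.invalid/disclosure"},
                   {"url": "https://example.invalid/vendor-advisory"}]}}]}

if __name__ == "__main__":
    for field, (was, now) in diff_snapshots(BEFORE, AFTER).items():
        print(f"{field}: {was} -> {now}")
```

An empty result means nothing changed between snapshots; any non-empty result is the cue to re-triage the ticket.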

Compensating controls fill the gap until a patch arrives. Depending on how BlueHammer is ultimately characterized, those controls could include restricting network exposure for affected services, tightening local privilege policies, hardening remote access pathways, or increasing logging around the implicated Windows components. Organizations running NIST-aligned workflows will already see CVE-2026-33825 in their dashboards and can use that flag to document interim mitigations, track risk exceptions, and brief leadership.

Disclosure fights do not change the math for defenders

Debates over whether the researcher acted responsibly will continue long after a patch ships. What does not change is the arithmetic facing every Windows shop: two unpatched flaws are now public knowledge, one of them formally cataloged by the federal government, and attackers read the same databases defenders do. The existence of a government-maintained record for CVE-2026-33825 gives security teams a common reference point. The job now is turning that reference into prioritized, documented action before someone else turns it into an exploit.


This article was researched with the help of AI, with human editors creating the final content.