CISA Puts BlueHammer Zero-Day on KEV, Gives Agencies Three Weeks to Patch
CISA added the BlueHammer flaw to its Known Exploited Vulnerabilities catalog after confirming active zero-day exploitation in the wild. Federal civilian agencies now have a binding deadline under BOD 22-01 to apply the vendor patch or pull affected systems offline, typically a 21-day window from the KEV listing date.
KEV inclusion is the operational signal that matters here: it converts a CVE from a theoretical entry in a scanner into mandatory remediation work for federal networks, and it raises the bar for private-sector defenders who treat the catalog as a prioritization layer. Exploitation already in progress means detection engineering, not just patching — any environment that hasn’t rolled the fix should assume probing activity and hunt for post-exploitation artifacts rather than waiting on the maintenance window.
The broader pattern is unchanged: endpoint and defender-class products remain high-value targets precisely because they run with elevated privileges and broad telemetry access, so a bypass or code-execution bug in one ships the attacker directly past the control surface meant to catch them.
Continue reading at BleepingComputer. This is an AI-generated summary. Read the original for the full story.