BlueHammer: Windows zero-day exploit leaked
A buggy but functional proof-of-concept (PoC) exploit for an unpatched Windows local privilege escalation vulnerability dubbed BlueHammer has been published on GitHub by someone who goes by the handle Chaotic Eclipse and Nightmare Eclipse.
Several security researchers have fixed the bugs in the exploit and made it work on patched Windows 10, 11, and Windows Server systems, and the question now is whether Microsoft is planning or working on a fix.
The BlueHammer PoC exploit in action
The bug hunter’s post seems to imply that the BlueHammer vulnerability, which currently has no CVE identifier, was first disclosed to Microsoft, but unspecified problems with the disclosure process apparently made them publish the exploit.
“There are few bugs in the PoC that could prevent it from working, might fix them later,” Chaotic/Nightmare Eclipse wrote.
Vulnerability analyst Will Dormann confirmed that the published exploit works “well enough”, even on Windows Server, though on that platform it does not lead to SYSTEM privileges but “merely” to admin.
Rahul Ramesh and Reegun Jayapaul of Cyderes’ Howler Cell team also resolved the issues in the provided PoC source code and successfully tested it.
“The goal of the exploit chain is straightforward: force Microsoft Defender to create a new Volume Shadow Copy, pause Defender at precisely the right moment, then access sensitive registry hive files from that snapshot before Defender can clean up,” they explained.
This allows the exploit to extract and decrypt the stored NTLM password hashes for local accounts, change a local Administrator’s password, and log into that account.
The exploit then uses this account to duplicate the security token of the Administrator, assign it SYSTEM integrity levels, and use CreateService to create a malicious temporary Windows Service, which will execute the PoC executable again and spawn a cmd.exe instance running as NT AUTHORITY\SYSTEM in the user’s current session.
“Finally, to hide its tracks, it uses SamiChangePasswordUser again to restore the original NTLM password hash it dumped earlier, leaving the user’s password unchanged from their perspective,” they concluded.
What to do?
Brian Hussey, SVP of the Cyber Fusion team at Cyderes, notes that BlueHammer is a reminder that the most durable zero-days don’t always need a bug.
“This one turns Microsoft Defender’s own update workflow into a credential theft mechanism by chaining five legitimate Windows features in a sequence their designers never intended,” he told Help Net Security, and added that the Defender signature Microsoft pushed out since the exploit was released only catches the original exploit binary.
“A basic recompile defeats it, leaving the underlying zero-day technique completely undetected. Until a real patch arrives, security teams should be hunting for the behavioral fingerprints: Volume Shadow Copy enumeration from user-space processes, unexpected Cloud Files sync root registrations, and low-privileged accounts suddenly spawning Windows services,” he advised.
Ramesh and Jayapaul also advised organizations to watch for unexpected password changes on local Administrator accounts followed by rapid restoration, and to enforce least privilege aggressively.
“BlueHammer requires local access to execute. The attack chain begins from a standard user context, so limiting what compromised user accounts can interact with – particularly Cloud Files APIs and VSS interfaces – reduces the attack surface meaningfully,” they noted.
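A hunting sketch for the behavioral fingerprints the researchers describe above (a local Administrator password change followed by a rapid restoration, with a service install landing in between), added here as an example and not code from Cyderes or from the PoC. The Windows Security Event IDs, the simplified field names and the sample events are assumptions constructed for the demonstration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed Windows Security Event IDs: 4723/4724 = password change/reset
# attempt on an account, 4697 = a service was installed on the system.
PASSWORD_EVENTS = {4723, 4724}
SERVICE_INSTALL = 4697

# Constructed sample events (not real telemetry); fields are a simplified
# rendering of the Security log's Subject / Target Account data.
SAMPLE_EVENTS = [
    {"time": "2026-04-08T10:00:00", "id": 4724, "subject": "lowpriv", "target": "Administrator"},
    {"time": "2026-04-08T10:00:20", "id": 4697, "subject": "Administrator", "service": "svc_7f3a"},
    {"time": "2026-04-08T10:00:45", "id": 4724, "subject": "lowpriv", "target": "Administrator"},
    {"time": "2026-04-08T14:00:00", "id": 4724, "subject": "helpdesk", "target": "jdoe"},
    {"time": "2026-04-08T15:30:00", "id": 4697, "subject": "SYSTEM", "service": "WindowsUpdateSvc"},
]


def _t(event):
    return datetime.fromisoformat(event["time"])


def password_flips(events, window=timedelta(minutes=10)):
    """Return (account, first, second) for two password changes on the same
    account inside `window`: the change-then-restore pattern."""
    by_target = defaultdict(list)
    for e in sorted(events, key=_t):
        if e["id"] in PASSWORD_EVENTS:
            by_target[e["target"]].append(e)
    flips = []
    for account, evs in by_target.items():
        for first, second in zip(evs, evs[1:]):
            if _t(second) - _t(first) <= window:
                flips.append((account, first["time"], second["time"]))
    return flips


def services_during_flip(events, flips):
    """Service installs that occur between the two halves of a password flip."""
    hits = []
    for account, start, end in flips:
        lo, hi = datetime.fromisoformat(start), datetime.fromisoformat(end)
        for e in events:
            if e["id"] == SERVICE_INSTALL and lo <= _t(e) <= hi:
                hits.append((account, e["service"], e["subject"]))
    return hits


def hunt(events):
    flips = password_flips(events)
    return {"password_flips": flips, "service_installs": services_during_flip(events, flips)}
```

Run `hunt(SAMPLE_EVENTS)` against events exported from the Security log in the same shape; a lone password change by helpdesk staff is not flagged, only the change-and-restore pair with a service install in between.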
There are currently no public reports of BlueHammer being exploited by attackers, but, as the researchers pointed out, “ransomware operators and APT groups routinely weaponize public LPE PoC code within days of release,” which means that attacks may already be in progress and still flying under the radar.
The only good news here is that the exploit cannot be leveraged by unauthenticated attackers, but resourceful attackers can (and often do) find a way over that hurdle by stealing credentials, using social engineering, and so on.
We’ve reached out to Microsoft for a comment on the situation, and we’ll update this article when we hear back from them.
UPDATE (April 8, 2026, 05:15 p.m. ET):
“Microsoft has a customer commitment to investigate reported security issues and update impacted devices to protect customers as soon as possible. We also support coordinated vulnerability disclosure, a widely adopted industry practice that helps ensure issues are carefully investigated and addressed before public disclosure, supporting both customer protection and the security research community,” a Microsoft spokesperson told Help Net Security.