Protect.Computer
NEWS

BlueHammer: leaked Windows zero-day gives attackers SYSTEM privileges — no patch yet

· 3 min read · Privilege escalation Local code execution
BlueHammer: leaked Windows zero-day gives attackers SYSTEM privileges — no patch yet

Photo by protect.computer (custom explainer graphic) on protect.computer

What happened

A security researcher operating under the aliases Chaotic Eclipse and Nightmare-Eclipse publicly released working exploit code for an unpatched Windows privilege escalation vulnerability, dubbed BlueHammer, after growing frustrated with how Microsoft’s Security Response Center (MSRC) handled the disclosure.

The researcher published the exploit GitHub repository on April 3, 2026, with a pointed message: “I was not bluffing Microsoft, and I’m doing it again.”

Will Dormann, principal vulnerability analyst at Tharros, confirmed the exploit works. He described BlueHammer as a local privilege escalation (LPE) flaw that chains two weaknesses:

  • A TOCTOU (time-of-check to time-of-use) race condition
  • A path confusion issue

The combination gives an attacker read access to the Security Account Manager (SAM) database, which stores NTLM password hashes for all local Windows accounts. From there, escalation to SYSTEM-level privileges is straightforward — enabling the attacker to spawn privileged shells and achieve complete machine compromise.

What systems are affected

  • Windows 11 workstations — independently confirmed by multiple researchers
  • Windows Server appears largely unaffected; testing showed the exploit fails on Server or only elevates non-admin to elevated administrator rather than full SYSTEM

Microsoft had not responded with a patch or public statement as of publication time. Since no fix exists, this is a true zero-day by any standard definition.

Why this matters

The PoC code is now publicly available on GitHub. That changes the threat model significantly:

  • Previously, exploiting this flaw required deep technical knowledge
  • With working code in the open, script-level attackers can adapt it, even with the noted bugs
  • BlueHammer requires local access, but local access is routinely achieved through phishing, malware droppers, and compromised remote-access sessions

An attacker who already has a foothold — say, via a phishing email or a compromised third-party tool — can now use BlueHammer to move from a low-privileged user account to full SYSTEM control in a single step.

How to check if you’re affected

Affected systems

  • Windows 11 workstations (all recent builds — no specific build exclusions confirmed)
  • Any environment where non-admin users or service accounts could be leveraged by a local attacker

Concrete verification steps (15–30 minutes)

  1. Confirm your Windows version

    • Run winver (Win + R → winver) on endpoint systems
    • Document whether devices are Windows 11 workstations or Windows Server
    • Server editions appear lower-risk based on current testing

  2. Assess your local-access attack surface

    • Who has interactive or RDP sessions on Windows 11 machines?
    • Are there shared workstations, VDI environments, or admin tools that run under low-privilege accounts?
    • Review users with local (non-admin) access — any of them is a potential launcher

  3. Check for SAM-access or credential-dumping activity

    • Enable or review Windows Event Log for events involving the SAM hive (Event ID 4656, 4663 on \SAM)
    • Check for unusual lsass.exe or registry access patterns via EDR telemetry
    • Look for lateral movement (pass-the-hash attempts) from workstations after a possible exploit

  4. Tighten local-access controls immediately

    • Enforce principle of least privilege — remove unnecessary local accounts
    • Enable Credential Guard on Windows 11 Enterprise/Education (partially mitigates SAM abuse)
    • Require Secure Boot and ensure UEFI integrity is verified
    • Use Local Administrator Password Solution (LAPS) to randomize local admin passwords across endpoints

  5. Monitor the GitHub repository and Microsoft MSRC

    • Track the Nightmare-Eclipse repository for updates or additional exploit variants
    • Watch the MSRC security update guide for an out-of-band patch announcement
    • Subscribe to CISA alerts if a KEV addition occurs

Immediate defensive actions

  • Deploy Credential Guard where supported to reduce the impact of SAM-database exposure
  • Audit local account usage — rotate passwords for any shared local accounts now
  • Heighten EDR alerts for suspicious registry and SAM-related access on Windows 11 endpoints
  • Apply defense-in-depth: ensure attackers cannot easily get local access in the first place (patch other vulns, harden phishing defenses, limit RDP exposure)

Bottom line

BlueHammer has no patch and confirmed working PoC code. It targets a very common OS (Windows 11), and the exploit’s public availability lowers the bar for abuse. Until Microsoft ships a fix, focus on preventing local attacker access and detecting SAM-related activity on your endpoints.

Sources

Related reading

News
TrueConf CVE-2026-3502 zero-day abused to push malicious updates from trusted servers

Researchers report active exploitation of CVE-2026-3502 in TrueConf, where attackers can abuse an on-prem server trust path to deliver malicious client updates to connected endpoints.

News
CISA adds Trivy CVE-2026-33634 to KEV after supply-chain compromise

CISA added CVE-2026-33634 affecting Aqua Security Trivy to the Known Exploited Vulnerabilities catalog, signaling active exploitation risk and urgent patching/credential-rotation needs.

News
Google patches CVE-2026-5281, the fourth actively exploited Chrome zero-day of 2026

Google released Chrome 146.0.7680.177/178 to fix CVE-2026-5281, a high-severity Dawn use-after-free vulnerability with confirmed in-the-wild exploitation.

News
Telegram ZDI-CAN-30207: critical zero-click claim appears in coordinated disclosure window

A new ZDI entry (ZDI-CAN-30207) lists a critical-severity Telegram issue under coordinated disclosure; technical details remain withheld and Telegram has publicly disputed sticker-based exploitation claims.