A frustrated security researcher has released working exploit code for an unpatched Windows vulnerability that allows attackers to escalate from ordinary user accounts to full SYSTEM privileges. The researcher, operating under the alias Chaotic Eclipse, published the code on GitHub after Microsoft reportedly dismissed their private vulnerability report.
The zero-day, dubbed BlueHammer, exploits Windows Defender’s own update process to gain access to the Security Account Manager database and crack administrator passwords. The exploit has been confirmed to work, though the proof-of-concept contains deliberate bugs that reduce its reliability. Security researcher Will Dormann independently verified that the flaw escalates a local attacker to SYSTEM privileges in under a minute.
Microsoft’s Vulnerability Team Is Not What It Used to Be
The public disclosure stems from what the researcher describes as a breakdown in communication with Microsoft’s Security Response Center. Security researcher Will Dormann suggested on Mastodon that MSRC “used to be quite excellent to work with” but that cost-cutting has left only “flowchart followers” in place of the skilled security professionals who once handled vulnerability reports.
The researcher alleges that Microsoft closed their case after they declined to submit a video demonstration of the exploit, which has reportedly become an MSRC requirement. According to Cybernews, Microsoft later clarified that video demonstrations help assess impact but are not mandatory for vulnerability submissions.
This marks a pattern of declining quality in Microsoft’s vulnerability handling that deserves more scrutiny than it receives. The researcher’s frustration is understandable: responsible disclosure only works when the vendor responds responsibly.
The Flaw Chains Five Legitimate Windows Features
BlueHammer is not a traditional software bug. According to Cyderes analysts, the exploit chains together five legitimate Windows components, including Microsoft Defender, the Volume Shadow Copy Service, Cloud Files callbacks and opportunistic locks, in a sequence their designers never intended. Each piece works as designed; the vulnerability only emerges when they interact with the right timing.
During Defender’s update process, the exploit uses Cloud Files callbacks and oplocks to pause the security software at precisely the moment it creates a Volume Shadow Copy snapshot. This leaves the snapshot mounted with the SAM, SYSTEM and SECURITY registry hives accessible; these files are normally locked while the system is running. The attacker can then dump password hashes, crack them offline and use a compromised administrator account to spawn a SYSTEM-level shell.
Security testing by multiple researchers confirmed the exploit works across Windows versions, though success rates vary by system configuration. On Windows Server platforms, the exploit achieves administrative rather than SYSTEM privileges in some cases.
Ransomware Groups Will Have This Within Days
As Cyderes notes, “ransomware operators and APT groups routinely weaponise public LPE PoC code within days of release.” The public availability of working exploit code means threat actors can quickly adapt it for use in malware campaigns or post-exploitation frameworks.
Local privilege escalation vulnerabilities are particularly valuable to attackers because they bridge the gap between initial compromise and meaningful system control. An attacker who gains access through phishing or a web exploit typically lands with limited user privileges. BlueHammer can elevate that foothold to complete system control.
Microsoft has issued no patch, assigned no CVE and provided no timeline for a fix. The company’s only public response has been a generic statement about supporting “coordinated vulnerability disclosure”, a notable phrasing given that this disclosure was anything but coordinated.
What Windows Administrators Should Do
There is no patch available. Microsoft has not acknowledged the vulnerability beyond generic statements to news outlets. Until a fix becomes available, the most effective mitigation is restricting local user access wherever possible and monitoring for suspicious process activity.
The exploit requires local access to succeed, but attackers routinely combine privilege escalation flaws with initial access techniques like stolen credentials or social engineering. Organisations should treat any local account compromise as potentially escalating to SYSTEM privileges until Microsoft releases a patch.
Enable detailed process monitoring on critical systems and watch for unusual activity around Windows Defender update processes. The exploit’s interaction with Volume Shadow Copy services may generate detectable audit events, though a determined attacker could modify the technique to reduce its forensic footprint.
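As an added illustration of the monitoring suggested above (this is not code from the article or from any of the cited sources), the following Python flags reads of the SAM, SYSTEM or SECURITY hives through a shadow-copy device path and groups them per process, so that an ordinary user account touching hives inside a snapshot stands out from a backup agent running as SYSTEM. The log format, the sample records, the process names and the account names are constructed assumptions; adapt the parser to your sensor's real output.

```python
import re

# Constructed sample events (hypothetical, not telemetry from the real PoC), pipe-delimited
# as an EDR or Sysmon-style sensor might log file access: time|pid|user|image|target
SAMPLE_LOG = r"""
2024-01-01T10:00:01|412|NT AUTHORITY\SYSTEM|C:\Windows\System32\svchost.exe|\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\Windows\System32\config\SYSTEM
2024-01-01T10:00:02|5120|CORP\jdoe|C:\Users\jdoe\Downloads\tool.exe|\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\Windows\System32\config\SAM
2024-01-01T10:00:03|5120|CORP\jdoe|C:\Users\jdoe\Downloads\tool.exe|\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\Windows\System32\config\SYSTEM
2024-01-01T10:00:04|5120|CORP\jdoe|C:\Users\jdoe\Downloads\tool.exe|C:\Users\jdoe\notes.txt
2024-01-01T10:00:05|777|CORP\jdoe|C:\Windows\explorer.exe|C:\Windows\System32\config\SAM
"""
# The three hives the article says the mounted snapshot leaves exposed,
# matched only when read through a shadow-copy device path (not the live hive).
SHADOW_HIVE = re.compile(
    r"HarddiskVolumeShadowCopy\d+\\Windows\\System32\\config\\(SAM|SYSTEM|SECURITY)$",
    re.IGNORECASE)
SYSTEM_ACCOUNT = r"NT AUTHORITY\SYSTEM"
def parse_event(line):
    """Split one record into its fields; None for blank or malformed lines."""
    fields = line.strip().split("|")
    if len(fields) != 5:
        return None
    time, pid, user, image, target = fields
    return {"time": time, "pid": int(pid), "user": user, "image": image, "target": target}
def detect_shadow_hive_access(log_text):
    """One finding per hive read through a shadow copy. SYSTEM callers are 'info'
    (backup agents do this legitimately); any other account is 'high', the pattern
    the article describes: an ordinary user reading hives out of a snapshot."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        m = SHADOW_HIVE.search(ev["target"]) if ev else None
        if not m:
            continue
        ev["hive"] = m.group(1).upper()
        ev["severity"] = "info" if ev["user"].upper() == SYSTEM_ACCOUNT.upper() else "high"
        findings.append(ev)
    return findings

def hives_per_process(findings):
    """Group 'high' findings by (pid, user): SAM together with SYSTEM from one
    non-SYSTEM process is the strongest signal, as both are needed to recover hashes."""
    grouped = {}
    for f in findings:
        if f["severity"] == "high":
            grouped.setdefault((f["pid"], f["user"]), set()).add(f["hive"])
    return grouped

if __name__ == "__main__":
    print(hives_per_process(detect_shadow_hive_access(SAMPLE_LOG)))
```

On the constructed sample, the SYSTEM-owned svchost read is reported as informational, while the user-owned process that reads both SAM and SYSTEM out of the snapshot is the single high-severity group.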
References
- BleepingComputer: Disgruntled researcher leaks “BlueHammer” Windows zero-day exploit
- Help Net Security: BlueHammer Windows zero-day exploit leaked
- Cyderes: BlueHammer Inside the Windows Zero-Day
- Cybernews: Hackers gain Windows system privileges with new zero-day
- Security Affairs: Experts published unpatched Windows zero-day BlueHammer