A proof-of-concept (PoC) exploit, known as BlueHammer, has emerged on GitHub, attributed to the user handles Chaotic Eclipse and Nightmare Eclipse. This exploit targets a local privilege escalation vulnerability in Windows that remains unpatched, raising concerns within the cybersecurity community. While the PoC is described as buggy, several security researchers have successfully modified it to function on updated versions of Windows 10, 11, and Windows Server. The pressing question now is whether Microsoft is actively working on a fix for this vulnerability.
The BlueHammer PoC exploit in action
The initial disclosure of the BlueHammer vulnerability appears to have been made to Microsoft, but complications in the disclosure process led to the public release of the exploit. Chaotic/Nightmare Eclipse noted, “There are few bugs in the PoC that could prevent it from working; I might fix them later.”
Vulnerability analyst Will Dormann has confirmed that the exploit operates effectively, even on Windows Server, although it does not grant SYSTEM privileges on that platform, only administrative access. Researchers Rahul Ramesh and Reegun Jayapaul from Cyderes’ Howler Cell team have addressed issues within the PoC source code and conducted successful tests.
According to Ramesh and Jayapaul, the exploit’s mechanism is quite straightforward: it manipulates Microsoft Defender to create a new Volume Shadow Copy, pauses Defender at a critical moment, and then accesses sensitive registry hive files from that snapshot before Defender can intervene. This process enables the extraction and decryption of stored NTLM password hashes for local accounts, allowing for the alteration of a local Administrator’s password and subsequent login to that account.
Once logged in, the exploit duplicates the security token of the Administrator, assigns it SYSTEM integrity levels, and utilizes CreateService to establish a malicious temporary Windows Service. This service executes the PoC executable again, ultimately spawning a cmd.exe instance running as NT AUTHORITY\SYSTEM within the user’s current session. To cover its tracks, the exploit employs SamiChangePasswordUser to restore the original NTLM password hash, maintaining the appearance of an unchanged password from the user’s perspective.
What to do?
Brian Hussey, Senior Vice President of the Cyber Fusion team at Cyderes, emphasizes that BlueHammer serves as a reminder that some of the most resilient zero-day vulnerabilities do not necessarily rely on traditional bugs. “This one turns Microsoft Defender’s own update workflow into a credential theft mechanism by chaining five legitimate Windows features in a sequence their designers never intended,” he explained in an interview with Help Net Security. He also noted that the Defender signature released since the exploit’s publication only detects the original exploit binary, meaning a simple recompilation could bypass detection, leaving the underlying zero-day technique undetected.
Until a genuine patch is available, Hussey advises security teams to focus on identifying behavioral fingerprints, such as:
- Volume Shadow Copy enumeration from user-space processes
- Unexpected Cloud Files sync root registrations
- Low-privileged accounts suddenly spawning Windows services
Ramesh and Jayapaul further recommend that organizations monitor for unexpected password changes on local Administrator accounts, especially those followed by rapid restoration. They stress the importance of enforcing least privilege policies rigorously. “BlueHammer requires local access to execute. The attack chain begins from a standard user context, so limiting what compromised user accounts can interact with—particularly Cloud Files APIs and VSS interfaces—meaningfully reduces the attack surface,” they noted.
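The two recommendations above (low-privileged accounts suddenly installing services, and a local Administrator password change followed by a rapid restoration) can be turned into simple correlation logic over Security-log events. The following is an added example written for this article, not code from the researchers, Cyderes or Microsoft. It runs over a handful of constructed, simplified event records; the event-ID meanings it relies on (4724 for a password reset attempt, 4697 for a service installation) are the author's assumptions about the Windows Security log, the record layout is invented for the example, and the installer allow-list is something you would populate from your own environment.

```python
"""Toy detector for two BlueHammer behavioural fingerprints.

Added example (not from the article or the researchers it quotes).
Event records are constructed and simplified; field names are not a real
log schema.
"""
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). Event-ID meanings used here
# are assumptions: 4724 = attempt to reset an account's password,
# 4697 = a service was installed in the system.
SAMPLE_EVENTS = [
    {"ts": "2026-04-08T14:00:01", "id": 4724, "subject": "LAB\\alice",      "target": "Administrator"},
    {"ts": "2026-04-08T14:00:09", "id": 4697, "subject": "LAB\\alice",      "service": "tmpsvc-8f2a"},
    {"ts": "2026-04-08T14:00:40", "id": 4724, "subject": "LAB\\alice",      "target": "Administrator"},
    {"ts": "2026-04-08T09:12:00", "id": 4724, "subject": "LAB\\helpdesk",   "target": "Administrator"},
    {"ts": "2026-04-08T10:30:00", "id": 4697, "subject": "LAB\\svc-deploy", "service": "agent-updater"},
]

# Accounts expected to install services; constructed names standing in for
# the allow-list you would derive from your own environment.
KNOWN_SERVICE_INSTALLERS = {"LAB\\svc-deploy", "NT AUTHORITY\\SYSTEM"}


def _ts(event):
    """Parse the ISO-8601 timestamp carried by a sample event."""
    return datetime.fromisoformat(event["ts"])


def admin_password_churn(events, window=timedelta(minutes=5)):
    """Flag a local Administrator password reset that is followed by another
    reset within `window` (the reset-then-restore pattern)."""
    resets = sorted(
        (e for e in events if e["id"] == 4724 and e["target"] == "Administrator"),
        key=_ts,
    )
    findings = []
    for first, second in zip(resets, resets[1:]):
        if _ts(second) - _ts(first) <= window:
            findings.append({"subject": first["subject"], "first": first["ts"], "restore": second["ts"]})
    return findings


def service_install_by_unexpected_subject(events, allowlist=KNOWN_SERVICE_INSTALLERS):
    """Flag service installations whose subject is not a known installer."""
    return [e for e in events if e["id"] == 4697 and e["subject"] not in allowlist]


def correlate(events, window=timedelta(minutes=5)):
    """Raise severity when the same subject installs a service between the
    reset and the restore; a churn finding on its own stays medium."""
    installs = service_install_by_unexpected_subject(events)
    findings = []
    for churn in admin_password_churn(events, window):
        t0 = datetime.fromisoformat(churn["first"])
        t1 = datetime.fromisoformat(churn["restore"])
        related = [s for s in installs if s["subject"] == churn["subject"] and t0 <= _ts(s) <= t1]
        findings.append({**churn, "service_installs": related, "severity": "high" if related else "medium"})
    return findings


if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)
```

On the constructed sample the helpdesk reset at 09:12 is not flagged (no second reset follows it within the window), while the two resets by `LAB\alice` thirty-nine seconds apart, with a service installation by the same account in between, produce a single high-severity finding. The allow-list is a deliberately crude stand-in for "low-privileged account": in a real deployment you would key it off group membership or a tiered-admin model rather than a static set.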
Currently, there are no public reports indicating that BlueHammer has been exploited by malicious actors. However, researchers caution that “ransomware operators and APT groups routinely weaponize public LPE PoC code within days of release,” suggesting that attacks may already be underway, albeit unnoticed. The silver lining is that the exploit cannot be executed by unauthenticated attackers; however, determined individuals can often circumvent this barrier through credential theft, social engineering, and other means.
We have reached out to Microsoft for a statement regarding the situation and will provide updates as they become available.
UPDATE (April 8, 2026, 05:15 p.m. ET):
“Microsoft has a customer commitment to investigate reported security issues and update impacted devices to protect customers as soon as possible. We also support coordinated vulnerability disclosure, a widely adopted industry practice that helps ensure issues are carefully investigated and addressed before public disclosure, supporting both customer protection and the security research community,” a Microsoft spokesperson stated in response to inquiries from Help Net Security.