Unpatched 'BlueHammer' Windows Zero-Day Lets Local Users Escalate to Admin — PoC Is Public
Introduction
A researcher using the alias "Chaotic Eclipse" has publicly released exploit code for an unpatched Windows zero-day dubbed "BlueHammer." The flaw combines a race condition and path confusion in Windows Defender's signature update system to let a local user dump password hashes from the SAM database and escalate to full administrator privileges. Microsoft has not yet released a patch, and security firms warn that ransomware gangs will likely weaponize the exploit within days.
What Happened
On April 2, Chaotic Eclipse published a blog post and a GitHub repository containing a working proof-of-concept for BlueHammer, citing frustration with Microsoft's Security Response Center (MSRC) over an unsatisfactory disclosure interaction. The vulnerability is a time-of-check to time-of-use (TOCTOU) race condition combined with path confusion in the way Windows Defender processes signature updates. When exploited, it allows a local user to access the Security Account Manager (SAM) database, extract NTLM password hashes, and perform a pass-the-hash attack to gain administrator rights — effectively giving the attacker complete control of the system.
Multiple researchers have confirmed the exploit works on Windows desktop systems, though it does not currently appear to work on Windows Server due to additional mitigations present on server platforms. The exploit is acknowledged to be less than 100% reliable, but Cyderes and Trend Micro's Zero Day Initiative both warn that skilled threat actors will resolve those issues quickly. Microsoft has pushed an update that makes exploitation "slightly harder to detect" according to the researcher, but has not fixed the underlying vulnerability.
Why It Matters
A local privilege escalation zero-day with public exploit code is one of the most dangerous scenarios for enterprise Windows environments. Attackers who gain initial access through phishing, a compromised browser, or any other foothold can chain BlueHammer to immediately escalate to admin — bypassing all user-level restrictions. Ransomware groups and APTs typically integrate working local privesc exploits into their toolkits within days of public release. The fact that this targets Windows Defender's own update mechanism is particularly ironic: the security tool itself becomes the attack surface. Until Microsoft patches this, every Windows desktop installation is potentially at risk.
Who Is Affected
- All Windows desktop systems (Windows 10, Windows 11) with Windows Defender enabled
- Enterprise environments where users have local access to workstations
- Organizations relying on Windows Defender as their primary endpoint protection
- Windows Server appears unaffected at this time due to additional platform mitigations
How to Protect Yourself
1. Monitor for SAM database access attempts
Watch for processes accessing C:\Windows\System32\config\SAM outside of normal system operations. Two things are needed before Windows generates Event ID 4663 for that file: the "File System" subcategory under Object Access must be enabled, and the SAM file itself must carry a SACL (an audit entry) for the access types you want recorded. The auditpol command alone only does the first:
# Enable the Object Access > File System audit subcategory (a SACL on the file is still required)
auditpol /set /subcategory:"File System" /success:enable /failure:enable
Then monitor the Security event log for Event ID 4663 whose Object Name is the SAM path.
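The following PowerShell script is an added example, not code from the article or the researcher's repository. It performs all three parts of this step: it enables the audit subcategory, adds an audit rule (SACL) to the SAM hive so that reads of it generate Event ID 4663, and then lists the user and process behind each such event. The SACL step assumes the account running it has administrative rights (Get-Acl -Audit and Set-Acl need SeSecurityPrivilege); the property indices come from the 4663 event schema (Properties[6] = ObjectName, [11] = ProcessName, [1] = SubjectUserName).

```powershell
# Added example (not from the article): enable file-system object-access auditing,
# put a SACL on the SAM hive so reads of it produce Event ID 4663, then report
# which processes triggered those events. Run from an elevated prompt.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

$samPath = 'C:\Windows\System32\config\SAM'

# Assumption: the caller holds SeSecurityPrivilege (administrators do), which is
# required to read and write the SACL part of the security descriptor.
$acl = Get-Acl -Path $samPath -Audit
$rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
    'Everyone',                 # audit every principal
    'ReadData,ReadAttributes',  # rights whose use should be recorded
    'None', 'None',             # no inheritance flags (this is a single file)
    'Success,Failure')          # record both successful and failed attempts
$acl.AddAuditRule($rule)
Set-Acl -Path $samPath -AclObject $acl

# Report 4663 events whose Object Name is the SAM hive.
# 4663 schema: Properties[1] = SubjectUserName, [6] = ObjectName, [11] = ProcessName
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 5000 -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[6].Value -like '*\System32\config\SAM' } |
    Select-Object TimeCreated,
        @{ N = 'User';    E = { $_.Properties[1].Value } },
        @{ N = 'Process'; E = { $_.Properties[11].Value } } |
    Format-Table -AutoSize
```

Expect a baseline of legitimate system activity against the hive (for example backup and servicing components); the value of this check is in the unexpected process names and user accounts that appear once that baseline is known.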
2. Restrict local user permissions where possible
Reduce the number of users with local interactive logon rights. Use Group Policy to limit who can log in locally:
Computer Configuration → Windows Settings → Security Settings
→ Local Policies → User Rights Assignment → "Allow log on locally"
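To verify what the Group Policy setting actually resolved to on a given workstation, the script below (an added example, not part of the article) exports the local security policy with secedit and prints the principals currently holding the "Allow log on locally" right, which is stored as SeInteractiveLogonRight. It assumes an elevated prompt and the standard secedit export format, where well-known principals are written as *SID.

```powershell
# Added example (not from the article): list the accounts currently granted
# "Allow log on locally" (SeInteractiveLogonRight) on this machine so the
# Group Policy change can be verified. Run from an elevated prompt.
$inf = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null

$line = Get-Content -Path $inf | Where-Object { $_ -match '^SeInteractiveLogonRight\s*=' }
Remove-Item -Path $inf -Force

if (-not $line) {
    Write-Output 'SeInteractiveLogonRight is not listed; built-in defaults apply.'
} else {
    $entries = ($line -split '=', 2)[1].Trim() -split ','
    foreach ($entry in $entries) {
        $entry = $entry.Trim()
        if ($entry.StartsWith('*')) {
            # secedit writes principals as *SID; translate the SID to an account name.
            $sid = [System.Security.Principal.SecurityIdentifier]::new($entry.Substring(1))
            try { $entry = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { }
        }
        Write-Output $entry
    }
}
```

On a default workstation the output includes the local Administrators, Users, Backup Operators and Guest groups; the goal of this step is to see that list shrink to the groups that genuinely need interactive access.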
3. Deploy Credential Guard and LSA protection
Credential Guard prevents NTLM hash extraction from memory. Enable it via Group Policy:
Computer Configuration → Administrative Templates
→ System → Device Guard → "Turn On Virtualization Based Security"
→ Set "Credential Guard Configuration" to "Enabled with UEFI lock"
Additionally, enable LSA protection:
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v RunAsPPL /t REG_DWORD /d 1 /f
Requires a reboot.
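The script below is an added example, not from the article, for confirming that both settings in this step took effect after the reboot. It reads the Win32_DeviceGuard WMI class (where a value of 1 in SecurityServicesRunning means Credential Guard is running), checks the RunAsPPL value the article sets, and notes the System log event that confirms LSASS started protected. One caveat worth keeping in mind: Credential Guard isolates the credentials LSA holds for domain accounts; it does not protect the local account hashes stored in the SAM hive, so this check covers the pass-the-hash stage rather than the SAM read itself.

```powershell
# Added example (not from the article): verify Credential Guard and LSA
# protection (RunAsPPL) on this machine. Run from an elevated prompt.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName 'Win32_DeviceGuard'

# SecurityServicesConfigured / SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI
$cgConfigured = $dg.SecurityServicesConfigured -contains 1
$cgRunning    = $dg.SecurityServicesRunning    -contains 1
Write-Output ("Credential Guard configured: {0}; running: {1}" -f $cgConfigured, $cgRunning)

# RunAsPPL = 1 matches the reg add command above; recent Windows 11 builds also
# accept 2 (enabled without UEFI lock).
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ppl = (Get-ItemProperty -Path $lsaKey -Name RunAsPPL -ErrorAction SilentlyContinue).RunAsPPL
if ($ppl -in 1, 2) {
    Write-Output "RunAsPPL = $ppl (LSA protection configured; takes effect after a reboot)"
} else {
    Write-Output 'RunAsPPL not set: LSA protection is off'
}

# After the reboot, WinInit logs Event ID 12 in the System log when LSASS
# starts as a protected process; its absence means the setting did not apply.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Wininit'; Id = 12 } -MaxEvents 1 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

If Credential Guard shows as configured but not running, the usual causes are virtualization extensions disabled in firmware or a missing Hyper-V/VBS platform component; the WMI class also exposes VirtualizationBasedSecurityStatus for narrowing that down.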
4. Watch for pass-the-hash activity
Monitor for Event ID 4624 with Logon Type 9 (NewCredentials) or Logon Type 3 from local addresses, which can indicate pass-the-hash usage:
# Security 4624: Properties[8] = LogonType, Properties[5] = TargetUserName
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624} -MaxEvents 500 |
    Where-Object { $_.Properties[8].Value -eq 9 } |
    Select-Object TimeCreated, @{N='User';E={$_.Properties[5].Value}}
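The query above covers only the Logon Type 9 case. The script below, an added example rather than the article's own code, generalizes it to both patterns the text describes: Type 9 (NewCredentials) logons, and Type 3 (network) logons authenticated with NTLM whose source address is the local host. It also surfaces the logon process and authentication package so that a hit can be triaged without opening each event. Property indices follow the 4624 event schema; the loopback address list is a constructed assumption and should be extended with the host's own addresses if your environment logs them there.

```powershell
# Added example (not from the article): hunt recent 4624 events for the two
# pass-the-hash indicators described above. 4624 schema indices used:
# [5] TargetUserName, [6] TargetDomainName, [8] LogonType,
# [10] AuthenticationPackageName, [17] ProcessName, [18] IpAddress.
$localAddrs = @('127.0.0.1', '::1')   # constructed: loopback sources only

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 2000 -ErrorAction SilentlyContinue

$events | ForEach-Object {
    $p = $_.Properties
    [pscustomobject]@{
        Time        = $_.TimeCreated
        User        = "$($p[6].Value)\$($p[5].Value)"
        LogonType   = [int]$p[8].Value
        AuthPackage = [string]$p[10].Value
        Process     = [string]$p[17].Value
        SourceIp    = [string]$p[18].Value
    }
} | Where-Object {
    # Pattern 1: NewCredentials logon (Type 9)
    $_.LogonType -eq 9 -or
    # Pattern 2: NTLM network logon originating from the local machine
    ($_.LogonType -eq 3 -and $_.AuthPackage -eq 'NTLM' -and $localAddrs -contains $_.SourceIp)
} | Sort-Object Time -Descending | Format-Table -AutoSize
```

Type 9 logons are also produced by legitimate administration (for example, runas with /netonly), so correlate the Process and User columns against expected admin activity before escalating an alert.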
5. Apply the patch as soon as Microsoft releases it
Subscribe to Microsoft's Security Update Guide and prioritize this CVE the moment it is assigned and patched. Until then, the mitigations above reduce — but do not eliminate — the risk.
Source
'BlueHammer' Windows Exploit Signals Microsoft Disclosure Issues — Dark Reading