
BlueHammer Windows local privilege escalation zero-day exploit leaked

1 unique source, 1 article

Summary


Exploit code for an unpatched Windows privilege escalation vulnerability, tracked as BlueHammer, has been publicly released by a disgruntled security researcher. The flaw enables local attackers to escalate privileges to SYSTEM or elevated administrator levels, allowing full system compromise. Microsoft has not issued a patch, classifying the issue as a zero-day. The exploit combines a TOCTOU (time-of-check to time-of-use) and path confusion, granting access to the Security Account Manager (SAM) database to extract local account password hashes. The leak follows frustration with Microsoft’s Security Response Center (MSRC) over disclosure handling, with the researcher citing insufficient response as the trigger for public disclosure. The PoC code contains reliability issues, particularly on Windows Server platforms.

Timeline

  1. 06.04.2026 22:19 · 1 article

    BlueHammer Windows LPE zero-day exploit leaked following MSRC disclosure dispute

    On April 3rd, exploit code for the unpatched BlueHammer Windows privilege escalation vulnerability was published by a researcher citing frustration with Microsoft’s Security Response Center (MSRC). The zero-day flaw combines TOCTOU and path confusion to grant SYSTEM privileges via SAM database access. Microsoft has not issued a patch, and the PoC contains bugs affecting reliability, particularly on Windows Server platforms.


Information Snippets

  • BlueHammer is an unpatched Windows local privilege escalation (LPE) zero-day vulnerability that grants SYSTEM or elevated administrator privileges to local attackers.

    First reported: 06.04.2026 22:19
    1 source, 1 article
  • The exploit combines TOCTOU and path confusion to access the SAM database, allowing extraction of local account password hashes for further compromise.

    First reported: 06.04.2026 22:19
    1 source, 1 article
  • The exploit code was publicly released on April 3rd by a researcher using aliases Chaotic Eclipse and Nightmare-Eclipse, citing dissatisfaction with Microsoft MSRC’s disclosure handling.

    First reported: 06.04.2026 22:19
    1 source, 1 article
  • Microsoft has not issued a patch for BlueHammer, which remains a zero-day under threat of active exploitation.

    First reported: 06.04.2026 22:19
    1 source, 1 article
  • The PoC exploit contains bugs that may prevent reliable execution, particularly on Windows Server platforms, where it may only elevate from non-admin to elevated admin with user authorization.

    First reported: 06.04.2026 22:19
    1 source, 1 article
  • Will Dormann, principal vulnerability analyst, confirmed the exploit works and described its technical mechanics, including SAM database access and SYSTEM privilege escalation.

    First reported: 06.04.2026 22:19
    1 source, 1 article