Full Report
Exploit code has been released for an unpatched Windows privilege escalation flaw reported privately to Microsoft, allowing attackers to gain SYSTEM or elevated administrator permissions. [...]
Analysis Summary
# Vulnerability: BlueHammer Windows Local Privilege Escalation (Zero-Day)
## CVE Details
- **CVE ID**: Pending (No CVE assigned as of April 6, 2026)
- **CVSS Score**: Estimated 7.8 (High) - based on typical LPE metrics
- **CWE**: CWE-367 (Time-of-check Time-of-use / TOCTOU), CWE-444 (Path Confusion)
## Affected Systems
- **Products**: Microsoft Windows
- **Versions**: Confirmed on Windows Desktop/Client versions; Windows Server (limited success reported due to exploit bugs). Specific build numbers are not yet detailed by the vendor.
- **Configurations**: Local access to the system is required.
## Vulnerability Description
BlueHammer is a Local Privilege Escalation (LPE) flaw that arises from a combination of a Time-of-Check to Time-of-Use (TOCTOU) race condition and a path confusion vulnerability. The flaw allows a local, low-privileged user to gain unauthorized access to the Security Account Manager (SAM) database. By accessing the SAM database, an attacker can extract password hashes for local accounts or manipulate system files to spawn a shell with SYSTEM-level privileges.
## Exploitation
- **Status**: PoC available; publicly disclosed as a zero-day.
- **Complexity**: High (The PoC is reportedly "buggy" and requires specific timing/conditions to work reliably).
- **Attack Vector**: Local (requires prior access to the machine).
## Impact
- **Confidentiality**: High (Access to SAM database and password hashes).
- **Integrity**: High (Ability to modify system-level files and settings).
- **Availability**: High (ability to compromise the entire machine, potentially leading to system instability or lockout).
## Remediation
### Patches
- **None**: As of the report date, Microsoft has not released an official patch for this vulnerability.
### Workarounds
- **Strict Access Control**: Limit local access to critical systems and ensure the principle of least privilege is strictly enforced.
- **UAC Policies**: On Windows Server, the exploit currently only elevates from non-admin to elevated administrator; ensuring robust User Account Control (UAC) settings may provide a layer of defense.
- **Endpoint Monitoring**: Increase monitoring of processes that access the SAM database outside of expected system operations.
## Detection
- **Indicators of Compromise**:
  - Unexpected access or modification attempts to `%SystemRoot%\System32\config\SAM`.
  - Spawning of `cmd.exe` or `powershell.exe` with `SYSTEM` privileges from a low-privileged parent process.
- **Detection Methods**: Use EDR (Endpoint Detection and Response) tools to monitor for TOCTOU-related file system patterns or symbolic link manipulations used to confuse file paths.
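As an added example that is not part of the original report, the following Python applies the two indicators above to constructed process-creation and file-access records. The record layout, the `NT AUTHORITY\SYSTEM` account string and the allowlist of processes expected to read the SAM hive are assumptions made for this example.

```python
import ntpath

# Indicators from the Detection section, normalised for comparison.
SAM_PATH = r"%systemroot%\system32\config\sam"
SHELL_IMAGES = {"cmd.exe", "powershell.exe"}
SYSTEM_USER = "nt authority\\system"
# Assumed allowlist of processes that legitimately read the SAM hive (tune per environment).
EXPECTED_SAM_READERS = {"lsass.exe", "services.exe", "svchost.exe"}

def normalise_path(path: str) -> str:
    """Lowercase, use backslashes, and fold a literal C:\\Windows prefix back to %SystemRoot%."""
    p = path.lower().replace("/", "\\")
    if p.startswith(r"c:\windows"):
        p = "%systemroot%" + p[len(r"c:\windows"):]
    return p

def unexpected_sam_access(ev: dict) -> bool:
    """File-access event on the SAM hive from a process not on the allowlist."""
    if ev.get("type") != "file_access" or normalise_path(ev["path"]) != SAM_PATH:
        return False
    return ntpath.basename(ev["image"]).lower() not in EXPECTED_SAM_READERS

def system_shell_from_low_parent(ev: dict) -> bool:
    """Process-create event: cmd/powershell running as SYSTEM under a non-SYSTEM parent."""
    if ev.get("type") != "process_create" or ntpath.basename(ev["image"]).lower() not in SHELL_IMAGES:
        return False
    return ev["user"].lower() == SYSTEM_USER and ev["parent_user"].lower() != SYSTEM_USER

RULES = {"unexpected_sam_access": unexpected_sam_access,
         "system_shell_from_low_parent": system_shell_from_low_parent}

def scan(events: list) -> list:
    """Return (rule name, event id) for every record that matches a rule."""
    return [(name, ev["id"]) for ev in events for name, rule in RULES.items() if rule(ev)]

# Constructed sample telemetry (not real logs); fields loosely mimic Sysmon/Security events.
SAMPLE_EVENTS = [
    {"id": 1, "type": "file_access", "image": r"C:\Windows\System32\lsass.exe",
     "path": r"C:\Windows\System32\config\SAM"},
    {"id": 2, "type": "file_access", "image": r"C:\Users\alice\unknown.exe",
     "path": "c:/windows/system32/config/SAM"},
    {"id": 3, "type": "process_create", "image": r"C:\Windows\System32\cmd.exe",
     "user": "NT AUTHORITY\\SYSTEM", "parent_user": "NT AUTHORITY\\SYSTEM"},
    {"id": 4, "type": "process_create", "image": r"C:\Windows\System32\powershell.exe",
     "user": "NT AUTHORITY\\SYSTEM", "parent_user": "DESKTOP\\alice"},
]

if __name__ == "__main__":
    print(scan(SAMPLE_EVENTS))
```

Only records 2 and 4 match: a SYSTEM shell whose parent is itself SYSTEM (record 3) is normal service behaviour and is not flagged.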
## References
- **BleepingComputer**: hxxps[://]www[.]bleepingcomputer[.]com/news/security/disgruntled-researcher-leaks-bluehammer-windows-zero-day-exploit/
- **Researcher Disclosure**: hxxps[://]deadeclipse666[.]blogspot[.]com/2026/04/public-disclosure[.]html
- **Analyst Commentary (Will Dormann)**: hxxps[://]infosec[.]exchange/@wdormann/116358064691025711