New Defender zero‑day: BlueHammer
A publicly disclosed, unpatched zero‑day affecting Microsoft Defender — nicknamed “BlueHammer” — has surfaced and been linked to leaked exploit details first shared in early April. Security outlets say the flaw remains unpatched ahead of Patch Tuesday and organisations are being urged to prioritise exposure checks and forthcoming updates. (ecosistemastartup.com) (helpnetsecurity.com)
BlueHammer is a newly public Windows zero-day that lets a low-privileged user turn local access into full SYSTEM control on machines running Microsoft Defender. (bleepingcomputer.com) Microsoft Defender updates its malware signatures automatically, and BlueHammer targets that update path rather than a phishing email or a browser bug. Researchers said the exploit abuses Defender’s signature-update mechanism to elevate privileges on fully patched Windows 11 systems. (learn.microsoft.com) (cyderes.com)

The proof-of-concept code was posted to GitHub on April 3, 2026, by a researcher using the names Chaotic Eclipse and Nightmare-Eclipse. Help Net Security reported the leak on April 8, and BleepingComputer said the exploit had no patch as of April 6. (helpnetsecurity.com) (bleepingcomputer.com)

In plain terms, this is a “local privilege escalation” flaw: an attacker already on the computer can use it to jump from ordinary user rights to the operating system’s highest level. Security Boulevard said the bug combines a time-of-check, time-of-use race condition with path confusion, and Will Dormann said the published exploit works. (securityboulevard.com) (helpnetsecurity.com) That matters on shared workstations, remote access servers, developer boxes, and any machine where an intruder can first land with a stolen password, malware, or a limited account. RH-ISAC said BlueHammer can expose the Security Account Manager database, which stores local password hashes, and help an attacker move to SYSTEM or elevated administrator rights. (rhisac.org)

The timing adds pressure: the flaw is still public and unpatched as of Sunday, April 12, 2026, two days before Microsoft’s next Patch Tuesday on April 14. Help Net Security flagged BlueHammer in its April 12 Patch Tuesday forecast, and multiple outlets said no Common Vulnerabilities and Exposures identifier had been assigned. (helpnetsecurity.com) (cyderes.com)

The dispute around disclosure is part of the story.
Dark Reading said Microsoft responded by saying it investigates reported security issues and supports coordinated vulnerability disclosure, while coverage from WinBuzzer and other outlets said the researcher published after a breakdown with Microsoft Security Response Center. (darkreading.com) (winbuzzer.com) Researchers also said Defender detections are not the same thing as a fix. Cyderes reported Microsoft pushed a signature that detects the original binary, but said a simple recompile bypassed that detection, leaving the underlying privilege-escalation technique intact. (cyderes.com) For defenders, the immediate work is less about antivirus scans and more about reducing who can run code locally, checking for unusual privilege changes, and preparing to test Microsoft’s next updates quickly. Until Microsoft ships a patch, BlueHammer remains a public recipe for turning a foothold into full control. (rhisac.org) (helpnetsecurity.com)