Windows Zero-Day Released
A researcher publicly released exploit code for an unpatched Windows local privilege-escalation flaw dubbed “BlueHammer,” which reportedly allows attackers to escalate to SYSTEM or admin rights. The leak came after what the researcher described as slow vendor response, and multiple outlets have confirmed the exploit works. (securityaffairs.com) (pcworld.com)
Windows has a lock on the front door and another one on the utility closet. BlueHammer is the kind of bug that starts with a user who already got inside and then hands them the master key. (pcworld.com) That kind of bug is called local privilege escalation. “Local” means the attacker already has code running on the machine, and “privilege escalation” means turning a low-privileged account into an administrator or the NT AUTHORITY\SYSTEM account that outranks almost everything else on Windows. (kudelskisecurity.com)

The NT AUTHORITY\SYSTEM account is Windows’ housekeeper, locksmith, and building manager rolled into one. If malware reaches that level, it can change protected files, create accounts, dump password material, and survive cleanup attempts that would remove ordinary malware. (kudelskisecurity.com)

BlueHammer reportedly does not smash through the Windows kernel with memory corruption. Researchers say it chains together normal Windows features so that Microsoft Defender’s own update workflow performs privileged actions on paths the attacker controls. (cyderes.com) One piece of that chain is a time-of-check to time-of-use race condition. That means Windows checks one file or path, then uses it a moment later, and an attacker wins if they swap the target during that tiny gap. (pcworld.com) (kudelskisecurity.com) Another piece is path confusion. In plain English, the system thinks it is walking to one room in the house, but symbolic links, junctions, or reparse points quietly redirect it to another room with more valuable files. (kudelskisecurity.com)

Researchers also describe BlueHammer using opportunistic locks and the Windows Cloud Files programming interface to freeze Defender at exactly the right step. That pause appears to leave a Volume Shadow Copy snapshot mounted long enough for normally locked registry files such as SAM, SYSTEM, and SECURITY to become reachable. (cyderes.com) Those registry hives matter because the SAM database stores local account data and password hashes. Cyderes says a successful run can read those files, decrypt NT LAN Manager password hashes, take over a local administrator account, and then launch a SYSTEM-level shell. (cyderes.com)

The news is that the exploit is no longer private. Multiple outlets reported on April 7 and April 8, 2026, that a researcher using the alias Chaotic Eclipse publicly released BlueHammer proof-of-concept code for an unpatched Windows flaw. (bleepingcomputer.com) (pcworld.com) (techrepublic.com) The dispute appears to have started in Microsoft’s vulnerability reporting process. Cyderes and other reports say the researcher became frustrated with the Microsoft Security Response Center after being asked for a video demonstration, and then published the code on GitHub on April 3, 2026, without a patch or a Common Vulnerabilities and Exposures identifier in place. (cyderes.com) (securityaffairs.com)

Independent researchers say the exploit works, which is the part defenders worry about most. BleepingComputer reported that Will Dormann confirmed the proof of concept was functional, while Kudelski Security described it as operationally viable even if timing makes exploitation imperfect. (bleepingcomputer.com) (kudelskisecurity.com)

Microsoft had not issued a patch as of April 8, 2026, according to the reporting and security write-ups available today. Microsoft told PCWorld it investigates reported security issues and supports coordinated vulnerability disclosure, but the company did not announce a fix in that statement. (pcworld.com) (cyderes.com) That leaves defenders in the awkward stage between disclosure and repair. Kudelski Security recommends least privilege, restricting local and interactive access, and monitoring Microsoft Defender update behavior, because BlueHammer still requires an attacker to run code as a low-privileged user before they can climb higher. (kudelskisecurity.com)

The immediate risk is not that BlueHammer jumps across the internet by itself. The risk is that it becomes the second move in an intrusion, where a phishing email, stolen account, or cheap initial foothold is followed by a fast jump to administrator or SYSTEM on a fully patched Windows machine. (kudelskisecurity.com) (techrepublic.com) BlueHammer is a reminder that modern attacks often win by choreographing trusted components instead of breaking one obvious thing. In this case, the reports point to Microsoft Defender, Volume Shadow Copy, file-system redirection, and timing tricks lining up just well enough to turn a routine update process into a privilege escalator. (cyderes.com) (kudelskisecurity.com)
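The two building blocks the reports describe, a time-of-check to time-of-use race and path confusion through links, are generic secure-coding failures, not something unique to Defender. The following is an added example written for this page, not code from the original article or from any of the cited researchers, and it has nothing to do with the BlueHammer exploit itself. It simulates, on a POSIX system in a temporary directory, a privileged service that validates a user-writable file and then opens it by name a moment later, with the "attacker" swapping the file for a symbolic link inside that gap. Beside it is the hardened form: open relative to an already-held directory handle, refuse to follow links on the final component, and validate the open handle rather than the name. All paths, file names and contents are constructed for the demonstration. The Windows analogue is opening relative to a directory handle and passing FILE_FLAG_OPEN_REPARSE_POINT so junctions and reparse points are seen rather than followed.

```python
"""Check-then-use (TOCTOU) beside an open-then-verify fix.

Added example, not from the original article. Everything lives in a temp
directory created here; no real system files are touched.
"""
import os
import stat
import tempfile


def setup_sandbox():
    """Construct the scenario: a 'spool' directory the low-privileged user
    controls, a benign file inside it, and a 'protected' file outside it that
    the privileged reader must never return."""
    root = tempfile.mkdtemp()
    spool = os.path.join(root, "spool")
    os.mkdir(spool)
    protected = os.path.join(root, "protected.txt")
    with open(protected, "w") as fh:
        fh.write("SECRET")          # constructed stand-in for a sensitive file
    benign = os.path.join(spool, "update.bin")
    with open(benign, "w") as fh:
        fh.write("benign")          # constructed stand-in for an update file
    return spool, protected, benign


def swap_to_symlink(benign, protected):
    """The attacker's move during the race window: replace the benign file
    with a symbolic link pointing at the protected one."""
    os.unlink(benign)
    os.symlink(protected, benign)


def vulnerable_read(path, between_check_and_use=None):
    """Check-then-use. The link check is done on the *name*; by the time the
    name is opened it may refer to something else entirely."""
    st = os.lstat(path)                      # time of check
    if stat.S_ISLNK(st.st_mode):
        raise PermissionError("refusing to follow a symlink")
    if between_check_and_use:
        between_check_and_use()              # the race window
    with open(path, "rb") as fh:             # time of use: re-resolves the name
        return fh.read()


def hardened_read(spool_fd, name, between_check_and_use=None):
    """Open-then-verify. The directory is an already-open handle, so its path
    cannot be redirected under us; O_NOFOLLOW makes a swapped-in symlink fail
    with ELOOP; and the regular-file check is done on the open descriptor."""
    if "/" in name or name in ("", ".", ".."):
        raise ValueError("a single path component is required")
    if between_check_and_use:
        between_check_and_use()              # attacker acts before the open
    fd = os.open(name, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC, dir_fd=spool_fd)
    with os.fdopen(fd, "rb") as fh:
        st = os.fstat(fh.fileno())           # check the object we actually opened
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError("not a regular file")
        return fh.read()


def demo():
    """Run both readers against the race and report what each returned."""
    out = {}

    spool, protected, benign = setup_sandbox()
    out["vulnerable"] = vulnerable_read(
        benign, lambda: swap_to_symlink(benign, protected))

    spool, protected, benign = setup_sandbox()
    spool_fd = os.open(spool, os.O_RDONLY | os.O_DIRECTORY)
    try:
        out["hardened_clean"] = hardened_read(spool_fd, "update.bin")
        try:
            hardened_read(spool_fd, "update.bin",
                          lambda: swap_to_symlink(benign, protected))
            out["hardened_raced"] = "LEAKED"
        except OSError:                      # ELOOP from O_NOFOLLOW, or our own check
            out["hardened_raced"] = "blocked"
    finally:
        os.close(spool_fd)
    return out


if __name__ == "__main__":
    print(demo())
```

The vulnerable reader passes its own link check and still hands back the protected contents, because the check and the open each resolve the name independently. The hardened reader is indifferent to what the attacker does in the window: the directory is pinned by a handle, the final component is opened without following links, and the type check runs on the descriptor. In a real privileged service the same pattern would also compare ownership of the opened object against the expected owner, since a hard link is not a symlink and would pass the type check.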