There is a new unpatched Windows local privilege escalation vulnerability in the wild this week — and unusually, it comes with a working proof-of-concept already published on GitHub.
The researcher behind it, operating under the alias "Chaotic Eclipse," disclosed BlueHammer on April 3rd, citing frustration with Microsoft’s security response process. The exploit has already attracted over 300 stars and 100+ forks on GitHub. Independent researchers have confirmed it works against fully patched Windows 10 and Windows 11 systems.
There is no patch. There is no CVE. And the clock is ticking.
What BlueHammer Does
BlueHammer is a local privilege escalation (LPE) exploit. It works by abusing the interaction between four legitimate, well-documented Windows components: Microsoft Defender’s update process, the Volume Shadow Copy Service (VSS), the Cloud Files API, and opportunistic locks.
The combination creates a time-of-check to time-of-use (TOCTOU) race condition and path confusion that allows a low-privileged local user to access the Security Account Manager (SAM) database — the file that stores NTLM password hashes for all local accounts on the machine.
With SAM access, an attacker can extract those hashes and, using a local administrator's hash, apply pass-the-hash techniques to run code as NT AUTHORITY\SYSTEM. Full machine compromise, from a standard local account, on a fully patched machine.
Researchers have confirmed reliable execution on Windows 10 and Windows 11 client systems. Behaviour on Windows Server editions has been inconsistent, but that should not be treated as a meaningful protection.
The Catch — And Why It Still Matters
BlueHammer requires local access. An unauthenticated remote attacker cannot simply point this at your network. The attacker needs to already be running code on the target machine as a low-privileged user.
That might sound reassuring. It is not.
Consider how attackers typically reach that point:
- A phishing email leads a user to run a malicious attachment
- A malicious browser extension quietly installs a payload (a pattern we covered recently)
- A compromised MSI installer drops a low-privilege implant
- A stolen credential gives access via remote desktop
In all of those scenarios, the attacker starts as a low-privileged user. Without BlueHammer, they are limited in what they can do next. With BlueHammer, they are SYSTEM in seconds — with access to every local credential hash on the machine.
Why Local Admin Rights Make This Worse
BlueHammer is specifically designed to bridge the gap between "logged in as a standard user" and SYSTEM. That gap is exactly what least privilege is supposed to maintain.
If your users already have local admin rights, that gap barely exists before BlueHammer. An attacker who lands on their machine already has most of what they need. BlueHammer is just a slight convenience on top of an already dangerous footing.
But if your users are standard users, BlueHammer is now the tool that closes that gap for an attacker — and that is a meaningful argument for not waiting any longer to move toward least privilege across your endpoints.
The current breakout time landscape — attackers moving from initial access to lateral movement in minutes — means every layer of friction matters. A standard user without BlueHammer can be contained. A standard user with BlueHammer can escalate to SYSTEM. A local admin was already the higher-value target before this exploit existed.
What You Can Do Right Now
There is no patch yet, and it is unclear when Microsoft will ship one. In the meantime:
- Monitor for VSS enumeration from user-space processes. Unexpected access to \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN device objects from processes that are not running as SYSTEM and are not part of your backup tooling is a direct behavioural fingerprint of BlueHammer-style activity. Legitimate use of that path outside system and backup tooling is rare, so it can be alerted on with little noise once your backup agents are allowlisted.
- Watch for unexpected Cloud Files sync root registrations from low-privileged accounts — another indicator the exploit chain may be in progress.
- Alert on low-privileged accounts spawning Windows services unexpectedly. This is a late-stage signal that escalation may already be underway.
- Audit who has local admin rights today. If you do not have a current, accurate picture of your local admin footprint, now is a good moment to get one.
- Prioritise removing local admin rights from accounts that do not need them. Against a standard user an attacker still has to execute BlueHammer, and that execution can be detected, so you have more time and more options than you would with a local admin.
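As an added example (not code from the original post, from the researcher, or from Elevator), the following PowerShell turns the first four points above into a single host-level triage script. It assumes it is run from an elevated prompt on a Windows 10/11 host with process-creation auditing (Security event 4688, with the command-line-in-process-creation policy enabled); the allowlists of system accounts, backup binaries and Cloud Files providers are assumptions to tune per environment, and the script reports on the behaviours described above rather than on any indicator specific to BlueHammer.

```powershell
# Added example, not from the original post: host triage for the behaviours
# described above. Assumes an elevated session and 4688 command-line auditing.
# All allowlists below are assumptions; adjust them to your environment.
param(
    [int]$HoursBack = 24,
    # Accounts that legitimately touch shadow copies or install services.
    [string[]]$SystemAccounts = @('SYSTEM', 'LOCAL SERVICE', 'NETWORK SERVICE'),
    # Backup/restore binaries allowed to reference shadow-copy device paths (assumption).
    [string[]]$AllowedShadowCopyImages = @('\System32\wbengine.exe', '\System32\vssadmin.exe'),
    # Cloud Files providers expected on this fleet (assumption).
    [string[]]$AllowedSyncProviders = @('OneDrive')
)

$since = (Get-Date).AddHours(-$HoursBack)

function Get-EventData {
    # Flatten the EventData section of a Windows event into a name -> value hashtable.
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

function Find-ShadowCopyAccessFromUserSpace {
    # Security 4688 (process creation): flag processes whose command line names a
    # shadow-copy device object, run by a non-system account, from a non-allowlisted image.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $d = Get-EventData $e
        if ($d['CommandLine'] -notmatch 'HarddiskVolumeShadowCopy') { continue }
        if ($SystemAccounts -contains $d['SubjectUserName']) { continue }
        if ($AllowedShadowCopyImages | Where-Object { $d['NewProcessName'] -like "*$_" }) { continue }
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Check   = 'ShadowCopyFromUserSpace'
            Account = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            Detail  = $d['CommandLine']
        }
    }
}

function Find-ServiceInstallsByNonSystemAccounts {
    # System 7045 (a service was installed): the record's UserId is the installing account.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $since } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        if ($null -eq $e.UserId) { $account = 'unknown' }
        else {
            try { $account = $e.UserId.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $account = $e.UserId.Value }
        }
        if ($SystemAccounts | Where-Object { $account -like "*\$_" }) { continue }
        $d = Get-EventData $e
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Check   = 'ServiceInstall'
            Account = $account
            Detail  = "$($d['ServiceName']) -> $($d['ImagePath'])"
        }
    }
}

function Find-UnexpectedSyncRoots {
    # Cloud Files sync roots are registered under SyncRootManager; the key name is
    # prefixed with the provider name. Flag providers outside the allowlist.
    $path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SyncRootManager'
    if (-not (Test-Path $path)) { return }
    foreach ($key in Get-ChildItem $path) {
        $provider = ($key.PSChildName -split '!')[0]
        if ($AllowedSyncProviders -contains $provider) { continue }
        $props = Get-ItemProperty $key.PSPath -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Time    = $null
            Check   = 'UnexpectedSyncRoot'
            Account = $key.PSChildName
            Detail  = $props.DisplayNameResource
        }
    }
}

function Get-LocalAdminFootprint {
    # Every member of the local Administrators group, including nested domain groups.
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        [pscustomobject]@{
            Time    = $null
            Check   = 'LocalAdmin'
            Account = $_.Name
            Detail  = "$($_.ObjectClass) / $($_.PrincipalSource)"
        }
    }
}

$findings = @(
    Find-ShadowCopyAccessFromUserSpace
    Find-ServiceInstallsByNonSystemAccounts
    Find-UnexpectedSyncRoots
    Get-LocalAdminFootprint
)
$findings | Sort-Object Check, Time | Format-Table -AutoSize
```

If 4688 command-line logging is not enabled, Sysmon event ID 1 carries the same CommandLine, Image and User fields and can be substituted in the first check; Security event 4697 is an alternative to System 7045 for service installs where Audit Security System Extension is on. The 'LocalAdmin' rows are not alerts, they are the footprint the audit point above asks you to establish.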
The Bigger Picture
BlueHammer is the latest in a consistent pattern. January’s Patch Tuesday included 58 Windows privilege escalation bugs. February had 25 more. CVE-2026-26117 showed how a Windows LPE could reach across into cloud identity. The attack surface for privilege escalation on Windows is large, active, and regularly producing new paths.
None of that means Windows is uniquely broken. It means least privilege is not a nice-to-have. Keeping users as standard users does not make BlueHammer disappear — but it forces attackers to execute it, which takes time, generates detectable signals, and gives defenders a window to act.
That window does not exist when users are already local admins.
Running Legacy Apps That Still Need Elevation?
If the thing standing between you and removing local admin rights is a handful of legacy or specialist applications that break without elevated permissions, that is exactly the problem Elevator is designed to solve.
Elevator is a lightweight Windows utility that elevates just the applications you approve — automatically and silently — while keeping your users as standard users everywhere else. No more "they need local admin for that one app." No more admin credentials typed into UAC prompts.

