Disgruntled researcher leaks “BlueHammer” Windows zero-day exploit

Summary

A disgruntled security researcher operating under aliases Chaotic Eclipse and Nightmare-Eclipse has publicly released exploit code for an unpatched Windows local privilege escalation flaw (BlueHammer) after expressing frustration with Microsoft's Security Response Center disclosure handling. The vulnerability combines TOCTOU and path confusion flaws, allowing local attackers to access the SAM database and escalate to SYSTEM privileges for complete machine compromise. While the PoC code contains bugs limiting reliability, the flaw remains unpatched and poses significant risk if attackers gain initial local access through social engineering, credential attacks, or other exploits.

Full text

Disgruntled researcher leaks “BlueHammer” Windows zero-day exploit By Bill Toulas April 6, 2026 03:19 PM 0 Exploit code has been released for an unpatched Windows privilege escalation flaw reported privately to Microsoft, allowing attackers to gain SYSTEM or elevated administrator permissions. Dubbed BlueHammer, the vulnerability was published by a security researcher discontent with how Microsoft’s Security Response Center (MSRC) handled the disclosure process. Since, the security issue has no official patch and there is no update to address it, the flaw is considered a zero-day by Microsoft's definition. It is unclear what triggered the public release of the exploit code. In a short post under the alias Chaotic Eclipse, the researcher says "I was not bluffing Microsoft, and I'm doing it again." “Unlike previous times, I'm not explaining how this works; y'all geniuses can figure it out. Also, huge thanks to MSRC leadership for making this possible,” the researcher added. On April 3rd, Chaotic Eclipse published a GitHub repository for the BlueHammer vulnerability exploit under the alias Nightmare-Eclipse, expressing disbelief and frustration at how Microsoft decided to address the security issue. "I'm just really wondering what was the math behind their decision, like you knew this was going to happen and you still did whatever you did ? Are they serious ?" The researcher also noted that the proof-of-concept (PoC) code contains bugs that may prevent it from working reliably. Will Dormann, principal vulnerability analyst at Tharros (formerly Analygence), confirmed to BleepingComputer that the BlueHammer exploit works, saying that the flaw is a local privilege escalation (LPE) that combines a TOCTOU (time-of-check to time-of-use) and a path confusion. He explained that the issue is not easy to exploit and that it gives a local attacker access to the Security Account Manager (SAM) database, which contains password hashes for local accounts. Given this access, attackers can escalate to SYSTEM privileges and potentially achieve complete machine compromise. “At that point, [the attackers] basically own the system, and can do things like spawn a SYSTEM-privileged shell,” Dormann told BleepingComputer. Exploit demoSource: Will Dormann Some researchers testing the exploit confirmed that the code was not successful on Windows Server, confirming Chaotic Eclipse's statement that there are bugs that may prevent it from working properly. Will Dormann added that on the Server platform, the BlueHammer exploit increases permissions from non-admin to elevated administrator, a protection that requires the user to temporarily authorize an operation that needs full access to the system. While the reason behind Chaotic Eclipse/Nightmare-Eclipse's disclosure remains uncertain, Dormann notes that one requirement from MSRC when submitting a vulnerability is to provide a video of the exploit. Although this may help Microsoft sift through reported vulnerabilities more easily, it adds to the effort of submitting a valid report. Despite BlueHammer requiring a local attacker to exploit it, the risk it poses is still significant, as hackers can gain local access through a variety of vectors, including social engineering, leveraging other software vulnerabilities, or through credential-based attacks. BleepingComputer has contacted Microsoft for a comment on the BlueHammer flaw, but we did not receive a response by publication time. Automated Pentesting Covers Only 1 of 6 Surfaces. Automated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the other.This whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic questions for any tool evaluation. Get Your Copy Now Related Articles: Microsoft March 2026 Patch Tuesday fixes 2 zero-days, 79 flawsMicrosoft February 2026 Patch Tuesday fixes 6 zero-days, 58 flawsTelegram channels expose rapid weaponization of SmarterMail flawsGoogle says 90 zero-days were exploited in attacks last yearAction1 vs. Microsoft WSUS: A Better Approach to Modern Patch Management

Indicators of Compromise

• malware — BlueHammer

Entities