BlueHammer Windows LPE Zero-Day Gives Attackers SYSTEM Access — No Patch Available

A publicly disclosed zero-day local privilege escalation vulnerability in Windows Defender's signature-update mechanism allows any authenticated user to escalate to SYSTEM. Named BlueHammer by researchers at Cyderes, the flaw has a working public exploit and no Microsoft patch as of publication. Security teams should implement interim mitigations immediately.

#windows #zero-day #privilege-escalation #lpe #windows-defender #microsoft #toctou #unpatched #bluehammer

A zero-day local privilege escalation vulnerability in Microsoft Windows — publicly disclosed on 3 April 2026 and named BlueHammer by the Cyderes research team — gives any authenticated user a reliable path to SYSTEM-level privileges. As of 10 April 2026, Microsoft has not released a patch. A working public exploit is available on GitHub, and active exploitation attempts have been observed in the wild by multiple threat intelligence teams monitoring post-compromise activity in enterprise environments.

The Vulnerability

BlueHammer exploits a time-of-check to time-of-use (TOCTOU) race condition combined with a path-confusion issue in the Windows Defender antimalware signature-update mechanism. During the signature update process, the Windows Defender service writes temporary update packages to a predictable staging path before moving them to their final destination. By precisely timing a file system operation to substitute the temporary file between check and use, an attacker can redirect the update mechanism to load an attacker-controlled DLL under the security context of the Defender service — which runs as SYSTEM.

The attack chain proceeds in three stages. First, the attacker triggers a Defender signature update (which can be done by any authenticated user via the standard update command or WMI). Second, they exploit the race condition to substitute the temporary staging file with a crafted payload. Third, the Defender service loads and executes the malicious DLL with SYSTEM privileges. From this SYSTEM shell, the attacker can access the Security Account Manager (SAM) database directly, dump NTLM credential hashes, and perform pass-the-hash attacks to establish persistence or move laterally.

Cyderes researchers note that the TOCTOU window, while narrow, is reliably exploitable on modern hardware because the timing of the Defender update scheduler is predictable. More concerning: the public exploit can be rebuilt with minimal changes, meaning detection signatures targeting the proof-of-concept tool can be circumvented by threat actors within hours of a new signature release.

Affected Systems

BlueHammer affects Windows 10 (all supported editions), Windows 11 (all editions), and Windows Server 2016, 2019, and 2022. Windows Server 2012 R2 in extended security update status may also be affected. The vulnerability requires only an authenticated local user account — no elevated privileges are needed to trigger the exploit. In practice, the attack is most effective as a post-exploitation step following initial access via phishing, credential stuffing, or web-application compromise.

Current Exploitation Activity

Security operations centres began observing exploitation attempts as early as 5 April 2026, two days after the initial public disclosure. The observed pattern is consistent with post-exploitation use: attackers with low-privilege footholds use BlueHammer to escalate to SYSTEM before dumping credentials and moving laterally. Cyderes and SC World have documented two confirmed incidents where BlueHammer preceded ransomware precursor activity — specifically, the mass credential collection phase that typically occurs 24–72 hours before encryption is deployed.

The public exploit code is fully weaponised and requires no modification to operate against unpatched systems, substantially lowering the barrier for criminal groups beyond the sophisticated threat actors typically capable of weaponising zero-days independently.

Detection and Mitigation

  • Monitor for Defender signature update anomalies. Alert on unexpected file writes to the Windows Defender temporary update staging path from processes other than MsMpEng.exe or the Windows Update service. This is the most direct detection signal for BlueHammer exploitation attempts.
  • Alert on abnormal child processes from MsMpEng.exe. Any process spawned by the Windows Defender engine with SYSTEM privileges outside of the expected update and scan behaviour warrants immediate investigation.
  • Review SAM access events. Alert on any process other than LSASS reading C:\Windows\System32\config\SAM outside of domain backup operations. Direct SAM reads are a high-confidence indicator of credential theft.
  • Apply the patch immediately upon release. Track the Microsoft Security Response Center for CVE assignment and advisory publication. Given active exploitation, an out-of-band patch is likely.
  • Consider Controlled Folder Access as a compensating control to limit DLL write access to sensitive system directories pending the patch. This does not fully mitigate the vulnerability but raises the exploitation complexity.
  • Implement LAPS or privileged access workstations in environments where local NTLM hash theft poses a lateral movement risk — BlueHammer's SAM access is most valuable to attackers where local administrator hashes are reused across systems.
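To make the first three detection signals concrete, the following is an added example (not code from the article, Cyderes or Microsoft) that evaluates those rules over constructed Sysmon and Security-log events. The staging directory, the MsMpEng.exe install path, the event field names used for normalisation and the allowlists are placeholders or assumptions, since the advisory does not publish them.

```python
from typing import Any, Dict, Iterable, List, Optional, Set, Tuple

# Placeholder: the advisory does not publish the real staging directory.
DEFENDER_STAGING_DIR = r"C:\PLACEHOLDER\Defender\Staging"
SAM_PATH = r"C:\Windows\System32\config\SAM"
# Assumed allowlists; baseline them in your own estate before deploying.
TRUSTED_STAGING_WRITERS = {"msmpeng.exe", "svchost.exe"}  # Defender engine, Windows Update host
EXPECTED_MSMPENG_CHILDREN: Set[str] = set()                # none seen in the assumed baseline
ALLOWED_SAM_READERS = {"lsass.exe"}                        # add backup agents only after review

def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def evaluate(ev: Dict[str, Any]) -> Optional[str]:
    """Return an alert name for one normalised event, or None if it fits the baseline."""
    src, eid, image = ev["source"], ev["id"], _basename(ev.get("Image", ""))
    # Rule 1: Sysmon 11 (FileCreate) into the staging path by an untrusted writer.
    if src == "sysmon" and eid == 11 and ev["TargetFilename"].lower().startswith(DEFENDER_STAGING_DIR.lower() + "\\"):
        if image not in TRUSTED_STAGING_WRITERS:
            return "defender-staging-write"
    # Rule 2: Sysmon 1 (ProcessCreate) whose parent is the Defender engine.
    if src == "sysmon" and eid == 1 and _basename(ev["ParentImage"]) == "msmpeng.exe":
        if image not in EXPECTED_MSMPENG_CHILDREN:
            return "msmpeng-child-process"
    # Rule 3: Security 4663 (object access) on the SAM hive by anything but LSASS.
    if src == "security" and eid == 4663 and ev["ObjectName"].lower() == SAM_PATH.lower():
        if _basename(ev["ProcessName"]) not in ALLOWED_SAM_READERS:
            return "sam-direct-read"
    return None

def scan(events: Iterable[Dict[str, Any]]) -> List[Tuple[str, str]]:
    """Return (alert, offending process) pairs for every event that fires a rule."""
    hits = []
    for ev in events:
        alert = evaluate(ev)
        if alert:
            hits.append((alert, ev.get("Image") or ev["ProcessName"]))
    return hits

# Constructed sample telemetry (not real IoCs): a benign and a suspicious event per rule.
ENGINE = r"C:\PLACEHOLDER\Defender\Platform\MsMpEng.exe"
USER_TOOL = r"C:\Users\alice\AppData\Local\Temp\tool.exe"
SAMPLE_EVENTS = [
    {"source": "sysmon", "id": 11, "Image": ENGINE, "TargetFilename": DEFENDER_STAGING_DIR + r"\update.tmp"},
    {"source": "sysmon", "id": 11, "Image": USER_TOOL, "TargetFilename": DEFENDER_STAGING_DIR + r"\update.tmp"},
    {"source": "sysmon", "id": 1, "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": ENGINE},
    {"source": "security", "id": 4663, "ProcessName": r"C:\Windows\System32\lsass.exe", "ObjectName": SAM_PATH},
    {"source": "security", "id": 4663, "ProcessName": USER_TOOL, "ObjectName": SAM_PATH},
]
```

Running `scan(SAMPLE_EVENTS)` fires one alert per suspicious event and none for the Defender engine's own staging write or for LSASS reading the SAM hive; tune the allowlists against a real baseline before wiring the rules into a SIEM.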