Exploit code has been released for an unpatched Windows privilege escalation flaw reported privately to **Microsoft**, allowing attackers to gain SYSTEM or elevated administrator permissions. # BlueHammer: An Unpatched Windows Zero-Day Dubbed **BlueHammer**, the vulnerability was published by a security researcher discontent with how **Microsoft’s Security Response Center (MSRC)** handled the disclosure process. Since the security issue has no official patch and there is no update to address it, the flaw is considered a zero-day by **Microsoft's** definition. It is unclear what triggered the public release of the exploit code. In a short post under the alias Chaotic Eclipse, the researcher says "I was not bluffing Microsoft, and I'm doing it again." “Unlike previous times, I'm not explaining how this works; y'all geniuses can figure it out. Also, huge thanks to MSRC leadership for making this possible,” the researcher added. # Public Disclosure on GitHub On April 3rd, Chaotic Eclipse published a GitHub repository for the **BlueHammer** vulnerability exploit under the alias Nightmare-Eclipse, expressing disbelief and frustration at how **Microsoft** decided to address the security issue. "I'm just really wondering what was the math behind their decision, like you knew this was going to happen and you still did whatever you did ? Are they serious ?" The researcher also noted that the proof-of-concept (PoC) code contains bugs that may prevent it from working reliably. # Technical Analysis of the Exploit Will Dormann, principal vulnerability analyst at Tharros (formerly Analygence), confirmed to BleepingComputer that the **BlueHammer** exploit works, saying that the flaw is a local privilege escalation (LPE) that combines a TOCTOU (time-of-check to time-of-use) and a path confusion. He explained that the issue is not easy to exploit and that it gives a local attacker access to the Security Account Manager (SAM) database, which contains password hashes for local accounts. Given this access, attackers can escalate to SYSTEM privileges and potentially achieve complete machine compromise. “At that point, [the attackers] basically own the system, and can do things like spawn a SYSTEM-privileged shell,” Dormann told BleepingComputer.  Some researchers testing the exploit confirmed that the code was not successful on Windows Server, confirming Chaotic Eclipse's statement that there are bugs that may prevent it from working properly. Will Dormann added that on the Server platform, the **BlueHammer** exploit increases permissions from non-admin to elevated administrator, a protection that requires the user to temporarily authorize an operation that needs full access to the system. # MSRC's Vulnerability Reporting Process While the reason behind Chaotic Eclipse/Nightmare-Eclipse's disclosure remains uncertain, Dormann notes that one requirement from **MSRC** when submitting a vulnerability is to provide a video of the exploit. Although this may help **Microsoft** sift through reported vulnerabilities more easily, it adds to the effort of submitting a valid report. # Mitigation and Risk Despite **BlueHammer** requiring a local attacker to exploit it, the risk it poses is still significant, as hackers can gain local access through a variety of vectors, including social engineering, leveraging other software vulnerabilities, or through credential-based attacks. BleepingComputer has contacted **Microsoft** for a comment on the **BlueHammer** flaw, and a spokesperson sent us the below statement: "Microsoft has a customer commitment to investigate reported security issues and update impacted devices to protect customers as soon as possible. We also support coordinated vulnerability disclosure, a widely adopted industry practice that helps ensure issues are carefully investigated and addressed before public disclosure, supporting both customer protection and the security research community." – a Microsoft spokesperson *Article updated on 4/7 to add Microsoft comment*