Unpatched Windows zero-day "BlueHammer" leaked after researcher's dispute with Microsoft - exploit code public, no fix available
A frustrated security researcher published working exploit code for an unpatched Windows local privilege escalation flaw after Microsoft's Security Response Center mishandled the disclosure. The researcher, posting as Chaotic Eclipse, dropped the proof-of-concept on GitHub on April 3 with the message "I was not bluffing Microsoft." Will Dormann of Tharsos confirmed the exploit works - it combines a TOCTOU race condition with path confusion to access the SAM database containing local account password hashes, enabling escalation to SYSTEM privileges. The exploit is confirmed working on Windows desktop but unreliable on Windows Server. The researcher deliberately included bugs in the PoC, but the underlying technique is now public and weaponizable.
- Check: Assess your Windows endpoint fleet's exposure. This is a local privilege escalation - it requires an attacker to already have local access, making it a post-compromise escalation tool rather than an initial-access vector.
- Affected: Windows desktop systems (Windows 10, Windows 11). Windows Server appears less affected - testing shows the exploit is unreliable on Server editions. No CVE has been assigned yet.
- Fix: No patch available - this is an unpatched zero-day. Mitigate by restricting local user permissions to the minimum necessary, monitoring EDR for unusual privilege escalation and SAM database access attempts, and hardening against the initial access vectors (phishing, stolen credentials) that would give attackers the local foothold they need. Watch for a Microsoft patch in an upcoming Patch Tuesday or out-of-band update.
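One way to turn the "monitor for SAM database access attempts" advice into a concrete check, as an added example that is not part of the original report: a small Python rule that reads flattened Windows Security Event ID 4663 (object access) records and flags any open of the SAM hive file or registry key outside an assumed lsass/SYSTEM baseline. The `Key=Value;` record format, the baseline pairs and the sample events are constructed for illustration; 4663 records are only generated when Object Access auditing is enabled and the SAM carries a SACL.

```python
import re
from typing import Dict, List

# 4663 ("An attempt was made to access an object") is only logged when Object Access
# auditing is enabled and the SAM hive file / registry key carries a SACL.
SAM_OBJECT_RE = re.compile(
    r"\\Windows\\System32\\config\\SAM(\.LOG\d*)?$|\\REGISTRY\\MACHINE\\SAM\\SAM",
    re.IGNORECASE,  # hive file (+ .LOG transaction files) or the mounted registry key
)
# Assumed baseline of legitimate (subject, process) readers; tune per environment.
EXPECTED_ACCESS = {("NT AUTHORITY\\SYSTEM", r"C:\Windows\System32\lsass.exe")}

def parse_event(line: str) -> Dict[str, str]:
    """Parse one flattened 'Key=Value;' record (a constructed export format)."""
    fields = {}
    for pair in line.split(";"):
        if "=" in pair:
            key, value = pair.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields

def is_suspicious_sam_access(ev: Dict[str, str]) -> bool:
    """True when a 4663 record shows the SAM opened outside the expected baseline."""
    if ev.get("EventID") != "4663":
        return False
    if not SAM_OBJECT_RE.search(ev.get("ObjectName", "")):
        return False
    subject = f"{ev.get('SubjectDomainName', '')}\\{ev.get('SubjectUserName', '')}"
    return (subject, ev.get("ProcessName", "")) not in EXPECTED_ACCESS

def find_suspicious(lines) -> List[Dict[str, str]]:
    return [ev for ev in map(parse_event, lines) if is_suspicious_sam_access(ev)]

# Constructed sample records, not real telemetry: lsass baseline (ignored), a user
# process and an unexpected SYSTEM process opening the hive (flagged), ordinary file I/O.
SAMPLE_EVENTS = [
    "EventID=4663;SubjectDomainName=NT AUTHORITY;SubjectUserName=SYSTEM;"
    "ObjectName=\\REGISTRY\\MACHINE\\SAM\\SAM\\Domains\\Account;ProcessName=C:\\Windows\\System32\\lsass.exe",
    "EventID=4663;SubjectDomainName=WORKSTATION;SubjectUserName=alice;"
    "ObjectName=C:\\Windows\\System32\\config\\SAM;ProcessName=C:\\Users\\alice\\AppData\\Local\\Temp\\tool.exe",
    "EventID=4663;SubjectDomainName=NT AUTHORITY;SubjectUserName=SYSTEM;"
    "ObjectName=C:\\Windows\\System32\\config\\SAM.LOG1;ProcessName=C:\\Windows\\Temp\\updater.exe",
    "EventID=4663;SubjectDomainName=WORKSTATION;SubjectUserName=alice;"
    "ObjectName=C:\\Users\\alice\\notes.txt;ProcessName=C:\\Windows\\System32\\notepad.exe",
]

if __name__ == "__main__":
    for ev in find_suspicious(SAMPLE_EVENTS):
        print(f"ALERT {ev['SubjectUserName']} via {ev['ProcessName']} -> {ev['ObjectName']}")
```

The baseline is keyed on the (subject, process) pair on purpose: a SYSTEM-level read from an unexpected binary is exactly what a successful escalation looks like, so SYSTEM alone is not enough to suppress an alert.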