Windows BlueHammer Zero-Day Lets Attackers Gain SYSTEM Access

Dangerous, but an attacker needs local access to trigger the exploit



Microsoft is dealing with a newly disclosed zero-day vulnerability in Windows that could allow attackers to gain full system control, with no official fix available yet.

The flaw, called BlueHammer, combines multiple techniques to bypass security protections and escalate privileges to the highest level on affected systems.

BlueHammer zero-day exposes Windows systems to SYSTEM-level attacks

According to Bleeping Computer, BlueHammer is a Local Privilege Escalation (LPE) flaw that chains time-of-check to time-of-use (TOCTOU) race conditions with path confusion bugs.

The exploit was discovered and publicly released by security researcher Chaotic Eclipse, who cited frustration with Microsoft's handling of the disclosure as the reason for publishing proof-of-concept code on GitHub.

The exploit allows access to password hashes and full system control

If it runs successfully, the exploit can read the Security Account Manager (SAM) database, exposing the password hashes of local accounts, and escalate privileges to SYSTEM.

At that point, attackers can run commands with the highest privileges, effectively taking full control of the compromised machine.

Not remote, but still dangerous in real-world attacks

The vulnerability requires local access first: an attacker must already be able to run code on the target machine, typically after gaining a foothold through phishing, social engineering, or stolen credentials.

Even so, once access is gained, BlueHammer can be used to quickly escalate privileges and deepen the compromise.

The proof-of-concept is not entirely reliable and fails in some scenarios, but it still demonstrates a viable attack path.

Behavior varies between Windows and Windows Server

Testing shows that the exploit works more reliably on standard Windows systems, where it can achieve full SYSTEM-level access.

On Windows Server, the same exploit may only elevate privileges to local administrator rather than to SYSTEM.

Microsoft is investigating as a public exploit spreads

Microsoft has acknowledged the issue and confirmed it is investigating the vulnerability, while also reiterating its stance on coordinated disclosure practices.

At the time of writing, no patch or official mitigation has been released.

In other security developments, Microsoft recently warned users about Medusa ransomware activity, while attackers have also been distributing malware on GitHub disguised as leaked Anthropic Claude code. Meanwhile, Google has already moved quickly to patch a separate Chrome zero-day vulnerability.
