Brunswick, ME • (207) 245-1010 • contact@johnzblack.com
There’s a working Windows privilege escalation exploit on GitHub right now. No patch. No CVE. No timeline from Microsoft.
A researcher going by “Chaotic Eclipse” published proof-of-concept code on April 3 for a vulnerability called BlueHammer. It combines a race condition with a path confusion bug to access the Windows SAM database, where local password hashes live. From there, it’s a straight shot to SYSTEM on Windows 10 and 11. On Server, it tops out at elevated admin, which is still not great.
The researcher’s frustration with Microsoft is barely concealed: “I was not bluffing Microsoft, and I’m doing it again.” And then the twist: “huge thanks to MSRC leadership for making this possible.”
Will Dormann, one of the most trusted vulnerability analysts in the business, confirmed it works. His take: not easy to exploit, but real. The PoC has bugs that may keep it from firing reliably right now. But “buggy but real” has a way of becoming “reliable” once enough people start poking at it.
Local privilege escalation is the workhorse of post-compromise operations. Ransomware operators, APT groups, opportunistic criminals: they all need to get from a low-privilege foothold to SYSTEM. A public, unpatched LPE for the most widely deployed desktop OS on earth is a gift to every one of them.
Monitor MSRC for an emergency advisory. Look for unusual SAM access patterns on your endpoints.
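One way to act on that second piece of advice, as an added example that is not from this post: a Python check that flags Security-log event 4663 (object access) records touching the SAM hive, whether as the config\SAM file under any path spelling or as the HKLM\SAM registry key, from anything other than an assumed SYSTEM-via-lsass.exe pair. The sample records, the allow-list and the process names are constructed assumptions.

```python
import re

# Constructed Security-log records (EventID 4663, "An attempt was made to access
# an object"), reduced to the fields the check needs. Not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 4663, "SubjectDomainName": "NT AUTHORITY", "SubjectUserName": "SYSTEM",
     "ObjectName": r"\Device\HarddiskVolume2\Windows\System32\config\SAM",
     "ProcessName": r"C:\Windows\System32\lsass.exe"},
    {"EventID": 4663, "SubjectDomainName": "LAB", "SubjectUserName": "alice",
     "ObjectName": r"\\?\C:\Windows\System32\Config\SAM",
     "ProcessName": r"C:\Users\alice\Downloads\poc.exe"},
    {"EventID": 4663, "SubjectDomainName": "LAB", "SubjectUserName": "alice",
     "ObjectName": r"\REGISTRY\MACHINE\SAM\SAM\Domains\Account",
     "ProcessName": r"C:\Windows\System32\reg.exe"},
    {"EventID": 4663, "SubjectDomainName": "LAB", "SubjectUserName": "alice",
     "ObjectName": r"C:\Users\alice\notes.txt",
     "ProcessName": r"C:\Windows\System32\notepad.exe"},
]

# The SAM hive as a file (matched by suffix, so volume/device spellings do not
# matter) or as a registry key.
SAM_PATTERNS = (re.compile(r"\\system32\\config\\sam$"),
                re.compile(r"^\\registry\\machine\\sam(\\|$)"))
# Assumed allow-list: the one subject/process pair expected to read the SAM on a
# workstation. Tune to the environment before relying on it.
EXPECTED = {("nt authority\\system", "\\windows\\system32\\lsass.exe")}

def normalise(path: str) -> str:
    """Lower-case and drop the extended-length prefix and drive letter so variants compare equal."""
    p = path.lower()
    if p.startswith("\\\\?\\"):
        p = p[4:]
    return re.sub(r"^[a-z]:", "", p)

def is_sam_object(object_name: str) -> bool:
    n = normalise(object_name)
    return any(pat.search(n) for pat in SAM_PATTERNS)

def suspicious_sam_access(events):
    """Return the 4663 records that reach the SAM from outside the expected pair."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4663 or not is_sam_object(ev.get("ObjectName", "")):
            continue
        subject = f'{ev.get("SubjectDomainName", "")}\\{ev.get("SubjectUserName", "")}'.lower()
        if (subject, normalise(ev.get("ProcessName", ""))) in EXPECTED:
            continue
        hits.append(ev)
    return hits

if __name__ == "__main__":
    for ev in suspicious_sam_access(SAMPLE_EVENTS):
        print(f'{ev["SubjectDomainName"]}\\{ev["SubjectUserName"]} via {ev["ProcessName"]} -> {ev["ObjectName"]}')
```

Event 4663 is only written when object-access auditing is enabled and a SACL is set on the SAM file and key, so the check is only as good as the audit policy feeding it.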