Researcher Released Windows Defender 0-Day Exploit Code, Allowing Attackers to Gain Full Access

A security researcher operating under the alias Chaotic Eclipse (@ChaoticEclipse0) has publicly dropped a working zero-day local privilege escalation (LPE) exploit for Windows, dubbed BlueHammer, along with full proof-of-concept (PoC) source code on GitHub.

The disclosure was confirmed by vulnerability researcher Will Dormann, who noted that the exploit works and that Microsoft’s own security response process may have directly caused this uncoordinated release.

BlueHammer is a Windows zero-day LPE exploit that allows a low-privileged local user to escalate their access to NT AUTHORITYSYSTEM the highest privilege level on a Windows machine.

A screenshot shared alongside the disclosure dramatically demonstrates the impact: a command prompt launched from C:UserslimitedDownloads> — clearly a restricted user account — achieves a full SYSTEM shell within seconds, with whoami confirming nt authoritysystem.

The exploit output also reveals credential-harvesting capabilities, displaying NTLM password hashes for local accounts, including an administrative user with IsAdmin: TRUE, and confirmations of SYSTEMShell: OK, Shell: OK, and PasswordRestore: OK.

The compromised system is running Windows 11 (Build 10.0.26200.8037), indicating the vulnerability affects modern, fully updated Windows installations.

The researcher cited frustration with Microsoft’s Security Response Center (MSRC) as the primary motivation behind the uncoordinated public disclosure.

According to Chaotic Eclipse, MSRC’s quality has significantly deteriorated in recent years, attributing the decline to Microsoft laying off experienced security personnel and replacing them with staff who follow rigid procedural flowcharts rather than exercising informed judgment.

A particularly pointed detail in the disclosure: MSRC reportedly required the researcher to submit a video demonstration of the exploit as part of the vulnerability reporting process, a requirement that many in the security community have found unusual and demanding.

The researcher suggests this demand may have been a deliberate friction point that ultimately led to the case being closed or stalled without resolution.

This type of disclosure, sometimes called a full drop or uncoordinated disclosure, is increasingly common when researchers feel their reports are being dismissed or mishandled by vendors. It places immediate pressure on the vendor to act, but also puts users at risk before a fix is available.

Chaotic Eclipse noted that the exploit does not work with 100% reliability, but acknowledged it functions “well enough” to be operationally useful. In the hands of a skilled threat actor, even a partially reliable LPE exploit can be refined and weaponized.

Ransomware groups and APT actors frequently integrate publicly released PoC code into their toolkits within days of disclosure.

Mitigations

Until Microsoft issues an official patch or mitigation advisory, security teams should take the following precautionary steps:

• Monitor endpoint detection and response (EDR) tools for unusual privilege escalation activity
• Restrict local user permissions to the minimum required for operations
• Apply enhanced logging on Windows systems to detect anomalous SYSTEM-level process spawning
• Watch for a Microsoft Security Update or advisory addressing the BlueHammer vulnerability

Microsoft has not yet issued a public statement or CVE assignment for this vulnerability at the time of publication.

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.