BlueHammer is an unpatched zero-day in Windows Defender that lets a low-privileged local user escalate to NT AUTHORITY\SYSTEM without any kernel exploit or memory corruption. No CVE has been assigned. No patch exists as of April 2026.
Vulnerability Name: BlueHammer
Status: Unpatched zero-day
Affected: Windows 10, Windows 11
CVE: None assigned
Discovered by: Cyderes Howler Cell (April 7, 2026)
How It Works
The flaw is a TOCTOU (time-of-check to time-of-use) race condition in how Defender, the Volume Shadow Copy Service (VSS), Cloud Files callbacks, and opportunistic locks (oplocks) interact.
Defender creates and exposes a VSS snapshot before it finishes the operation and before it holds exclusive control. An attacker with local access freezes Defender at that moment using Cloud Files APIs and oplocks, then reads the normally locked SAM, SYSTEM, and SECURITY registry hives from the shadow copy. Those hives contain local account password hashes.
Defender ships a detection signature (Exploit:Win32/DfndrPEBluHmr.BB), but a signature does not address the underlying architectural flaw. A proof-of-concept is publicly available on GitHub.
What You Can Do Now
No patch is available. Mitigate with detection and least privilege hardening.
Enforce least privilege. Restrict user access to Cloud Files APIs and VSS interfaces. Standard users don't need either.
Monitor for these behaviors:
- VSS enumeration from non-system processes: alert on NtQueryDirectoryObject targeting HarddiskVolumeShadowCopy* from user-space processes
- CfRegisterSyncRoot calls from processes outside known sync tools (OneDrive, Dropbox, Box)
- Low-privileged processes calling CreateService or acquiring SYSTEM-integrity tokens
- Event IDs 4723/4724 (local Administrator password changes) firing in rapid succession
These are high-confidence indicators. VSS enumeration from user-space has no legitimate use outside backup tools.
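As an added illustration (not code from the original post, from Cyderes, or from Microsoft), the four indicators above can be expressed as detection logic and run over endpoint telemetry. The block below does that against a handful of constructed sample records. The record layout (`ts`, `api`, `process`, `integrity`, `object`, `event_id`, `target`), the sync-tool allowlist, and the 60-second / three-event burst threshold are assumptions chosen for the demonstration, not values the post specifies; the sample records are made up and are not real log output.

```python
"""Detection rules for the BlueHammer indicators, run over constructed telemetry.

Assumed record shape (not from the original post):
  API-level records (EDR style): ts, api, process, integrity, optional object
  Security-log records:          ts, event_id, target
"""
import ntpath
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed allowlist of sync clients whose CfRegisterSyncRoot calls are expected.
SYNC_ROOT_ALLOWLIST = {"onedrive.exe", "dropbox.exe", "box.exe"}
# Integrity levels treated as "low-privileged" for the CreateService rule.
LOW_PRIV_INTEGRITY = {"Untrusted", "Low", "Medium"}
SHADOW_COPY_PREFIX = r"\Device\HarddiskVolumeShadowCopy"  # mirrors HarddiskVolumeShadowCopy*


def _ts(rec):
    return datetime.fromisoformat(rec["ts"])


def shadow_copy_enum_from_user_space(events):
    """Rule 1: NtQueryDirectoryObject against a shadow-copy device by a non-SYSTEM process."""
    return [e for e in events
            if e.get("api") == "NtQueryDirectoryObject"
            and e.get("object", "").startswith(SHADOW_COPY_PREFIX)
            and e.get("integrity") != "System"]


def sync_root_from_unknown_process(events):
    """Rule 2: CfRegisterSyncRoot from a process that is not a known sync client."""
    return [e for e in events
            if e.get("api") == "CfRegisterSyncRoot"
            and ntpath.basename(e.get("process", "")).lower() not in SYNC_ROOT_ALLOWLIST]


def createservice_from_low_integrity(events):
    """Rule 3: CreateService called from a low-privileged (non-elevated) process."""
    return [e for e in events
            if e.get("api") == "CreateService" and e.get("integrity") in LOW_PRIV_INTEGRITY]


def password_change_bursts(events, window=timedelta(seconds=60), threshold=3):
    """Rule 4: `threshold` or more 4723/4724 events for one account inside `window`."""
    per_target = defaultdict(list)
    for e in sorted(events, key=_ts):
        if e.get("event_id") in (4723, 4724):
            per_target[e["target"]].append(_ts(e))
    bursts = []
    for target, times in per_target.items():
        recent = deque()  # sliding window of timestamps within `window` of the newest
        for t in times:
            recent.append(t)
            while t - recent[0] > window:
                recent.popleft()
            if len(recent) >= threshold:
                bursts.append({"target": target, "count": len(recent),
                               "first": recent[0], "last": t})
                break  # one alert per account is enough
    return bursts


def run_detections(events):
    """Run all four rules and return their hits keyed by rule name."""
    return {
        "shadow_copy_enum": shadow_copy_enum_from_user_space(events),
        "unknown_sync_root": sync_root_from_unknown_process(events),
        "low_priv_createservice": createservice_from_low_integrity(events),
        "password_bursts": password_change_bursts(events),
    }


# Constructed sample telemetry for the demonstration; not captured from a real host.
SAMPLE_EVENTS = [
    # Backup engine enumerating the shadow copy as SYSTEM: expected, no alert.
    {"ts": "2026-04-08T09:00:01", "api": "NtQueryDirectoryObject", "integrity": "System",
     "process": r"C:\Windows\System32\wbengine.exe", "object": r"\Device\HarddiskVolumeShadowCopy3"},
    # Medium-integrity user process enumerating the same shadow copy: alert.
    {"ts": "2026-04-08T09:00:05", "api": "NtQueryDirectoryObject", "integrity": "Medium",
     "process": r"C:\Users\alice\AppData\Local\Temp\tool.exe", "object": r"\Device\HarddiskVolumeShadowCopy3"},
    # OneDrive registering a sync root: expected, no alert.
    {"ts": "2026-04-08T09:00:06", "api": "CfRegisterSyncRoot", "integrity": "Medium",
     "process": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    # Unknown binary registering a sync root: alert.
    {"ts": "2026-04-08T09:00:06", "api": "CfRegisterSyncRoot", "integrity": "Medium",
     "process": r"C:\Users\alice\AppData\Local\Temp\tool.exe"},
    # Medium-integrity process calling CreateService: alert.
    {"ts": "2026-04-08T09:00:08", "api": "CreateService", "integrity": "Medium",
     "process": r"C:\Users\alice\AppData\Local\Temp\tool.exe"},
    # Three Administrator password change/reset events inside one minute: alert.
    {"ts": "2026-04-08T09:00:09", "event_id": 4723, "target": "Administrator"},
    {"ts": "2026-04-08T09:00:10", "event_id": 4724, "target": "Administrator"},
    {"ts": "2026-04-08T09:00:12", "event_id": 4724, "target": "Administrator"},
    # One ordinary password change hours later: no alert.
    {"ts": "2026-04-08T14:30:00", "event_id": 4723, "target": "alice"},
]

if __name__ == "__main__":
    for rule, hits in run_detections(SAMPLE_EVENTS).items():
        print(f"{rule}: {len(hits)} hit(s)")
```

In a real deployment the API-level records would come from EDR telemetry and the 4723/4724 records from the Security event log; the allowlist and burst threshold need tuning to the estate, since rule 2 in particular will fire on any sync client not on the list.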
Watch Microsoft's Response
Track the official advisory at the Microsoft Security Response Center for patch availability. When a fix ships, patch immediately given the public PoC.