This post is for educational and research purposes only. Do not attempt to reproduce or run this exploit on any production, personal, or unauthorized systems. Doing so may violate laws and expose you to legal risks. The vulnerability is patched. always keep your Defender and Windows updated. I strongly recommend running experiments only in isolated virtual machines with proper snapshots. Stay ethical and responsible.
BlueHammer (CVE-2026-33825) is a beautiful and scary example of how legitimate Windows features can be chained together for Local Privilege Escalation from a standard user all the way to NT AUTHORITY\SYSTEM.
The Story
On April 3, 2026, a researcher known as Chaotic Eclipse publicly released a working PoC after growing frustrated with Microsoft’s coordinated disclosure process. No CVE at first and no patch. It is a true zero-day with full exploit code.
Microsoft eventually assigned CVE-2026-33825 and fixed it in the April 2026 Patch Tuesday via a Defender Antimalware Platform update for version 4.18.26050.3011 or newer.
The exploit was quickly used in the wild, and the community even improved the original PoC.
How it works
This isn’t a memory corruption or kernel exploit. It’s a TOCTOU race condition combined with clever abuse of trusted Windows components such as
- VSS
- oplocks
- cloud files API
- NTFS Junctions
- Defender remediation pipeline
Detailed step-by-step flow based on public analyses of the PoC
- The exploit queries the Windows Update Agent COM interfaces to check for a pending Microsoft Defender Antivirus definition update. This is a prerequisite cuz the vulnerable remediation workflow only triggers reliably during signature updates
- Trigger Defender Remediation and VSS Snapshot
- Drop a detectable test file (EICAR-like string in
foo.exeor similar) in a temporary directory to force real time protection scanning
Place a batch oplock onRstrtMgr.dllwhich is a DLL Defender accesses during remediation - When Defender touches the file, the oplock breaks, signaling activity
- A background thread polls
\\DeviceviaNtQueryDirectoryObjectto detect the newHarddiskVolumeShadowCopy*device created by VSS
- Drop a detectable test file (EICAR-like string in
- Register Cloud Files Sync Root
- Register the current directory as a Cloud Files sync root using
CfRegisterSyncRootandCfConnectSyncRoot - Drop a placeholder .lock file. When Defender enumerates the directory and accesses it, the
CF_CALLBACK_TYPE_FETCH_PLACEHOLDERScallback fires. - The callback checks the caller PID to confirm it’s the
WinDefend / MsMpEng.exe(SYSTEM) process. - Immediately acquire a second batch oplock on the .lock file and hold it. Defender blocks on
GetOverlappedResult, stalling the process while the VSS snapshot remains mounted.
- Register the current directory as a Cloud Files sync root using
- Path Redirection
- With Defender paused, manipulate the filesystem
- Set an oplock on a key update file like
mpasbase.vdmin the temporary update directory. - When triggered, rename/move the update directory.
- Recreate the directory as an NTFS junction pointing to a controlled location
- Create an Object Manager symbolic link inside it pointing to the VSS snapshot path of the protected registry hive
- Set an oplock on a key update file like
- this creates TOCTOU.
- With Defender paused, manipulate the filesystem
- Privileged Read
- Defender resumes its operation and running as SYSTEM, reads the SAM database from the VSS snapshot. The exploit receives the contents
- Credential Extraction
- Reconstruct the boot key from the SYSTEM hive.
- Decrypt LSA secrets and extract NTLM hashes from the SAM hive.
- Use
SamiChangePasswordUserto change the local Administrator password temporarily. - Log on with the new credentials, duplicate the token, elevate integrity to
SYSTEM. - Create a temporary Windows service to spawn a cmd.exe running as
NT AUTHORITY\SYSTEM. - Restore the original password to clean up traces.
The entire chain relies on precise timing and native Windows features.
Actions that you must take immediately
- Update Microsoft Defender Antimalware Platform to version 4.18.26050.3011 or higher.
- Enable ASR rules. official Microsoft ASR documentation
- Use standard user accounts for daily work and isolate test machines.
Update your system NOW if you haven’t.
If you attempt to run the publicly available proof-of-concept code on a fully updated system , the exploit will fail to achieve privilege escalation.
As shown below, instead of spawning an escalated shell, the payload will simply hang in an infinite loop because the underlying race condition has been neutralized:

Further Research
Cyderes: BlueHammer Vulnerability Deep-Dive
Vectra AI: When the Defender Becomes the Door
MSRC: CVE-2026-33825 Security Advisory
The End
www.pcl2.top

Leave a Reply