
Deep-Dive into CVE-2026-33825: Understanding the BlueHammer Vulnerability
Tags: Cybersecurity, Vulnerabilities, Windows Security, Credential Theft
The proof-of-concept (PoC) for CVE-2026-33825 (BlueHammer) includes a filestoleak array that targets the Windows SAM file, with two additional credential files (SYSTEM and SECURITY) commented out. On its own, the SAM file yields only partial credential data; uncommenting SYSTEM and SECURITY would allow full NTLM hash extraction, LSA secrets, and DPAPI master keys. The post also notes technical details such as the use of a batch oplock on RstrtMgr.dll, a namespace redirect via NtCreateSymbolicLinkObject, and an undocumented RPC endpoint (IMpService) used to trigger the exploit without elevated privileges.