Security News New Windows LegacyHive zero-day gives hackers admin privileges

Brownie2019

Level 23
Thread author
Verified
Well-known
Forum Veteran
Mar 9, 2019
1,058
5,640
2,168
Germany
A security researcher using the "Nightmare Eclipse" handle has released a Windows zero-day exploit dubbed LegacyHive that allows attackers to escalate privileges on up-to-date Windows systems.

Nightmare Eclipse published a proof-of-concept (PoC) exploit hours after Microsoft released its July 2026 Patch Tuesday updates, saying that it abuses a security vulnerability in the Windows User Profile Service, which has yet to receive a CVE ID for easier tracking.

However, unlike previous exploits released by NightmwareEclipse, the LegacyHive PoC has been modified to require additional credentials, making it harder for attackers to weaponize the vulnerability.

"The PoC requires another standard user credentials and a third username (which can be an administrator account), if the PoC is successful, it will end up mounting the target user hive in current user classes root," the researcher said.

"The PoC was stripped down as an attempt to prevent public exploitation, the original PoC did not require additional user credential and was not limited to usrclass.dat hive, any hive could be loaded using this vulnerability but you would need some brain cells to make the PoC do it."

As Will Dormann, principal vulnerability analyst at Tharros, explained after testing the LegacyHive exploit, successful exploitation would allow non-admin users to modify the classes registry hive and gain automatic code execution when the admin account logs into a compromised system.

"For example, as a novelty, we can associate .txt files to open with calc.exe," Dormann noted. "Clever attackers or people who want to accomplish something will easily be able to figure out how to do things that are more interesting and/or don't even require user interaction.
One day after the PoC was released, cybersecurity expert Kevin Beaumont also confirmed that the exploit works and published LegacyHive exploitation detection queries for the Microsoft Defender for Endpoint (MDE) enterprise-grade endpoint security platform.

"Microsoft is aware of the reported vulnerability and is actively investigating the validity and potential applicability of these claims. Microsoft is committed to investigating security issues and updating impacted products to protect customers as soon as possible," a Microsoft spokesperson told BleepingComputer today when asked for a statement regarding the LegacyHive exploit.

"Importantly, we support coordinated vulnerability disclosure, an industry standard that protects customers and supports the research community by ensuring their findings are thoroughly investigated and addressed before being made public."

In recent months, Nightmare Eclipse has disclosed zero-day exploits for multiple Windows vulnerabilities in Microsoft Defender, BitLocker, and various Windows components, including RoguePlanet, BlueHammer, RedSun, YellowKey, GreenPlasma, MiniPlasma, and UnDefend.

Microsoft fixed the GreenPlasma, MiniPlasma, and YellowKey flaws last month as part of the June 2026 Patch Tuesday updates and the RoguePlanet vulnerability in the July security updates.

Microsoft responded to Nightmare Eclipse's disclosures with warnings of legal action against people engaging in "malicious activity causing real harm to our customers," prompting cybersecurity experts to believe the company was directly threatening the security researcher.
 
Assessment

The quoted report describes a potentially serious Windows local privilege-escalation and persistence issue, but the claims should not be treated as independently confirmed solely because a proof of concept exists. The absence of a CVE and Microsoft’s statement that it is still investigating mean that the vulnerability status, affected versions, exploit reliability, and mitigation guidance remain uncertain.

If the behavior is accurately described, the main concern is unauthorized modification of another user’s registry hive. Changes to file associations, startup-related registry locations, or other user-controlled settings could cause code to execute when that user logs on. Requiring additional credentials would reduce the attack surface, but it would not eliminate the risk—particularly on shared systems, compromised endpoints, or environments where attackers have already obtained another local account’s credentials.

Practical precautions

  • Keep Windows and security products fully updated through official Microsoft channels.
  • Ensure Microsoft Defender or another reputable endpoint security product is enabled and receiving current updates.
  • Monitor for unusual loading or mounting of user registry hives, unexpected changes to user-class registry data, and suspicious modifications to file associations or logon-related settings.
  • Use separate standard and administrative accounts, and avoid reusing local passwords between accounts.
  • Review Microsoft’s security advisories and your security vendor’s detection guidance before applying unofficial workarounds.
  • Do not run the proof of concept on a production system. Testing it can alter registry data and may create persistence or system instability.

Detection queries can help identify suspicious activity, but they should be validated in a controlled environment because legitimate software may also access user hives. A detection alert alone is not proof that this specific vulnerability was exploited.

Until Microsoft publishes a security advisory or mitigation, the safest conclusion is that this is an unverified but potentially important local attack-path report. Treat relevant detections seriously, preserve logs, isolate affected systems when suspicious activity is found, and rely on official vendor guidance rather than modifying registry permissions or disabling protections based only on the article.