New Windows LegacyHive zero-day gives hackers admin privileges
Nightmare Eclipse releases LegacyHive Windows zero-day enabling privilege escalation to admin.
Summary
Security researcher Nightmare Eclipse has released a proof-of-concept exploit for LegacyHive, a Windows zero-day vulnerability in the User Profile Service that allows privilege escalation on fully patched systems. The exploit abuses the Windows registry hive loading mechanism to grant attackers admin-level code execution when an administrator logs in. Microsoft has not yet assigned a CVE ID to the vulnerability and has threatened legal action against the researcher.
Full text
New Windows LegacyHive zero-day gives hackers admin privileges By Sergiu Gatlan July 17, 2026 07:05 AM 0 A security researcher using the "Nightmare Eclipse" handle has released a Windows zero-day exploit dubbed LegacyHive that allows attackers to escalate privileges on up-to-date Windows systems. Nightmare Eclipse published a proof-of-concept (PoC) exploit hours after Microsoft released its July 2026 Patch Tuesday updates, saying that it abuses a security vulnerability in the Windows User Profile Service, which has yet to receive a CVE ID for easier tracking. However, unlike previous exploits released by NightmwareEclipse, the LegacyHive PoC has been modified to require additional credentials, making it harder for attackers to weaponize the vulnerability. "The PoC requires another standard user credentials and a third username (which can be an administrator account), if the PoC is successful, it will end up mounting the target user hive in current user classes root," the researcher said. "The PoC was stripped down as an attempt to prevent public exploitation, the original PoC did not require additional user credential and was not limited to usrclass.dat hive, any hive could be loaded using this vulnerability but you would need some brain cells to make the PoC do it." As Will Dormann, principal vulnerability analyst at Tharros, explained after testing the LegacyHive exploit, successful exploitation would allow non-admin users to modify the classes registry hive and gain automatic code execution when the admin account logs into a compromised system. LegacyHive demo (Will Dormann)"For example, as a novelty, we can associate .txt files to open with calc.exe," Dormann noted. "Clever attackers or people who want to accomplish something will easily be able to figure out how to do things that are more interesting and/or don't even require user interaction. One day after the PoC was released, cybersecurity expert Kevin Beaumont also published LegacyHive exploitation detection queries for the Microsoft Defender for Endpoint (MDE) enterprise-grade endpoint security platform. In recent months, Nightmare Eclipse has disclosed zero-day exploits for multiple Windows vulnerabilities in Microsoft Defender, BitLocker, and various Windows components, including RoguePlanet, BlueHammer, RedSun, YellowKey, GreenPlasma, MiniPlasma, and UnDefend. Microsoft fixed the GreenPlasma, MiniPlasma, and YellowKey flaws last month as part of the June 2026 Patch Tuesday updates and the RoguePlanet vulnerability in the July security updates. Microsoft responded to Nightmare Eclipse's disclosures with warnings of legal action against people engaging in "malicious activity causing real harm to our customers," prompting cybersecurity experts to believe the company was directly threatening the security researcher. A Microsoft spokesperson was not immediately available when contacted by BleepingComputer for comment. Test every layer before attackers do Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection. Get the whitepaper Related Articles: Recently leaked Windows zero-days now exploited in attacksDisgruntled researcher leaks “BlueHammer” Windows zero-day exploitWindows BitLocker zero-day gives access to protected drives, PoC releasedExploit available for new DirtyDecrypt Linux root escalation flawMicrosoft patches RoguePlanet Defender zero-day vulnerability
Indicators of Compromise
- malware — LegacyHive
- malware — RoguePlanet
- malware — BlueHammer
- malware — GreenPlasma
- malware — YellowKey
- malware — MiniPlasma