[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f39x7ZzJCFe9Viqk3ESH599byia8ZOYi5PQeJjDcFi7g":3},{"article":4,"iocs":56},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":33,"category":34,"article_tags":38},"ecf554f1-8495-4799-bf34-42648c734b65","Researcher Drops New Windows Zero-Day PoC Hours After Microsoft Patch Tuesday","researcher-drops-new-windows-zero-day-poc-hours-after-microsoft-patch-tuesday-3296da","Security researcher Chaotic Eclipse (aka Nightmare-Eclipse) has released a new proof-of-concept (PoC) exploit called LegacyHive. It has been described as a Windows User Profile Service arbitrary hive load elevation of privileges vulnerability. The Windows User Profile Service, also referred to as ProfSvc, is a core system component that manages user accounts and environments. \"The PoC requires","Security researcher Chaotic Eclipse has released a proof-of-concept exploit named LegacyHive for a Windows User Profile Service vulnerability. This elevation of privilege exploit is functional on all supported Windows versions, even after the July 2026 Patch Tuesday update. The researcher has a history of releasing exploits before Microsoft can patch them, leading to a dispute between the two parties.","Researcher releases Windows zero-day PoC exploiting User Profile Service.","Researcher Drops New Windows Zero-Day PoC Hours After Microsoft Patch Tuesday Ravie LakshmananJul 15, 2026Vulnerability \u002F Enterprise Security Security researcher Chaotic Eclipse (aka Nightmare-Eclipse) has released a new proof-of-concept (PoC) exploit called LegacyHive. It has been described as a Windows User Profile Service arbitrary hive load elevation of privileges vulnerability. The Windows User Profile Service, also referred to as ProfSvc, is a core system component that manages user accounts and environments. \"The PoC requires another standard user credential and a third username (which can be an administrator account),\" Chaotic Eclipse said. \"If the PoC is successful, it will end up mounting the target user hive in the current user classes root.\" The researcher said the exploit was stripped down to prevent public exploitation, adding the original exploit did not require additional user credentials and was not limited to the \"usrclass.dat\" hive. \"Any hive could be loaded using this vulnerability, but you would need some brain cells to make the PoC do it,\" the researcher noted. What makes it notable is that it's functional on all supported desktop and server versions of Windows, including those running the latest July 2026 Patch Tuesday update. Chaotic Eclipse and Microsoft have been locked in a heated dispute since at least April 2026, with the researcher releasing details of multiple exploits before the Windows maker had a chance to patch them, citing a breakdown in communication. Three of the vulnerabilities in Microsoft Defender came under active exploitation shortly after public disclosure. Earlier this month, the tech giant released security updates for another Defender vulnerability known as RoguePlanet that was disclosed by the researcher. However, it emerged that the newly introduced \"defense-in-depth updates\" to address the flaw can cause Microsoft Defender to leak 8 bytes of data when attempting to open a file in certain scenarios. Microsoft told The Hacker News that it's investigating the new report. We have contacted the company for comment regarding LegacyHive, and we will update the story if we hear back. SharePoint Server Flaws in Spotlight The development comes as Microsoft shipped patches for a record 622 flaws, including two privilege escalation shortcomings in SharePoint Server (CVE-2026-56164, CVSS score: 5.3) and Active Directory Federation Services (CVE-2026-56155, CVSS score: 7.8) that have been flagged as actively exploited. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added both vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, which mandates that Federal Civilian Executive Branch (FCEB) agencies apply the fixes by July 17 and July 28, 2026, respectively. \"After years of relative stability, the Patch Tuesday process has experienced significant turbulence so far in 2026,\" Adam Barnett, lead software engineer at Rapid7, said in a statement. \"As well as the AI-fuelled exponential growth of vulnerability reporting and discovery, Microsoft is grappling with the emergence of a series of vulnerabilities disclosed in such a way as to bring maximum discomfort for Redmond.\" In a separate advisory, the agency said it's aware of active exploitation of multiple SharePoint Server flaws, including CVE-2026-32201, CVE-2026-45659, and CVE-2026-56164, that enable cyber threat actors to gain unauthorized access to susceptible instances. \"These vulnerabilities affect all supported on-premises SharePoint Server versions (Subscription Edition, 2019, and 2016) and involve establishing remote code execution (RCE) and post-exploitation activities, such as stealing Internet Information Services (IIS) machine keys and performing deserialization techniques, to gain persistence and deploy malware,\" CISA said. \"The flaw stems from missing authentication for a critical function, enabling an attacker to reach functionality that should require authorization,\" Alex Vovk, CEO and co-founder of Action1, said about CVE-2026-56164. \"An attacker can send specially crafted network requests to access functionality that should require authentication, resulting in privilege escalation. The vulnerability primarily impacts system integrity by allowing unauthorized actions without requiring prior authentication or user interaction. Internet-facing SharePoint servers are particularly exposed because the attack can be performed remotely without valid credentials.\" It's worth noting that the July 2026 update also addresses another critical SharePoint Server security feature bypass vulnerability (CVE-2026-55040, CVSS score: 9.1) that a remote unauthenticated attacker could exploit to bypass authentication on a vulnerable SharePoint server and perform operations as a SharePoint site user or administrator. \"The vulnerability is due to several issues in the JWT token validation pipeline,\" Rapid7 said. \"An attacker who successfully exploits CVE-2026-55040 can perform operations against the target SharePoint site as the user they identify as. Furthermore, this authentication bypass can be chained to additional vulnerabilities within the authenticated attack surface of the target site.\" Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share Share SHARE  Active Exploitation, Authentication bypass, enterprise security, exploit, Microsoft Security, patch Tuesday, privilege escalation, SharePoint Security, Vulnerability, Windows Security ⚡ Top Stories This Week 16-Year-Old Linux KVM Flaw Lets Guest VMs Escape to Host on Intel and AMD x86 Systems BeyondTrust Patches Critical Auth Bypass Flaws in Remote Support and PRA Court Filing Reveals Windows Device ID Helped FBI Trace Alleged Scattered Spider Hacker Rogue Agent Flaw Could Have Let Attackers Hijack Google Dialogflow CX Chatbots RedWing MaaS Packages Android Bank Fraud as a Telegram Rental Service 15-Year-Old GhostLock Flaw Enables Root and Container Escape on Most Linux Distros GitHub Copilot Refuses Harmful Requests in Chat, Then Writes Them in Code New HalluSquatting Attack Could Trick AI Coding Assistants Into Installing Botnet Malware GhostApproval Symlink Flaws Could Let Malicious Repos Run Code in AI Coding Agents Top AI Agents Built to Catch Malicious Code Can Be Tricked Into Running It Meta's New AI Image Tool Lets Others Use Your Public Instagram Photos in AI Images ThreatsDay: Cloud Bucket Hijacking, Windows LPE Chain, Global Fraud Bust + 17 More Stories Dormant GitHub Accounts Help Attackers Blend In While Mapping Corporate Orgs Attackers Exploit 'Ill Bloom' Vulnerability to Drain Over $5 Million From Cryptocurrency Wallets Unpatched XRING Flaw in XQUIC Lets Remote Clients Crash HTTP\u002F3 Servers Researcher Details WhatsApp-to-Host Attack Chain Using Three OpenClaw Flaws New TrojPix Attack Leaks Data From Air-Gapped Systems via Video Cable Emissions Unpatched Flaws Disclosed in Filesystem Bundled Into Millions of Embedded Devices New \"Bad Epoll\" Linux Kernel Flaw Lets Unprivileged Users Gain Root, Hits Android Google Disrupts NetNut Residential Proxy Network Spanning 2 Million Home Devices European Parliament Member Investigating Spyware Was Hacked With Pegasus ⭐ Featured Resources What 200+ Security Teams Reveal About Using IP Intelligence in 2026 Get Hands-On SANS Training for Today’s Cyber Defense and Offensive Security Challenges See What’s Really Exposed Across Your IT, OT, IoT, Cloud, and Mobile Assets Get Gartner’s Guide to AI Agent Supervision and Runtime Controls","https:\u002F\u002Fthehackernews.com\u002F2026\u002F07\u002Fresearcher-drops-new-windows-zero-day.html","https:\u002F\u002Fblogger.googleusercontent.com\u002Fimg\u002Fb\u002FR29vZ2xl\u002FAVvXsEjvtiVnhkF-YVsPEXyedqj9REY5pN1-KiSsf-rCeXK5yClGbAcsL1Tg7-9UDDA8VQg5RbM0uWkV23rDxqiFFIJ2RkpkY6cn90-5LPbZOC2oktF7_3FjD5La_FGkYdVBEKeXMJGiGRZfPvxmMBXd99tncWdEZ4HxX62hbxmWEnA02eu-LSVwZtmecjuykqDb\u002Fs1600\u002Fwindows-0day.jpg","2026-07-15T11:07:07+00:00","2026-07-15T14:00:19.090069+00:00",9,[18,21,23,25,27,30],{"name":19,"type":20},"Windows User Profile Service","product",{"name":22,"type":20},"Microsoft Defender",{"name":24,"type":20},"SharePoint Server",{"name":26,"type":20},"Active Directory Federation Services",{"name":28,"type":29},"Microsoft","vendor",{"name":31,"type":32},"Chaotic Eclipse","threat_actor","80544778-fabb-4dcd-aa35-17492e5dcf4f",{"id":33,"icon":35,"name":36,"slug":37},null,"Vulnerabilities","vulnerabilities",[39,44,49,51],{"category":40},{"id":41,"icon":35,"name":42,"slug":43},"574f766a-fb3f-487c-8d2c-0720ae75471b","Zero-day","zero-day",{"category":45},{"id":46,"icon":35,"name":47,"slug":48},"6cbdd207-aaa1-4176-9534-e156b125e917","Nation-state","nation-state",{"category":50},{"id":33,"icon":35,"name":36,"slug":37},{"category":52},{"id":53,"icon":35,"name":54,"slug":55},"e7b231c8-5f79-4465-8d38-1ef13aea5a14","Threat Intelligence","threat-intelligence",[57,61,64,67],{"type":58,"value":59,"context":60},"cve","CVE-2026-56164","SharePoint Server privilege escalation vulnerability",{"type":58,"value":62,"context":63},"CVE-2026-56155","Active Directory Federation Services privilege escalation vulnerability",{"type":58,"value":65,"context":66},"CVE-2026-32201","SharePoint Server vulnerability",{"type":58,"value":68,"context":66},"CVE-2026-45659"]