BigTech CompaniesCybersecurityNewswireTechnologyWhat's Buzzing

Windows LegacyHive zero-day grants hackers admin access

▼ Summary

– A security researcher released a Windows zero-day exploit called LegacyHive that allows privilege escalation on up-to-date Windows systems by abusing a vulnerability in the Windows User Profile Service.
– The proof-of-concept exploit was published hours after Microsoft’s July 2026 Patch Tuesday updates and has been modified to require additional credentials to make it harder to weaponize.
– Successful exploitation enables non-admin users to modify the classes registry hive and gain automatic code execution when an admin account logs into the compromised system.
– Cybersecurity experts confirmed the exploit works, and Microsoft stated it is investigating the vulnerability while supporting coordinated vulnerability disclosure.
– The researcher has previously disclosed multiple Windows zero-day exploits, some of which Microsoft fixed in recent Patch Tuesday updates, prompting Microsoft to warn of legal action against malicious activity.

A security researcher known as “Nightmare Eclipse” has publicly released a Windows zero-day exploit called LegacyHive, capable of granting attackers elevated privileges on fully patched Windows systems. The proof-of-concept (PoC) exploit arrived just hours after Microsoft’s July 2026 Patch Tuesday updates, targeting a flaw in the Windows User Profile Service that currently lacks a CVE identifier for tracking.

Unlike earlier exploits from the same researcher, the LegacyHive PoC has been deliberately modified to require additional credentials, raising the bar for exploitation. “The PoC requires another standard user credentials and a third username (which can be an administrator account),” Nightmare Eclipse explained. “If the PoC is successful, it will end up mounting the target user hive in current user classes root.” The researcher added that the stripped-down version limits abuse: “The original PoC did not require additional user credential and was not limited to usrclass.dat hive. Any hive could be loaded using this vulnerability, but you would need some brain cells to make the PoC do it.”

Will Dormann, principal vulnerability analyst at Tharros, tested the exploit and confirmed its potential impact. Successful exploitation allows non-admin users to modify the classes registry hive, enabling automatic code execution when an administrator logs into a compromised system. “For example, as a novelty, we can associate .txt files to open with calc.exe,” Dormann noted. “Clever attackers or people who want to accomplish something will easily be able to figure out how to do things that are more interesting and/or don’t even require user interaction.”

A day after the PoC release, cybersecurity expert Kevin Beaumont verified the exploit works and published detection queries for Microsoft Defender for Endpoint (MDE) to help organizations spot LegacyHive attacks.

Microsoft responded to inquiries about the exploit, stating: “Microsoft is aware of the reported vulnerability and is actively investigating the validity and potential applicability of these claims. Microsoft is committed to investigating security issues and updating impacted products to protect customers as soon as possible.” The company also emphasized its support for coordinated vulnerability disclosure, which ensures findings are thoroughly investigated before public release.

Nightmare Eclipse has a track record of disclosing zero-day exploits for Windows vulnerabilities, including flaws in Microsoft Defender, BitLocker, and other components, under names like RoguePlanet, BlueHammer, RedSun, YellowKey, GreenPlasma, MiniPlasma, and UnDefend. Microsoft fixed GreenPlasma, MiniPlasma, and YellowKey in June 2026 Patch Tuesday updates, while RoguePlanet was addressed in July.

The company’s warnings of legal action against those engaging in “malicious activity causing real harm to our customers” have led cybersecurity experts to interpret this as a direct threat to Nightmare Eclipse, escalating tensions between the researcher and the tech giant.

(Source: BleepingComputer)

Topics

windows zero-day 95% privilege escalation 92% proof-of-concept exploit 90% patch tuesday 88% windows user profile service 85% exploit mitigation 82% registry hive manipulation 80% code execution 78% security researcher 76% microsoft response 74%