01
HighLegacyHiveNo Patch
Nightmare Eclipse drops an unpatched Windows privilege escalation zero-day hours after Patch Tuesday, working on fully updated systems
LegacyHive exploits a flaw in the Windows User Profile Service to mount another user's registry hive, including an administrator's. A deliberately stripped public proof-of-concept is already confirmed working. No CVE, no patch, no fix timeline from Microsoft.
NameLegacyHive
CVENot yet assigned
AffectsAll supported
Windows desktop
and server, fully
patched July 2026
Windows desktop
and server, fully
patched July 2026
ExploitationNot confirmed
in the wild
in the wild
What happened
The researcher known as Nightmare Eclipse, also going by Chaotic Eclipse, published proof-of-concept code for LegacyHive on GitHub hours after Microsoft's July 15 Patch Tuesday release. The vulnerability is in the Windows User Profile Service, also called ProfSvc, which creates, loads, and manages user profiles during sign-in. Windows loads a portion of a new user's profile before that user signs in for the first time. LegacyHive abuses the path the User Profile Service uses when loading a registry hive during that process, allowing a standard user to redirect the operation toward another account's UsrClass.dat file. This lets an attacker mount and read another user's classes registry hive, including an administrator's. If the hive can be modified, the attacker can configure the registry to run malicious code when the administrator signs in or performs a routine action, causing that code to execute inside the administrator's session.
The public proof-of-concept was deliberately stripped before release. As published, it requires a standard user account, an additional set of credentials, and a third username belonging to an administrator target. Nightmare Eclipse stated that the original exploit does not require extra credentials and is not limited to the UsrClass.dat hive. Independent researchers including Kevin Beaumont confirmed the stripped proof-of-concept works on systems running the July 2026 patches. Microsoft told SecurityWeek it is aware of the reported vulnerability and actively investigating. No CVE has been assigned. No patch is available. The release follows a documented pattern: Nightmare Eclipse has released nine Windows zero-days since April 2026 as part of a public dispute with Microsoft over its bug bounty program and account suspension.
Why it matters
Three prior Nightmare Eclipse zero-days, BlueHammer, RedSun, and UnDefend, were exploited in live attacks before Microsoft patched them, and all three subsequently appeared in CISA's Known Exploited Vulnerabilities catalog. LegacyHive follows the same disclosure pattern. The stripped proof-of-concept reduces the immediate exploitation risk, but the researcher stated plainly that the original is more capable. A skilled attacker who can identify the type of registry hive loading flaw described has a clear path to building a working exploit from the published technical details.
Don't miss
Nightmare Eclipse's nine public disclosures since April have averaged roughly three weeks between publication and Microsoft patch. BlueHammer, RedSun, and UnDefend were all exploited during that window. This brief has tracked the pattern across Issues 82, 86, and now 88. The researcher has stated intent to continue, and the cadence has not slowed. The practical defensive posture while LegacyHive is unpatched is to restrict who holds local standard-user accounts on multi-user systems, enable behavioral monitoring on User Profile Service activity, and watch for unexpected access to user classes registry hives.
Potential actions
- Monitor User Profile Service activity for unexpected hive loads and suspicious registry access under user classes roots. Endpoint detection rules that flag ProfSvc loading hives outside expected sequences are the most direct interim control.
- Restrict the creation of local standard-user accounts on multi-user Windows systems. The published proof-of-concept requires a second set of credentials. Reducing the number of accounts that can be used as stepping stones limits the published attack's reach while the flaw is unpatched.
- Apply application allowlisting to reduce the impact of any privilege escalation. An attacker who reaches administrator-level execution on an allowlisted system has fewer options for persistence and payload execution than on an unrestricted endpoint.
The Sip
Nine zero-days in three months from one researcher with a documented grievance, three of them exploited before a patch arrived. LegacyHive is the ninth. Microsoft is investigating. There is no patch yet. The gap between these two facts is where defenders need to operate right now.