New LegacyHive PoC Exploits Windows User Profile Service, SharePoint Under Active Attack
A new proof-of-concept exploit, **LegacyHive**, has been released, targeting a critical elevation of privileges vulnerability in the Windows User Profile Service that impacts all supported Windows versions. This disclosure comes amidst ongoing tensions between security researcher **Chaotic Eclipse** and **Microsoft**, and as CISA warns of active exploitation of multiple **SharePoint Server** flaws.

Security researcher **Chaotic Eclipse** (also known as **Nightmare-Eclipse**) has publicly released **LegacyHive**, a new proof-of-concept (PoC) exploit. This PoC targets a Windows User Profile Service arbitrary hive load elevation of privileges vulnerability, affecting the core system component responsible for managing user accounts and environments (**ProfSvc**).
"The PoC requires another standard user credential and a third username (which can be an administrator account)," **Chaotic Eclipse** stated. "If the PoC is successful, it will end up mounting the target user hive in the current user classes root."
The researcher noted that the publicly released exploit was deliberately stripped down to prevent widespread abuse. The original exploit did not necessitate additional user credentials and was not restricted to the `usrclass.dat` hive. "Any hive could be loaded using this vulnerability, but you would need some brain cells to make the PoC do it," the researcher added.
Notably, **LegacyHive** is functional across all supported desktop and server versions of Windows, including systems running the latest July 2026 Patch Tuesday updates.
### Ongoing Tensions with Microsoft
This disclosure is the latest in a series of public disputes between **Chaotic Eclipse** and **Microsoft**, which have been ongoing since at least April 2026. The researcher has repeatedly released details of exploits before **Microsoft** could issue patches, citing communication breakdowns. This has led to critical vulnerabilities in **Microsoft Defender** being actively exploited shortly after public disclosure.
Earlier this month, **Microsoft** released security updates for another **Defender** vulnerability, **RoguePlanet**, also disclosed by **Chaotic Eclipse**. However, it was later discovered that the new "defense-in-depth updates" introduced to address **RoguePlanet** could inadvertently cause **Microsoft Defender** to leak 8 bytes of data when attempting to open files under specific conditions. **Microsoft** has confirmed it is investigating this new report and has been contacted for comments regarding **LegacyHive**.
### SharePoint Server Flaws Under Scrutiny
Coinciding with these developments, **Microsoft** released patches for a record 622 flaws in its July 2026 Patch Tuesday. Among these are two privilege escalation vulnerabilities in **SharePoint Server** (**CVE-2026-56164**, CVSS score: 5.3) and **Active Directory Federation Services** (**CVE-2026-56155**, CVSS score: 7.8) that have been flagged as actively exploited.
The **U.S. Cybersecurity and Infrastructure Security Agency (CISA)** has added both **CVE-2026-56164** and **CVE-2026-56155** to its Known Exploited Vulnerabilities (**KEV**) catalog. This mandates that Federal Civilian Executive Branch (**FCEB**) agencies apply the necessary fixes by July 17 and July 28, 2026, respectively.
Adam Barnett, lead software engineer at **Rapid7**, commented on the current landscape: "After years of relative stability, the Patch Tuesday process has experienced significant turbulence so far in 2026. As well as the AI-fuelled exponential growth of vulnerability reporting and discovery, **Microsoft** is grappling with the emergence of a series of vulnerabilities disclosed in such a way as to bring maximum discomfort for Redmond."
In a separate advisory, **CISA** warned of ongoing active exploitation of multiple **SharePoint Server** flaws, including **CVE-2026-32201**, **CVE-2026-45659**, and **CVE-2026-56164**. These vulnerabilities enable threat actors to gain unauthorized access to vulnerable instances.
"These vulnerabilities affect all supported on-premises **SharePoint Server** versions (Subscription Edition, 2019, and 2016) and involve establishing remote code execution (**RCE**) and post-exploitation activities, such as stealing Internet Information Services (**IIS**) machine keys and performing deserialization techniques, to gain persistence and deploy malware," **CISA** elaborated.
Alex Vovk, CEO and co-founder of **Action1**, described **CVE-2026-56164** as stemming from "missing authentication for a critical function, enabling an attacker to reach functionality that should require authorization." He added, "An attacker can send specially crafted network requests to access functionality that should require authentication, resulting in privilege escalation. The vulnerability primarily impacts system integrity by allowing unauthorized actions without requiring prior authentication or user interaction. Internet-facing **SharePoint** servers are particularly exposed because the attack can be performed remotely without valid credentials."
Additionally, the July 2026 update addresses another critical **SharePoint Server** security feature bypass vulnerability (**CVE-2026-55040**, CVSS score: 9.1). This flaw could allow a remote unauthenticated attacker to bypass authentication and perform operations as a **SharePoint** site user or administrator.
"The vulnerability is due to several issues in the JWT token validation pipeline," **Rapid7** explained. "An attacker who successfully exploits **CVE-2026-55040** can perform operations against the target **SharePoint** site as the user they identify as. Furthermore, this authentication bypass can be chained to additional vulnerabilities within the authenticated attack surface of the target site."