New 'LegacyHive' Windows Zero-Day Exploit Emerges Post-Patch Tuesday
A security researcher known as **Nightmare Eclipse** has unveiled a new Windows zero-day exploit, dubbed **LegacyHive**, capable of escalating privileges on fully updated Windows systems. The exploit, released shortly after **Microsoft**'s July 2026 Patch Tuesday, targets a vulnerability in the Windows User Profile Service that currently lacks a **CVE ID**.

The **LegacyHive** exploit allows non-administrative users to gain elevated privileges, a critical concern for IT security professionals.
### The Mechanics of LegacyHive
Unlike previous exploits from **Nightmare Eclipse**, **LegacyHive**'s Proof-of-Concept (PoC) has been intentionally modified to require additional credentials, making its immediate weaponization more challenging. The researcher stated, "The PoC requires another standard user credentials and a third username (which can be an administrator account), if the PoC is successful, it will end up mounting the target user hive in current user classes root."
The original, more potent version of the PoC was reportedly "stripped down as an attempt to prevent public exploitation," and could load any user hive, not just `usrclass.dat`.
### Impact and Detection
**Will Dormann**, principal vulnerability analyst at **Tharros**, elaborated on the exploit's potential. Successful exploitation could allow a non-admin user to modify the classes registry hive, leading to automatic code execution when an administrator logs into the compromised system. **Dormann** demonstrated this by showing how `.txt` files could be associated with `calc.exe`, noting that "Clever attackers or people who want to accomplish something will easily be able to figure out how to do things that are more interesting and/or don't even require user interaction."

Cybersecurity expert **Kevin Beaumont** confirmed the exploit's functionality and promptly released **LegacyHive** exploitation detection queries for **Microsoft Defender for Endpoint (MDE)**, providing immediate tools for enterprise security teams.
### Microsoft's Response and Broader Context
**Microsoft** has acknowledged the reported vulnerability. A spokesperson stated, "Microsoft is aware of the reported vulnerability and is actively investigating the validity and potential applicability of these claims. Microsoft is committed to investigating security issues and updating impacted products to protect customers as soon as possible." The company also reiterated its support for coordinated vulnerability disclosure.
**Nightmare Eclipse** has a history of disclosing Windows zero-day exploits, including **RoguePlanet**, **BlueHammer**, **RedSun**, **YellowKey**, **GreenPlasma**, **MiniPlasma**, and **UnDefend**, affecting components like **Microsoft Defender**, **BitLocker**, and various Windows services. Many of these vulnerabilities have since been patched by **Microsoft** in recent Patch Tuesday updates.
This latest disclosure follows a period of tension between **Microsoft** and **Nightmare Eclipse**, with **Microsoft** previously issuing statements against "malicious activity causing real harm to our customers," which some cybersecurity experts interpreted as a direct warning to the researcher.