• 2 min read
Windows zero-day LegacyHive gives attackers admin path
A new Windows zero-day exploit called LegacyHive can let non-admin users gain code execution through an admin account on fully patched systems.

Image: BleepingComputer
A security researcher using the handle Nightmare Eclipse has published a new Windows zero-day exploit, LegacyHive, that can help attackers escalate privileges on fully updated Windows systems.
The proof-of-concept landed just hours after Microsoft’s July 2026 Patch Tuesday updates. According to the researcher, the flaw affects the Windows User Profile Service and still does not have a CVE ID.
Unlike some earlier releases from Nightmare Eclipse, this PoC was intentionally limited to make abuse harder. The researcher said it now requires another standard user’s credentials and a third username, which can be an administrator account.
“The PoC requires another standard user credentials and a third username (which can be an administrator account), if the PoC is successful, it will end up mounting the target user hive in current user classes root.” “The PoC was stripped down as an attempt to prevent public exploitation, the original PoC did not require additional user credential and was not limited to usrclass.dat hive, any hive could be loaded using this vulnerability but you would need some brain cells to make the PoC do it.”
Will Dormann, principal vulnerability analyst at Tharros, tested the exploit and said successful use would let a non-admin user modify the classes registry hive and gain automatic code execution when the admin account logs into the compromised machine.

Recommended reading
TfL hackers get 5.5 years as Scattered Spider takes a hit
“For example, as a novelty, we can associate .txt files to open with calc.exe.” “Clever attackers or people who want to accomplish something will easily be able to figure out how to do things that are more interesting and/or don’t even require user interaction.”
One day after the PoC appeared, cybersecurity expert Kevin Beaumont published LegacyHive exploitation detection queries for Microsoft Defender for Endpoint.
Nightmare Eclipse has recently disclosed several other Windows zero-days, including RoguePlanet, BlueHammer, RedSun, YellowKey, GreenPlasma, MiniPlasma, and UnDefend, affecting Microsoft Defender, BitLocker, and other Windows components. Microsoft patched GreenPlasma, MiniPlasma, and YellowKey in June 2026 Patch Tuesday, and fixed RoguePlanet in the July updates.
Microsoft previously responded to these disclosures by warning of legal action against people engaging in “malicious activity causing real harm to our customers,” a statement that led some cybersecurity experts to believe the company was directly threatening the researcher. A Microsoft spokesperson was not immediately available when contacted by BleepingComputer for comment.
Security Editor
Sophia unpacks the invisible wars happening on our networks. Covering cybersecurity, privacy legislation, and cryptography, she exposes how our data is weaponized and defended. Before joining for(geeks), she spent years as a penetration tester. She's the reason the rest of the team uses physical security keys.
via BleepingComputer


