TL;DR
A researcher known as Nightmare-Eclipse has published details and proof-of-concept code for LegacyHive, a Windows User Profile Service privilege escalation flaw. The LegacyHive exploit abuses arbitrary registry hive loading to mount another user’s hive. Its author says the code works on all supported desktop and server installs carrying the July 2026 patch. No CVE has been assigned, and no in-the-wild exploitation is confirmed yet.
Why It Matters
This is not an isolated leak. Instead, it lands as the promised July 14 drop in the long feud between Nightmare-Eclipse and Microsoft. The researcher previously released six Windows zero-days, and attackers weaponized three of them before patches shipped. A public exploit for an unpatched flaw therefore hands a ready tool to any attacker with a foothold. Privilege escalation flaws like this one turn a low-privilege account into full system control.
How the Attack Works
The LegacyHive exploit targets how the User Profile Service loads registry hives. In the published version, it mounts a target user’s hive into the current user’s classes root. The technique echoes older User Profile Service hive-load bugs, but it defeats current mitigations. Notably, the author says the released code was stripped down on purpose. The original required no extra credentials and could load any hive, not just usrclass.dat. This report describes the mechanism only and includes no exploit steps.
Affected Versions
According to the author, the flaw affects all currently supported Windows desktop and server versions, even after the July 2026 patch. Microsoft has not published an advisory for this specific issue at the time of writing.
Exploitation Status
A public proof-of-concept exists on the researcher’s LegacyHive repository and mirrors. However, no confirmed in-the-wild abuse of LegacyHive has been reported so far. That gap could close fast, given how quickly the earlier drops were exploited.
The Nightmare-Eclipse Backdrop
LegacyHive extends a public dispute that began in April 2026. Nightmare-Eclipse dumped six zero-days, including BlueHammer, RedSun, and UnDefend, without coordinating with Microsoft. CISA later added several to its Known Exploited Vulnerabilities Catalog. Microsoft condemned the uncoordinated releases, disabled the researcher’s accounts, and signaled possible legal action. This latest release keeps that standoff alive.
Patch and Mitigation Steps
No patch exists yet, so defenders must rely on interim controls. Limit who can create local standard-user accounts, since the released PoC needs a second set of credentials. In addition, monitor the User Profile Service for unexpected hive loads and watch for suspicious registry activity under user classes roots. Finally, apply Microsoft’s fix as soon as it appears.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.