LegacyHive Zero-Day Exploit Released for Windows Privilege Escalation

Security researcher Nightmare Eclipse released a Windows zero-day exploit called LegacyHive hours after Microsoft's July 2026 Patch Tuesday, allowing privilege escalation through the User Profile Service. The proof-of-concept was stripped to require additional user credentials, limiting its immediate weaponization compared to previous disclosures. Successful exploitation enables non-admin users to modify the classes registry hive, allowing automatic code execution when an administrator logs into the compromised system.

Kevin Beaumont confirmed the exploit works and published detection queries for Microsoft Defender for Endpoint. Microsoft stated it is investigating the vulnerability and supports coordinated disclosure, while having previously warned of legal action against what it describes as malicious customer harm. This continues Nightmare Eclipse's pattern of releasing zero-day exploits, including RoguePlanet, BlueHammer, RedSun, YellowKey, GreenPlasma, MiniPlasma, and UnDefend. Microsoft patched GreenPlasma, MiniPlasma, and YellowKey in June, with RoguePlanet fixed in July. The original exploit could load any hive without additional credentials, but the public version was restricted to prevent widespread exploitation. Cybersecurity expert Will Dormann demonstrated the exploit's potential by associating .txt files to open with calculator as a proof of concept. The ongoing dispute between the researcher and Microsoft over bug bounty practices has led to multiple public disclosures.

Read more...

Read More

Got Something To Say?

Your email address will not be published.