New LegacyHive Windows Zero-Day Could Give Attackers Admin Access


Windows Netlogon Bug exploited
Image credit: Microsoft

The LegacyHive Windows zero-day could allow a standard user to modify sensitive registry data belonging to another account, including a Windows administrator.

Security researcher NightmareEclypse, also known as Chaotic Eclipse, published proof-of-concept code, and independent researchers confirmed that the exploit works on fully updated Windows systems.

LegacyHive Targets the Windows User Profile Service

LegacyHive exploits a weakness in the Windows User Profile Service, also known as ProfSvc.

Windows uses this service to create, load, and manage user profiles. Each profile includes registry hives that control application settings, file associations, Explorer behavior, and other user-specific configurations.

The vulnerability allows a non-administrator to mount and modify another user’s classes registry hive.

An attack could configure the registry to launch malicious code when an administrator signs in or performs a common action. That would allow the attacker’s code to run inside the administrator’s session, effectively providing elevated access.

Attackers could also combine LegacyHive with another vulnerability to create an attack chain that provides more direct control over an administrator account.

Published Exploit Has Several Requirements

The publicly available proof of concept does not provide attackers with an immediate path to administrator privileges.

In its current form, the exploit requires credentials for another standard Windows account. The attacker must also know the username of a third account, which can belong to either a standard user or an administrator.

NightmareEclypse says the public code was deliberately stripped down to make it less useful for malicious attacks. According to the researcher, the original exploit did not require credentials for an additional account and could load registry hives other than UsrClass.dat.

LegacyHive reportedly works on all supported Windows desktop and server releases, including systems that have installed Microsoft’s latest July 2026 security updates.

How the LegacyHive Exploit Works

Windows can load portions of a new user’s profile before that user signs in for the first time.

LegacyHive abuses this behavior and manipulates the path that the User Profile Service uses while loading a registry hive. This allows the attacker to redirect the operation toward another account’s UsrClass.dat file.

The proof of concept restores the original files and removes temporary artifacts after it finishes. This cleanup could make exploitation harder to detect through a basic examination of the affected computer.

Microsoft Is Investigating the Vulnerability

Microsoft has confirmed that it knows about the LegacyHive report and is investigating whether the vulnerability affects supported Windows products.

The company said it plans to update affected products as quickly as possible after completing its investigation.

LegacyHive does not currently have a publicly announced CVE identifier, and Microsoft has not released an official patch or workaround. There is currently no public evidence that cybercriminals are exploiting LegacyHive in real-world attacks.

LegacyHive Appeared After a Record Patch Tuesday

The disclosure came shortly after Microsoft released its largest Patch Tuesday update to date, fixing at least 570 security flaws, including three zero-days.

Microsoft also recently fixed RoguePlanet, another privilege-escalation vulnerability disclosed by NightmareEclypse.

LegacyHive remains unpatched, so administrators should use the available detection guidance while waiting for Microsoft to complete its investigation and release an official security update.

Via Ars Technica

More about the topics: microsoft, security, Windows

Readers help support Windows Report. We may get a commission if you buy through our links. Tooltip Icon

Read our disclosure page to find out how can you help Windows Report sustain the editorial team. Read more

User forum

0 messages