Tech News

LegacyHive Zero-Day Hits Windows Just After July Patch Tuesday

Microsoft's biggest Patch Tuesday in history didn't take long to be undermined. On July 14, 2026, the very same day, researcher Nightmare Eclipse revealed LegacyHive, a flaw that enables privilege escalation in Windows' user profile service. No CVE, no patch, and a PoC that works on fully patched machines. Here's what we know.

The pattern is becoming familiar. Microsoft rolls out its monthly fixes, and soon after, Nightmare Eclipse (aka Chaotic Eclipse or MSNightmare) discloses an unpatched zero-day security flaw. In June, it was RoguePlanet, published right after the updates. This time, the researcher disclosed a new flaw in less than an hour after the July 2026 Patch Tuesday went live.

LegacyHive's target: Windows profsvc

This time, the target is profsvc, the service that loads and unloads user profiles during Windows logons. The researcher describes it as a vulnerability that allows arbitrary loading of a registry hive, leading to privilege escalation.

The idea is straightforward: the targeted service runs with SYSTEM privileges, and a standard user can abuse its profile-loading mechanism to make it mount an attacker-controlled hive. As a result, another user's hive, including an administrator's, ends up mounted in the current user's classes root. This opens the door to further actions ranging from credential theft to persistence through the registry.

This is a local privilege escalation, so it is important to understand that LegacyHive is not an initial access vector. However, once an attacker has an initial foothold on a Windows PC, it can allow them to take control of the machine.

A deliberately limited PoC

What is new compared to Nightmare Eclipse's previous disclosures is that the released code is not complete. Apparently, he decided to tone things down a bit. That is at least what he states in the repository README, where he says he intentionally restricted the PoC in an attempt to prevent public exploitation.

This public version has additional constraints:

  • It requires the credentials of a second standard user, plus the name of a third account, which can be an administrator.
  • It is limited to the usrclass.dat hive.

Even so, he has a more aggressive version: the original PoC did not require any additional credentials and was not limited to this single Registry hive. According to the researcher, any hive can be loaded. More importantly, the code would work on all Windows and Windows Server installations, including systems with the July 2026 updates installed.

No CVE, no patch, and an ongoing standoff

No CVE identifier assigned, no Microsoft bulletin, no patch available: a familiar situation with the flaws disclosed by Nightmare Eclipse over the past several months. In fact, the dispute has been ongoing since April 2026, amid a breakdown in communication and misunderstanding between the researcher and Microsoft's MSRC.

He still has the upper hand: Microsoft continues to take several days or weeks to fix the disclosed flaws. In this case, that could push the Redmond company to release an out-of-band update to patch the issue. Unless an easy mitigation is possible: the ball is now in Microsoft's court.

author avatar
Florian Burnel Co-founder of IT-Connect
Systems and network engineer, co-founder of IT-Connect and Microsoft MVP "Cloud and Datacenter Management". I'd like to share my experience and discoveries through my articles. I'm a generalist with a particular interest in Microsoft solutions and scripting. Enjoy your reading.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.