Windows ‘LegacyHive’ Zero-Day Exposes Critical Privilege Escalation Flaw

A newly disclosed zero-day vulnerability, dubbed ‘LegacyHive,’ has been identified in Microsoft’s Windows operating system, posing significant security risks to users. This flaw resides within the Windows User Profile Service (ProfSvc) and enables standard users to load registry hives of other users, including administrators, potentially leading to unauthorized access and privilege escalation.

The security researcher known as Nightmare Eclipse, also referred to as Chaotic Eclipse, publicly released a proof-of-concept (PoC) exploit for LegacyHive on July 14, 2026, coinciding with Microsoft’s Patch Tuesday. The PoC demonstrates how an attacker can mount another user’s registry hive under their own registry classes root, thereby exposing sensitive configuration data and facilitating further exploitation. Notably, the PoC requires credentials of another standard user and a third username, which can be an administrator account. If successful, it mounts the target user hive in the current user’s classes root.

Registry hives are critical components of the Windows operating system, storing configuration data for user profiles, applications, and system settings. Unauthorized access to these hives can lead to severe security breaches, including data theft and system compromise. The LegacyHive vulnerability affects all supported versions of Windows 10, Windows 11, and Windows Server (2016, 2019, and 2022), even those fully patched as of July 2026.

While the PoC has been intentionally limited to prevent immediate weaponization, security experts warn that attackers with moderate skills could adapt it for broader registry hive access and more impactful attacks. The exploit is particularly concerning for enterprise, government, and critical infrastructure sectors, as it allows bypassing privilege boundaries on fully patched Windows systems.

As of now, there is no evidence of widespread exploitation of LegacyHive in the wild. However, the vulnerability has been independently verified by multiple security researchers to function on fully patched systems. Microsoft has yet to acknowledge the LegacyHive exploit publicly, and no official patch or CVE identifier has been assigned as of July 2026.

Given the potential severity of this vulnerability, it is imperative for organizations and individual users to remain vigilant. Monitoring for unusual system behavior, restricting user privileges, and implementing robust security measures can help mitigate the risks associated with LegacyHive. Additionally, staying informed about updates from Microsoft regarding this issue is crucial, as a patch is likely forthcoming.

The disclosure of LegacyHive underscores the ongoing challenges in securing complex operating systems like Windows. It highlights the importance of proactive vulnerability management and the need for timely patching to protect against emerging threats. Users and administrators should prioritize security updates and consider implementing additional protective measures to safeguard their systems against potential exploitation.