LegacyHive PoC exposes a Windows Privilege Escalation flaw affecting fully patched Windows desktop and server systems.
Just hours after Microsoft’s July 2026 Patch Tuesday, security researcher Nightmare Eclipse, also known as Chaotic Eclipse, published a new Windows zero-day proof-of-concept called LegacyHive. This time, the target is the Windows User Profile Service (ProfSvc), and unlike the hundreds of vulnerabilities Microsoft fixed this month, this one currently has no CVE, no advisory, and no security update.
LegacyHive is a local privilege escalation vulnerability. An attacker who already has code execution as a standard user can abuse the User Profile Service to load another user’s registry hive, potentially that of a local administrator, under their own profile.
That opens the door to accessing registry data that should remain protected and may help elevate privileges under the right conditions. While it isn’t a remote code execution bug, privilege escalation remains one of the most valuable building blocks in modern attack chains.
“The PoC requires another standard user credentials and a third username (which can be an administrator account), if the PoC is successful, it will end up mounting the target user hive in current user classes root.” reads the researcher’s public repository. “The PoC was stripped down as an attempt to prevent public exploitation, the original PoC did not require additional user credential and was not limited to usrclass.dat hive, any hive could be loaded using this vulnerability but you would need some brain cells to make the PoC do it.”

According to the proof-of-concept, exploitation requires several prerequisites. The attacker already needs access to the target system, valid user credentials, and another local user profile whose registry hive can be mounted. That makes LegacyHive unsuitable for mass exploitation over the Internet, but potentially attractive for post-compromise operations where attackers are already inside a network.
The release also continues an increasingly public dispute between Nightmare Eclipse and Microsoft’s Security Response Center (MSRC).
Since April, the researcher has repeatedly published Windows zero-days without coordinated disclosure, arguing that previous reports were mishandled and that researchers were not properly credited. Several of those earlier disclosures were later patched, while some were reportedly exploited before fixes became available.
On June 10, security researcher Chaotic Eclipse published a new working exploit dubbed GreatXML that bypasses BitLocker and opens a command shell with full SYSTEM privileges while Windows is in Recovery Mode. It came one day after RoguePlanet, an exploit targeting Microsoft Defender that leads to local privilege escalation.
Chaotic Eclipse also disclosed BlueHammer (CVE-2026-33825), UnDefend (CVE-2026-45498), and RedSun (CVE-2026-41091) zero-days. The disclosures are believed to stem from a dispute with Microsoft over the vulnerability reporting process.
In early June, Chaotic Eclipse released a PoC for the RoguePlanet Microsoft Defender zero-day, which can grant SYSTEM privileges on fully patched Windows systems.
In May, the researcher disclosed two other Windows zero-day vulnerabilities named YellowKey and GreenPlasma. The flaws affect BitLocker and the Windows Collaborative Translation Framework (CTFMON). YellowKey could allow attackers to bypass BitLocker protections, while GreenPlasma enables privilege escalation. The researcher previously disclosed three Microsoft Defender vulnerabilities.
The researcher criticized Microsoft for revoking access to their MSRC account, rejecting reports, and failing to provide compensation.
At the end of May, Microsoft’s Security Response Center called the zero-day dumps irresponsible.
“In recent weeks several zero-day vulnerabilities have been publicly disclosed.” reads the report published by Microsoft. “The details of these vulnerabilities were not shared with Microsoft prior to release, and the disclosures put our customers at unnecessary risk.”
The company said its security teams have been working around the clock since the disclosures to understand the impact, build patches, and protect customers from attackers who picked up the published exploit code and ran with it.
Microsoft’s post is essentially a public defense of Coordinated Vulnerability Disclosure, the standard practice where a researcher notifies a vendor privately, gives them time to fix the issue, and then goes public. Microsoft says it works with hundreds of researchers this way every year, compensating them through bug bounty programs and crediting them publicly.
“This partnership allows us to make updates to impacted services before proof-of-concept code can make it into the hands of bad actors.” continues the report. “The vulnerabilities known as RedSun, UnDefend, BlueHammer, YellowKey, GreenPlasma, and MiniPlasma were not responsibly disclosed.”
The implication is clear: when someone skips that step, real people get attacked with real tools built from the published research.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Chaotic Eclipse)
