A security researcher using the “Nightmare Eclipse” handle has released a Windows zero-day exploit dubbed LegacyHive that allows attackers to escalate privileges on up-to-date Windows systems.
Nightmare Eclipse published a proof-of-concept (PoC) exploit hours after Microsoft released its July 2026 Patch Tuesday updates, saying that it abuses a security vulnerability in the Windows User Profile Service, which has yet to receive a CVE ID for easier tracking.
However, unlike previous exploits released by NightmwareEclipse, the LegacyHive PoC has been modified to require additional credentials, making it harder for attackers to weaponize the vulnerability.
“The PoC requires another standard user credentials and a third username (which can be an administrator account), if the PoC is successful, it will end up mounting the target user hive in current user classes root,” the researcher said.
“The PoC was stripped down as an attempt to prevent public exploitation, the original PoC did not require additional user credential and was not limited to usrclass.dat hive, any hive could be loaded using this vulnerability but you would need some brain cells to make the PoC do it.”
As Will Dormann, principal vulnerability analyst at Tharros, explained after testing the LegacyHive exploit, successful exploitation would allow non-admin users to modify the classes registry hive and gain automatic code execution when the admin account logs into a compromised system.
“For example, as a novelty, we can associate .txt files to open with calc.exe,” Dormann noted. “Clever attackers or people who want to accomplish something will easily be able to figure out how to do things that are more interesting and/or don’t even require user interaction.
One day after the PoC was released, cybersecurity expert Kevin Beaumont also published LegacyHive exploitation detection queries for the Microsoft Defender for Endpoint (MDE) enterprise-grade endpoint security platform.
In recent months, Nightmare Eclipse has disclosed zero-day exploits for multiple Windows vulnerabilities in Microsoft Defender, BitLocker, and various Windows components, including RoguePlanet, BlueHammer, RedSun, YellowKey, GreenPlasma, MiniPlasma, and UnDefend.
Microsoft fixed the GreenPlasma, MiniPlasma, and YellowKey flaws last month as part of the June 2026 Patch Tuesday updates and the RoguePlanet vulnerability in the July security updates.
Microsoft responded to Nightmare Eclipse’s disclosures with warnings of legal action against people engaging in “malicious activity causing real harm to our customers,” prompting cybersecurity experts to believe the company was directly threatening the security researcher.
A Microsoft spokesperson was not immediately available when contacted by BleepingComputer for comment.
Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.
The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection.
Recently leaked Windows zero-days now exploited in attacks
Disgruntled researcher leaks “BlueHammer” Windows zero-day exploit
Windows BitLocker zero-day gives access to protected drives, PoC released
Exploit available for new DirtyDecrypt Linux root escalation flaw
Microsoft patches RoguePlanet Defender zero-day vulnerability
Microsoft July 2026 Patch Tuesday fixes massive 570 flaws, 3 zero-days
Microsoft: Some Dell PCs shut down after recent Windows updates
Zoom warns of critical account takeover vulnerability
AI broke vulnerability management. Get the guide CISOs use to shift budget to BAS.
How Mature Is Your AI Security Program? Take the Free AI Maturity Assessment.
AI is a data-breach time bomb: Read the new report
See how Pixellot discovered and secured hundreds of unmanaged AI agent identities in weeks, not months. Read the case study.
Pentest your web apps on-demand. Find what humans miss. Scope and launch a pentest in minutes.
Terms of Use – Privacy Policy – Ethics Statement – Affiliate Disclosure
Read our posting guidelinese to learn what content is prohibited.



