Nightmare Eclipse Releases LegacyHive Windows Zero-Day With Stripped PoC After Patch Tuesday

The Windows User Profile Service local privilege escalation flaw works on systems running the July 2026 updates, but the researcher scaled the exploit back to slow immediate weaponization.

Published on Jul 16, 2026
Nightmare Eclipse Releases LegacyHive Windows Zero-Day With Stripped PoC After Patch Tuesday

The researcher known as Nightmare Eclipse released another Windows zero-day this week, dropping a local privilege escalation exploit called LegacyHive on GitHub hours after Microsoft’s July Patch Tuesday. The Proof-of-Concept (PoC) works on desktop and server installations carrying the July 2026 updates.

LegacyHive targets the Windows User Profile Service, allowing an attacker to load arbitrary registry hives, including those belonging to administrator accounts. As published, the PoC mounts the target user’s hive in the current user classes root and requires an additional standard user credential plus a third username to succeed.

That scaled-back scope marks a break from earlier drops in the series. Prior releases came with full working code, and three of them ended up in real intrusions before Microsoft could patch.

LegacyHive’s PoC was deliberately stripped, the researcher wrote, and the original neither required extra credentials nor was limited to the usrclass.dat hive. Rebuilding that scope from the current release would still be possible, they suggested, but not straightforward.

A Microsoft spokesperson told Expert Insights the company is aware of the reported vulnerability and is “actively investigating the validity and potential applicability of these claims.” The spokesperson also reiterated Microsoft’s support for coordinated vulnerability disclosure as “an industry standard that protects customers and supports the research community.”

Latest in a Running Series

LegacyHive is the latest in a set of Windows zero-day PoCs the researcher, also known as Chaotic Eclipse, has published since April. Security press has widely characterized this as a retaliatory campaign over Microsoft’s Security Response Center handling of bug reports and bounty payments. 

For context, BlueHammer, RedSun, and UnDefend were all patched and later added to CISA’s Known Exploited Vulnerabilities catalog after evidence of real-world exploitation emerged, including Huntress documentation of their use in live intrusions.

YellowKey, GreenPlasma, and MiniPlasma got fixes at June’s Patch Tuesday. Microsoft mitigated RoguePlanet with an out-of-band Microsoft Defender Malware Protection Engine update on July 8. 

Nightmare Eclipse had threatened a “bone-shattering” drop for July 14 before partially walking that back; LegacyHive is what appeared.

Application allowlisting and behavioral detection remain the primary controls while the flaw is unpatched.

This field is for validation purposes and should be left unchanged.

FREE NEWSLETTER

Cyber Weekly

Get curated cybersecurity news, threats and insights delivered free every Thursday.

Written By Written By
Alessandro Mascellino
Alessandro Mascellino Cybersecurity Reporter

Alessandro Mascellino is a British-Italian freelance journalist specializing in technology and gaming. He has contributed to several publications, including Wired, The Independent, and Android Police. By day, he works as a journalist. By night, he co-manages a game studio that creates narrative games.