The researcher known as Nightmare Eclipse released another Windows zero-day this week, dropping a local privilege escalation exploit called LegacyHive on GitHub hours after Microsoft’s July Patch Tuesday. The Proof-of-Concept (PoC) works on desktop and server installations carrying the July 2026 updates.
LegacyHive targets the Windows User Profile Service, allowing an attacker to load arbitrary registry hives, including those belonging to administrator accounts. As published, the PoC mounts the target user’s hive in the current user classes root and requires an additional standard user credential plus a third username to succeed.
That scaled-back scope marks a break from earlier drops in the series. Prior releases came with full working code, and three of them ended up in real intrusions before Microsoft could patch.
LegacyHive’s PoC was deliberately stripped, the researcher wrote, and the original neither required extra credentials nor was limited to the usrclass.dat hive. Rebuilding that scope from the current release would still be possible, they suggested, but not straightforward.
A Microsoft spokesperson told Expert Insights the company is aware of the reported vulnerability and is “actively investigating the validity and potential applicability of these claims.” The spokesperson also reiterated Microsoft’s support for coordinated vulnerability disclosure as “an industry standard that protects customers and supports the research community.”
Latest in a Running Series
LegacyHive is the latest in a set of Windows zero-day PoCs the researcher, also known as Chaotic Eclipse, has published since April. Security press has widely characterized this as a retaliatory campaign over Microsoft’s Security Response Center handling of bug reports and bounty payments.
For context, BlueHammer, RedSun, and UnDefend were all patched and later added to CISA’s Known Exploited Vulnerabilities catalog after evidence of real-world exploitation emerged, including Huntress documentation of their use in live intrusions.
YellowKey, GreenPlasma, and MiniPlasma got fixes at June’s Patch Tuesday. Microsoft mitigated RoguePlanet with an out-of-band Microsoft Defender Malware Protection Engine update on July 8.
Nightmare Eclipse had threatened a “bone-shattering” drop for July 14 before partially walking that back; LegacyHive is what appeared.
Application allowlisting and behavioral detection remain the primary controls while the flaw is unpatched.