Security researcher Chaotic Eclipse has released a proof-of-concept exploit called LegacyHive, which targets a vulnerability in the Windows User Profile Service. The exploit requires standard user credentials and a third username, potentially an administrator account. It can mount the target user hive in the current user classes root and is designed to reduce the risk of public exploitation. The exploit works across all supported desktop and server versions of Windows, including those updated with the July 2026 Patch Tuesday release. Microsoft is investigating the findings related to LegacyHive.
Microsoft has patched 622 vulnerabilities, including two privilege escalation flaws in SharePoint Server (CVE-2026-56164, CVSS score: 5.3) and Active Directory Federation Services (CVE-2026-56155, CVSS score: 7.8), which are actively exploited threats. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has included these vulnerabilities in its Known Exploited Vulnerabilities catalog, requiring Federal Civilian Executive Branch agencies to implement fixes by specified deadlines.
CISA has also noted active exploitation of several SharePoint Server vulnerabilities, including CVE-2026-32201, CVE-2026-45659, and CVE-2026-56164, which allow unauthorized access to vulnerable instances. CVE-2026-56164 enables attackers to send crafted network requests to access functions that should require authorization, leading to privilege escalation without prior authentication. Additionally, CVE-2026-55040 (CVSS score: 9.1) allows remote unauthenticated attackers to bypass authentication on a vulnerable SharePoint server, enabling unauthorized operations.