In a notable development within the cybersecurity landscape, the security researcher known as Nightmare Eclipse has once again made headlines by unveiling a new unpatched vulnerability in Windows. This release coincided with Microsoft’s July 2026 Patch Tuesday, further intensifying scrutiny on the tech giant’s security measures.
LegacyHive: A New Threat Emerges
The newly identified exploit, dubbed LegacyHive, is characterized as a local privilege escalation vulnerability residing in the Windows User Profile Service. This flaw enables an attacker to access and load the user hives of other accounts, including those belonging to administrators, thereby posing a significant risk to system integrity.
Nightmare Eclipse, who is also referred to as Chaotic Eclipse, has provided proof-of-concept (PoC) exploit code that is functional on systems equipped with Microsoft’s latest July 2026 patches. The researcher elaborated on the mechanics of the PoC, stating, “The PoC requires another standard user’s credentials and a third username, which can be an administrator account. If successful, it will mount the target user hive in the current user class root.”
In a strategic move, LegacyHive was released with a simplified PoC, designed to mitigate the risk of the vulnerability being exploited in the wild. The researcher noted that the initial version of the exploit did not necessitate user credentials, allowing for any hive to be loaded, not just the usrclass.dat hive. However, accessing other hives now demands additional effort.
To date, Nightmare Eclipse has disclosed over half a dozen zero-day vulnerabilities affecting Microsoft products, including notable exploits such as BlueHammer, RedSun, and UnDefend. These vulnerabilities have been linked to various cyberattacks, alongside others like GreenPlasma, RoguePlanet, YellowKey, and GreatXML.
As of now, Microsoft has not publicly acknowledged the LegacyHive exploit. Inquiries have been directed to the company for a statement, and updates will follow pending their response.
- Related: Unpatched Cursor Vulnerability Exposes Users to Code Execution
- Related: CISA Urges Immediate Patching of Exploited SharePoint Vulnerabilities
- Related: Windows Bind Link Attacks Can Hide Malware From EDR Tools
- Related: Progress Confirms Zero-Day Vulnerability Behind ShareFile Disruption