Security researcher Chaotic Eclipse, also known as Nightmare-Eclipse, has unveiled a new proof-of-concept (PoC) exploit dubbed LegacyHive. This exploit highlights a vulnerability in the Windows User Profile Service, which is crucial for managing user accounts and environments within the operating system.
According to Chaotic Eclipse, the PoC requires the credentials of a standard user and a third username, which can be an administrator account. “If the PoC is successful, it will end up mounting the target user hive in the current user classes root,” the researcher explained. This stripped-down version of the exploit was designed to mitigate the risk of public exploitation, as the original iteration did not necessitate additional user credentials and was not confined to the “usrclass.dat” hive.
Notably, any hive could potentially be loaded using this vulnerability, though the researcher emphasized that it would require a certain level of expertise to execute the PoC effectively. The exploit is particularly significant as it functions across all supported desktop and server versions of Windows, including those updated with the latest July 2026 Patch Tuesday release.
Chaotic Eclipse’s ongoing conflict with Microsoft has been marked by a series of disclosures since April 2026, with the researcher revealing multiple exploits prior to their patching by the tech giant. This has led to a breakdown in communication, with three vulnerabilities in Microsoft Defender being actively exploited shortly after their public announcement.
Earlier this month, Microsoft addressed another vulnerability in Defender known as RoguePlanet, but subsequent reports indicated that the newly implemented “defense-in-depth updates” could inadvertently cause the software to leak data under specific conditions. Microsoft has acknowledged the issue and is currently investigating the findings related to LegacyHive.
SharePoint Server Flaws in Spotlight
In tandem with these developments, Microsoft has rolled out patches for an unprecedented 622 vulnerabilities, which include two privilege escalation flaws in SharePoint Server (CVE-2026-56164, CVSS score: 5.3) and Active Directory Federation Services (CVE-2026-56155, CVSS score: 7.8). Both vulnerabilities have been identified as actively exploited threats.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has included these vulnerabilities in its Known Exploited Vulnerabilities (KEV) catalog, mandating that Federal Civilian Executive Branch (FCEB) agencies implement the necessary fixes by July 17 and July 28, 2026, respectively.
Adam Barnett, lead software engineer at Rapid7, commented on the situation, stating, “After years of relative stability, the Patch Tuesday process has experienced significant turbulence so far in 2026.” He attributed this instability to the rapid increase in vulnerability reporting and the emergence of vulnerabilities disclosed in a manner that maximizes discomfort for Microsoft.
CISA has also noted active exploitation of several SharePoint Server vulnerabilities, including CVE-2026-32201, CVE-2026-45659, and CVE-2026-56164, which allow cyber threat actors to gain unauthorized access to vulnerable instances. These vulnerabilities affect all supported on-premises SharePoint Server versions, including Subscription Edition, 2019, and 2016, and involve remote code execution (RCE) and post-exploitation activities, such as stealing Internet Information Services (IIS) machine keys.
Alex Vovk, CEO and co-founder of Action1, provided insight into CVE-2026-56164, explaining that the flaw arises from missing authentication for a critical function. This vulnerability enables attackers to send specially crafted network requests to access functionalities that should require authorization, leading to privilege escalation without prior authentication or user interaction. Internet-facing SharePoint servers are particularly vulnerable, as the attack can be executed remotely without valid credentials.
Additionally, the July 2026 update addresses another critical SharePoint Server security feature bypass vulnerability (CVE-2026-55040, CVSS score: 9.1). This flaw allows a remote unauthenticated attacker to bypass authentication on a vulnerable SharePoint server, enabling them to perform operations as a SharePoint site user or administrator. Rapid7 noted that this vulnerability is linked to several issues in the JWT token validation pipeline, allowing attackers to exploit it and chain it with other vulnerabilities within the authenticated attack surface of the target site.