The Hacker News

Top story

Researcher Drops New Windows Zero-Day PoC Hours After Microsoft Patch Tuesday

Security researcher Chaotic Eclipse (aka Nightmare-Eclipse) has released a new proof-of-concept (PoC) exploit called LegacyHive. It has been described as a Windows User Profile Service arbitrary hive load elevation of privileges vulnerability. The Windows User Profile Service, also referred to as ProfSvc, is a core system component that manages user accounts and environments. "The PoC requires

Jul 15, 2026, 11:07 AMBy info@thehackernews.com (The Hacker News)6 min readcybersecurity
Researcher Drops New Windows Zero-Day PoC Hours After Microsoft Patch Tuesday

Security researcher Chaotic Eclipse (aka Nightmare-Eclipse ) has released a new proof-of-concept (PoC) exploit called LegacyHive. It has been described as a Windows User Profile Service arbitrary hive load elevation of privileges vulnerability.

The Windows User Profile Service, also referred to as ProfSvc, is a core system component that manages user accounts and environments. "The PoC requires another standard user credential and a third username (which can be an administrator account)," Chaotic Eclipse said .

"If the PoC is successful, it will end up mounting the target user hive in the current user classes root." The researcher said the exploit was stripped down to prevent public exploitation, adding the original exploit did not require additional user credentials and was not limited to the "usrclass. dat" hive.

"Any hive could be loaded using this vulnerability, but you would need some brain cells to make the PoC do it," the researcher noted. What makes it notable is that it's functional on all supported desktop and server versions of Windows, including those running the latest July 2026 Patch Tuesday update.

Chaotic Eclipse and Microsoft have been locked in a heated dispute since at least April 2026, with the researcher releasing details of multiple exploits before the Windows maker had a chance to patch them, citing a breakdown in communication.

Three of the vulnerabilities in Microsoft Defender came under active exploitation shortly after public disclosure. Earlier this month, the tech giant released security updates for another Defender vulnerability known as RoguePlanet that was disclosed by the researcher.

However, it emerged that the newly introduced "defense-in-depth updates" to address the flaw can cause Microsoft Defender to leak 8 bytes of data when attempting to open a file in certain scenarios. Microsoft told The Hacker News that it's investigating the new report.

When reached for comment, a Microsoft spokesperson said it's investigating the new vulnerability and that it's committed to updating impacted products to safeguard customers.

"Microsoft is aware of the reported vulnerability and is actively investigating the validity and potential applicability of these claims," the spokesperson said. "Microsoft is committed to investigating security issues and updating impacted products to protect customers as soon as possible.

Importantly, we support coordinated vulnerability disclosure , an industry standard that protects customers and supports the research community by ensuring their findings are thoroughly investigated and addressed before being made public."

The development comes as Microsoft shipped patches for a record 622 flaws , including two privilege escalation shortcomings in SharePoint Server (CVE-2026-56164, CVSS score: 5. 3) and Active Directory Federation Services (CVE-2026-56155, CVSS score: 7. 8) that have been flagged as actively exploited. The U. S.

Cybersecurity and Infrastructure Security Agency (CISA) has added both vulnerabilities to its Known Exploited Vulnerabilities ( KEV ) catalog, which mandates that Federal Civilian Executive Branch (FCEB) agencies apply the fixes by July 17 and July 28, 2026, respectively.

"After years of relative stability, the Patch Tuesday process has experienced significant turbulence so far in 2026," Adam Barnett, lead software engineer at Rapid7, said in a statement.

"As well as the AI-fuelled exponential growth of vulnerability reporting and discovery, Microsoft is grappling with the emergence of a series of vulnerabilities disclosed in such a way as to bring maximum discomfort for Redmond."

In a separate advisory, the agency said it's aware of active exploitation of multiple SharePoint Server flaws, including CVE-2026-32201 , CVE-2026-45659 , and CVE-2026-56164, that enable cyber threat actors to gain unauthorized access to susceptible instances.

"These vulnerabilities affect all supported on-premises SharePoint Server versions (Subscription Edition, 2019, and 2016) and involve establishing remote code execution (RCE) and post-exploitation activities, such as stealing Internet Information Services (IIS) machine keys and performing deserialization techniques, to gain persistence and deploy malware," CISA said.

"The flaw stems from missing authentication for a critical function, enabling an attacker to reach functionality that should require authorization," Alex Vovk, CEO and co-founder of Action1, said about CVE-2026-56164.

"An attacker can send specially crafted network requests to access functionality that should require authentication, resulting in privilege escalation. The vulnerability primarily impacts system integrity by allowing unauthorized actions without requiring prior authentication or user interaction.

Internet-facing SharePoint servers are particularly exposed because the attack can be performed remotely without valid credentials." It's worth noting that the July 2026 update also addresses another critical SharePoint Server security feature bypass vulnerability ( CVE-2026-55040 , CVSS score: 9.

1) that a remote unauthenticated attacker could exploit to bypass authentication on a vulnerable SharePoint server and perform operations as a SharePoint site user or administrator. "The vulnerability is due to several issues in the JWT token validation pipeline," Rapid7 said .

"An attacker who successfully exploits CVE-2026-55040 can perform operations against the target SharePoint site as the user they identify as. Furthermore, this authentication bypass can be chained to additional vulnerabilities within the authenticated attack surface of the target site."

In a post on Mastodon, researcher Kevin Beaumont said the LegacyHive exploit works and isn't patched. Security researcher Will Dormann said LegacyHive grants a non-admin user the ability to modify the classes registry hive of an administrator user, calling it a "pretty powerful primitive."

"For example, as a novelty, we can associate . txt files to open with calc. exe," the researcher added . "Clever attackers or people who want to accomplish something will easily be able to figure out how to do things that are more interesting and/or don't even require user interaction."

ThreatLocker said the PoC mounts a target user's UsrClass. dat hive with read access into another user account, which provides access to a wide range of application data, Windows Explorer history, and forensic artifacts.

"As addressed in the project README, the final impact of this PoC is not immediately exploitable and does not directly reveal password hashes or allow privileged code execution in itself, but it does highlight the vulnerability clearly: Path resolution through Object Manager can be abused to load administrator hives as a non-privileged user," the cybersecurity company said .

In a follow-up analysis, Cyderes Howler Cell described LegacyHive as an abuse of the profile loading logic that causes Windows to load an unintended UsrClass. dat hive into a different user's HKU\<SID>_Classes namespace.

It also pointed out that the released PoC requires valid credentials for a second local user and the username of a target account.

The entire sequence of actions undertaken by the PoC is as follows - "The technique chains three mechanisms: offline modification of a registry hive, Object Manager symbolic link redirection, and a synchronized profile load.

Together, they steer the profile load path to a hive the attacker controls," security researchers Reegun Jayapaul and Baskar M said . "The result is cross-user hive redirection. A target user's UsrClass.

dat ends up mounted inside a low-privileged user's registry namespace, giving that user access to registry data that should be out of reach."

With the release of LegacyHive, Chaotic Eclipse has released nine Windows exploits with no coordinated disclosure: BlueHammer, UnDefend, RedSun, RoguePlanet, YellowKey, GreatXML, GreenPlasma, and MiniPlasma. "NightmareEclipse has shipped nine t

Continue with the publisher

Read the original source after the immersive in-app article experience.

Read on source site
Loading...