Windows LegacyHive Zero‑Day Exploit

Overview

A security researcher known as Nightmare Eclipse has released a proof‑of‑concept (PoC) exploit for a new Windows zero‑day vulnerability dubbed LegacyHive. The flaw affects the Windows User Profile Service and allows attackers to escalate privileges on fully up‑to‑date systems.

How LegacyHive Works

  • The exploit abuses how Windows mounts user registry hives.
  • PoC requirements: it needs credentials for a standard user and a third username (potentially an admin account).
  • If successful, the exploit mounts the target user hive into the current user’s classes root.
  • This enables attackers to modify registry hives and achieve automatic code execution when the admin account logs in.

Security analyst Will Dormann demonstrated that attackers could, for example, associate .txt files to open with calc.exe. More sophisticated attackers could weaponize this for stealthy persistence or privilege escalation without user interaction.

Detection & Confirmation

  • Kevin Beaumont confirmed the exploit works and published detection queries for Microsoft Defender for Endpoint (MDE).
  • Indicators include unusual registry hive modifications and suspicious file associations.

Researcher Background

Nightmare Eclipse has previously disclosed multiple Windows zero‑day exploits, including:

  • RoguePlanet
  • BlueHammer
  • RedSun
  • YellowKey
  • GreenPlasma
  • MiniPlasma
  • UnDefend

Microsoft patched GreenPlasma, MiniPlasma, and YellowKey in June 2026, and RoguePlanet in July’s Patch Tuesday updates.

Microsoft’s Response

Microsoft has warned of potential legal action against individuals engaging in malicious activity that harms customers. Experts believe this statement was directed at Nightmare Eclipse, given the researcher’s repeated public disclosures of unpatched zero‑days.

Defensive Guidance

Until Microsoft issues an official patch and CVE ID:

  • Monitor registry hive activity for unusual modifications.
  • Deploy MDE detection queries to identify exploitation attempts.
  • Restrict standard user privileges to reduce exposure.
  • Educate administrators about the risks of privilege escalation via registry manipulation.

Expert in the Cloud Insight

LegacyHive highlights the fragility of registry‑based privilege boundaries in Windows. Even with added credential requirements, the exploit demonstrates how attackers can chain simple misconfigurations into full admin compromise. For defenders, the lesson is clear: monitor registry activity, apply detection rules, and prepare for rapid patch deployment once Microsoft issues a fix.

Be the first to comment

Leave a Reply

Your email address will not be published.


*


This site uses Akismet to reduce spam. Learn how your comment data is processed.