New Windows LegacyHive zero-day gives hackers admin privileges
A security researcher has released a Windows zero-day exploit dubbed LegacyHive that allows attackers to escalate privileges on up-to-date Windows systems. The exploit abuses a security vulnerability in the Windows User Profile Service, which has yet to receive a CVE ID f…
Intelligence analysis by Llama

A security researcher has released a Windows zero-day exploit that allows attackers to escalate privileges on up-to-date Windows systems. The exploit requires additional credentials and has been modified to prevent public exploitation.
Imagine you have a super powerful tool that can help you do things on a computer that you're not supposed to do. A security researcher has released a tool like this, called LegacyHive, that can help hackers get admin privileges on Windows computers. This means they can do things like steal data or install malware. The good news is that the researcher has made it harder for hackers to use this tool, but it's still a big problem that needs to be fixed.
Analysis
A New Windows Zero-Day Exploit Emerges
A security researcher using the handle Nightmare Eclipse has released a Windows zero-day exploit dubbed LegacyHive that allows attackers to escalate privileges on up-to-date Windows systems. The exploit abuses a security vulnerability in the Windows User Profile Service, which has yet to receive a CVE ID for easier tracking.
Unlike previous exploits released by Nightmare Eclipse, the LegacyHive PoC has been modified to require additional credentials, making it harder for attackers to weaponize the vulnerability. The PoC requires another standard user credentials and a third username (which can be an administrator account), if the PoC is successful, it will end up mounting the target user hive in current user classes root.
As Will Dormann, principal vulnerability analyst at Tharros, explained after testing the LegacyHive exploit, successful exploitation would allow non-admin users to modify the classes registry hive and gain automatic code execution when the admin account logs into a compromised system. Dormann noted that clever attackers or people who want to accomplish something will easily be able to figure out how to do things that are more interesting and/or don't even require user interaction.
The Implications of LegacyHive
The LegacyHive exploit has significant implications for Windows users, particularly those who use up-to-date systems. The exploit allows attackers to gain admin privileges, which could lead to a range of malicious activities, including data theft, ransomware attacks, and other types of cyber threats.
Microsoft is aware of the reported vulnerability and is actively investigating the validity and potential applicability of these claims. Microsoft is committed to investigating security issues and updating impacted products to protect customers as soon as possible.
The Road Ahead
In recent months, Nightmare Eclipse has disclosed zero-day exploits for multiple Windows vulnerabilities in Microsoft Defender, BitLocker, and various Windows components. Microsoft fixed the GreenPlasma, MiniPlasma, and YellowKey flaws last month as part of the June 2026 Patch Tuesday updates and the RoguePlanet vulnerability in the July security updates.
Microsoft responded to Nightmare Eclipse's disclosures with warnings of legal action against people engaging in 'malicious activity causing real harm to our customers,' prompting cybersecurity experts to believe the company was directly threatening the security researcher.
Key points
- A security researcher has released a Windows zero-day exploit dubbed LegacyHive that allows attackers to escalate privileges on up-to-date Windows systems.
- The exploit abuses a security vulnerability in the Windows User Profile Service, which has yet to receive a CVE ID for easier tracking.
- The PoC requires additional credentials and has been modified to prevent public exploitation.
- Successful exploitation would allow non-admin users to modify the classes registry hive and gain automatic code execution when the admin account logs into a compromised system.
- Microsoft is aware of the reported vulnerability and is actively investigating the validity and potential applicability of these claims.
If this development plays out positively, Microsoft may be able to fix the vulnerability quickly and prevent hackers from exploiting it. This could lead to a safer Windows environment for users.
If the vulnerability is not fixed quickly, hackers may be able to exploit it and gain admin privileges on Windows computers. This could lead to a range of malicious activities, including data theft and ransomware attacks.



