Full Report
Security researcher Chaotic Eclipse (aka Nightmare-Eclipse) has released a new proof-of-concept (PoC) exploit called LegacyHive. It has been described as a Windows User Profile Service arbitrary hive load elevation of privileges vulnerability. The Windows User Profile Service, also referred to as ProfSvc, is a core system component that manages user accounts and environments. "The PoC requires
Analysis Summary
Based on the article provided, here is the summary of the vulnerability information.
# Vulnerability: LegacyHive - Windows User Profile Service Arbitrary Hive Load
## CVE Details
* **CVE ID:** Not yet assigned (Identified as a Zero-Day at the time of the report).
* **CVSS Score:** N/A (Severity is high due to Elevation of Privilege capabilities).
* **CWE:** Likely CWE-284: Improper Access Control or CWE-269: Improper Privilege Management.
## Affected Systems
* **Products:** Microsoft Windows.
* **Versions:** All supported desktop and server versions of Windows (including those with the July 2026 updates).
* **Configurations:** Systems running the Windows User Profile Service (ProfSvc).
## Vulnerability Description
The vulnerability, dubbed **LegacyHive**, exists in the Windows User Profile Service (ProfSvc), a core component responsible for managing user environments. The flaw allows for an arbitrary hive load, enabling a user to mount a target user's registry hive into the current user’s `Classes Root`. This bypasses standard isolation between user profiles and can be used to escalate privileges or access sensitive data belonging to other accounts.
## Exploitation
* **Status:** Proof-of-Concept (PoC) available.
* **Complexity:** Medium (The public PoC requires existing standard user credentials and a third target username).
* **Attack Vector:** Local (Requires the ability to execute code on the target system).
## Impact
* **Confidentiality:** High (Ability to read sensitive registry data from other users, including administrators).
* **Integrity:** High (Potential to modify registry settings depending on how the hive is mounted/accessed).
* **Availability:** Low (Primary impact is information disclosure and privilege escalation).
## Remediation
### Patches
* **None currently available.** The researcher noted that the vulnerability remains functional even on systems fully patched as of the July 2026 Patch Tuesday. Users should monitor Microsoft’s official security advisories for an upcoming out-of-band patch or the August update cycle.
### Workarounds
* **Strict Access Control:** Limit the ability of standard users to run arbitrary executables where possible.
* **Principle of Least Privilege:** Ensure that users do not have access to shared credentials that could be used as a secondary factor for the current PoC requirements.
## Detection
* **Indicators of Compromise:** Unusual mounting of registry hives (specifically `UsrClass.dat`) under unauthorized user SID paths in the registry.
* **Detection Methods:** Monitor for suspicious activity originating from the User Profile Service (`ProfSvc.dll` hosted in `svchost.exe`). Audit registry mount events and the creation of unexpected symbolic links in the `\Registry\User` path.
## References
* [hxxps://blog.projectnightcrawler[.]dev/posts/2026-07-14-legacyhive-public-disclosure/]
* [hxxps://thehackernews[.]com/2026/07/researcher-drops-new-windows-zero-day.html]
* [hxxps://git.projectnightcrawler[.]dev/NightmareEclipse/LegacyHive]