LegacyHive: Chaotic Eclipse's fourth Windows zero-day
Researcher 'Chaotic Eclipse' released LegacyHive, a Windows User Profile Service arbitrary-hive-load LPE PoC, hours after July Patch Tuesday. Unpatched.
PoC public. Unpatched. Researcher Chaotic Eclipse (aka Nightmare-Eclipse) released a proof-of-concept called LegacyHive on 2026-07-15, targeting an arbitrary-hive-load local privilege escalation in the Windows User Profile Service (ProfSvc), per The Hacker News. Timing is deliberate — hours after Microsoft’s July Patch Tuesday, the same protest-drop cadence this actor used in April with BlueHammer, RedSun, and UnDefend. Unconfirmed at time of writing: any CVE ID, any MSRC advisory, any observed exploitation in the wild.
Timeline
- 2026-07-14 — Microsoft ships July 2026 Patch Tuesday. 570 CVEs across the release; ProfSvc is not among them.
- 2026-07-15 — Chaotic Eclipse publishes the LegacyHive PoC, per The Hacker News. Windows User Profile Service is characterized as the target; the vulnerability class is arbitrary hive load leading to elevation of privilege.
- Status now — no vendor patch, no CVE assignment we can source, no KEV entry. Confirmed that PoC code is public. Unconfirmed whether the flaw is being exploited in the wild.
What it is, at class level
The Windows User Profile Service loads and manages per-user registry hives at logon. Arbitrary-hive-load bugs in that surface are a well-worn LPE class — an authorized local user tricks a privileged service into loading a hive they control, and gets code execution in the service’s context. This description is deliberately abstract. We do not reproduce the PoC’s mechanics. The primary source has them if you need the depth; go read the vendor advisory when Microsoft publishes one.
What matters operationally: this is local, not remote. An attacker needs an unprivileged foothold on the box first. LPE is a second stage — pair it with initial-access telemetry, not with your perimeter.
Pattern recognition
This is the fourth Chaotic Eclipse zero-day drop we’re tracking:
- BlueHammer — Defender LPE, patched April 2026 as CVE-2026-33825, added to CISA KEV on 2026-04-22, confirmed weaponized in ransomware in July.
- RedSun — Defender LPE, disclosed alongside BlueHammer. Status unconfirmed at last check; verify against MSRC directly.
- UnDefend — Defender definition-update DoS, disclosed alongside BlueHammer. Status unconfirmed at last check; verify against MSRC directly.
- LegacyHive — ProfSvc LPE, disclosed 2026-07-15. Unpatched.
Each of the first three was a protest disclosure aimed at Microsoft’s coordination process. LegacyHive lands in the same pattern — Patch Tuesday ships, PoC drops hours later, no MSRC coordination visible. BlueHammer went from public disclosure to ransomware weaponization inside three months. Same runway is available here.
What to do
- Assume PoC-driven exploitation attempts inside a short window. LegacyHive is a name attackers can search for. Watch for it in your endpoint telemetry and threat feeds.
- Do not deploy the PoC internally as a “test.” LPE PoCs weaponize as easily against your own users as against a lab image. Wait for a vendor patch or a defender-side detection from a security vendor you already trust.
- Watch MSRC daily for a ProfSvc / User Profile Service advisory. If Microsoft assigns a CVE and issues out-of-band, treat it as a real deadline, not a Patch Tuesday item.
- Assume RedSun and UnDefend are still relevant until MSRC confirms otherwise. Same actor, same pattern.
Watching for
- MSRC advisory with a CVE ID for the ProfSvc arbitrary-hive-load flaw. Unconfirmed as of writing.
- CISA KEV entry, once (and if) a CVE ID exists. Unconfirmed.
- Detection signatures from EDR vendors (Huntress, CrowdStrike, SentinelOne) for the LegacyHive PoC or its variants. Unconfirmed.
- Any report of exploitation in the wild. Unconfirmed.
Sourcing
- The Hacker News (2026-07-15): Researcher Drops New Windows Zero-Day PoC Hours After Microsoft Patch Tuesday
- Microsoft Security Response Center: msrc.microsoft.com — check for ProfSvc / User Profile Service advisories
- CISA Known Exploited Vulnerabilities catalog: cisa.gov/known-exploited-vulnerabilities-catalog
- Prior coverage: BlueHammer Defender LPE now used in ransomware, Microsoft July Patch Tuesday: 570 CVEs, 3 zero-days
- [ HIGH ] CVE-2026-33825 Microsoft Defender Antimalware Platform Local Privilege Escalation (BlueHammer)
Found this useful? Share it.


