LegacyHive: unpatched Windows LPE zero-day, PoC public
Researcher Nightmare Eclipse dropped LegacyHive — an unpatched Windows User Profile Service LPE — hours after July Patch Tuesday. No CVE, PoC on GitHub.
Confirmed: a researcher operating under the Nightmare Eclipse handle released a Windows local-privilege-escalation zero-day dubbed LegacyHive on July 17, 2026 — hours after Microsoft shipped its July Patch Tuesday, which included three zero-days but not this one. No CVE assigned. No vendor fix. Public proof-of-concept on GitHub. Confidence on the release, the target, and the mechanism below: as-reported by BleepingComputer, corroborated by Kevin Beaumont.
What is confirmed
- Vulnerability class: local privilege escalation via the Windows User Profile Service.
- Mechanism: the exploit abuses how the service handles the per-user classes registry hive — usrclass.dat — and, per the researcher’s own description quoted in the writeup, ends up “mounting the target user hive in current user classes root.” From that primitive the attacker can plant registry state that runs as the target account when it next logs in — automatic code execution when an admin logs into a compromised system.
- Preconditions: the attacker needs an existing standard-user session on the box plus a second standard-user credential and a third username (which can be an administrator’s). This is not a remote unauthenticated flaw. It is a foothold escalator — the kind that turns commodity malware or a phished workstation into SYSTEM.
- Impact on fully patched systems: confirmed against up-to-date Windows builds. The Patch Tuesday cycle that shipped hours earlier did not close it.
- PoC state: public on GitHub. The researcher describes it as “stripped down as an attempt to prevent public exploitation,” and Kevin Beaumont has independently confirmed the exploit is functional.
- Detection: Beaumont has published Microsoft Defender for Endpoint advanced-hunting queries covering the abuse pattern. Defenders running MDE should ingest those before end of day.
What is not confirmed
- CVE assignment. None yet. BleepingComputer’s line: the flaw “has yet to receive a CVE ID for easier tracking.” Track this piece against the researcher name until Microsoft or MITRE issues one.
- In-the-wild exploitation. No telemetry of active use in criminal or state campaigns has been published as of this filing. Unconfirmed — treat accordingly. A public PoC dropped hours after a patch window is the setup for exploitation to appear, not proof it has.
- Microsoft’s timeline. The company has not commented publicly on when — or whether — a fix ships out-of-band. The next scheduled Patch Tuesday is August 11, 2026. Whether LegacyHive holds until then or forces an out-of-band update is Microsoft’s call, and Microsoft has not made it in public yet.
- Affected Windows versions in detail. The disclosure names “up-to-date Windows” without a specific build matrix. Whether Server 2025, Server 2022, Windows 11 24H2, and Windows 10 22H2 ESU are all affected identically is not specified in the public writeup. Assume yes until Microsoft says otherwise; that is a defensive posture, not a confirmed claim.
Why the timing matters
Dropping a zero-day PoC in the hours after a vendor’s monthly patch window is a specific choice. It maximizes the window before a fix ships — 28 days minimum, until the August 11 Patch Tuesday, assuming no out-of-band release. That window is how these things get monetized: commodity loader authors bolt an LPE onto their existing initial-access primitives, and the pattern repeats until Microsoft ships.
The same pattern ran twice already this month on the Microsoft stack — the SharePoint CVE-2026-58644 deserialization RCE and the Rapid7 SharePoint JWT auth-bypass chain. Different products, same principle: a public technical write-up plus a working primitive is the starting gun.
What defenders can do without a patch
- Ingest the Kevin Beaumont MDE hunting queries. They cover the specific hive-mount abuse pattern the exploit relies on. This is the near-term detection story until Microsoft ships.
- Assume standard-user compromise means SYSTEM. LegacyHive turns a non-admin foothold into full-machine code execution the next time an admin logs in. Where standard users share hosts with admin accounts — jump boxes, help-desk shared workstations, DevOps utility boxes — treat the trust model as broken until patched.
- Do not lean on “the account is not admin.” For the class of intrusion this belongs to, that is no longer a control.
- Track this thread through the August 11 Patch Tuesday. If a fix ships out-of-band before then, it means Microsoft is seeing exploitation. If it holds to August, it means Microsoft is not — yet.
This piece will be updated when Microsoft comments publicly, when a CVE is assigned, or when in-the-wild exploitation is confirmed by a named vendor.
Sources
- BleepingComputer: New Windows LegacyHive zero-day exploit grants hackers admin access — July 17, 2026.
- Microsoft July 2026 Patch Tuesday coverage: Microsoft July Patch Tuesday: 570 CVEs, 3 zero-days out — no fix for LegacyHive in this cycle.
Confidence: mechanism and PoC availability as-reported and independently corroborated. In-the-wild exploitation: unconfirmed. CVE assignment: pending.
Found this useful? Share it.


