Critical Windows 10, 11, and Server Zero-Day: ‘LegacyHive’ Exploit Enables Privilege Escalation via User Profile Service Vulnerability – Rescana
Executive Summary
On July 15, 2026, the security researcher known as Nightmare Eclipse (also referred to as Chaotic Eclipse) publicly released a proof-of-concept (PoC) exploit named LegacyHive, targeting a previously unknown Windows zero-day vulnerability. This vulnerability resides in the Windows User Profile Service (ProfSvc) and enables arbitrary registry hive loading, which can facilitate privilege escalation and unauthorized cross-user data access. Critically, this flaw affects all supported versions of Windows 10, Windows 11, and Windows Server (2016, 2019, and 2022), including those fully patched as of the July 2026 Patch Tuesday. The exploit was released mere hours after Microsoft’s monthly security updates, which addressed over 600 CVEs, and has been independently verified to function on fully patched systems. While the released PoC is intentionally limited, it demonstrates a dangerous primitive that could be weaponized for more severe attacks, including privilege escalation and persistent compromise.
Threat Actor Profile
Nightmare Eclipse is a pseudonymous security researcher with a history of high-impact vulnerability disclosures, often focusing on Windows internals and privilege escalation primitives. The actor is known for releasing detailed technical write-ups and PoCs, sometimes in response to perceived delays or inadequacies in vendor patching processes. The release of LegacyHive follows a pattern of public disclosure after unsuccessful or slow vendor engagement, and the actor has previously demonstrated advanced knowledge of Windows kernel and object manager internals. There is no evidence linking Nightmare Eclipse to any known APT group or criminal organization; the motivation appears to be a combination of responsible disclosure advocacy and technical challenge. However, the sophistication of the exploit and the timing of its release (immediately after Patch Tuesday) suggest a deep understanding of both Windows architecture and the vulnerability disclosure ecosystem.
Technical Analysis of Malware/TTPs
The LegacyHive exploit leverages a logic flaw in the Windows User Profile Service (ProfSvc), specifically in the way Windows loads user registry hives during logon. The attack requires credentials for a secondary standard user and a target username (which can be an administrator). The exploit proceeds as follows: first, a temporary directory with a permissive discretionary access control list (DACL) is created under C:\, containing modified copies of ntuser.dat and UsrClass.dat. Using the undocumented APIs NtCreateSymbolicLinkObject and NtCreateDirectoryObjectEx, the attacker creates NT Object Manager directory objects and symbolic links to redirect registry hive loading. The secondary user’s ntuser.dat is then modified to change the HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData value, pointing it to the crafted object manager path. When the secondary user logs in, Windows attempts to load UsrClass.dat from the redirected path, which is manipulated to point to the target user’s hive. An opportunistic lock (oplock) is placed on the decoy hive to pause loading, allowing the exploit to switch symbolic links and ultimately mount the target user’s hive in the attacker’s context.
The impact of this primitive is significant. It allows a non-privileged user to mount and read another user’s (including administrator’s) UsrClass.dat hive, exposing sensitive application data, Windows Explorer history, and forensic artifacts. While the PoC does not directly enable code execution or password hash theft, it provides a powerful foundation for further exploitation, such as manipulating file associations or registry settings for privilege escalation. Attackers could also use this technique to persistently alter user environments or escalate privileges with further development.
Key technical indicators include the use of abnormal Win32 API calls (NtCreateDirectoryObjectEx, NtCreateSymbolicLinkObject, CreateProcessWithLogonW, LogonUser, ImpersonateLoggedOnUser, RegOpenUserClassesRoot, OROpenHiveByHandle, OROpenKey, ORSetValue, ORSaveHive), and the creation of GUID-named folders under C:\ for staging. Notable registry strings include Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders and object manager paths such as \\.\globalroot\BaseNamedObjects\Restricted.
Exploitation in the Wild
As of this report, there is no evidence of widespread exploitation of LegacyHive in the wild. However, the PoC has been independently verified by multiple security researchers to work on fully patched systems. The exploit is not mitigated by any current Microsoft update, and no CVE has been assigned as of July 2026. The PoC is intentionally limited to prevent immediate weaponization, but researchers note that attackers with moderate skill could adapt it for broader registry hive access and more impactful attacks. The primitive is considered highly dangerous and is likely to be adopted by advanced persistent threat (APT) actors and ransomware operators if not promptly addressed. The exploit is particularly attractive for threat actors targeting enterprise, government, and critical infrastructure sectors globally, due to its ability to bypass privilege boundaries on fully patched Windows systems.
Victimology and Targeting
No specific APT group attribution or sector/country targeting has been reported as of July 2026. The exploit’s design and public release make it a high-value tool for any threat actor seeking privilege escalation or lateral movement within Windows environments. The affected products include all supported versions of Windows 10, Windows 11, and Windows Server (2016, 2019, and 2022), with exploitation reportedly less reliable on server editions but plausible with adaptation. Organizations with multi-user Windows systems, especially those with shared or remote desktop environments, are at elevated risk. The exploit’s requirement for secondary user credentials may limit opportunistic attacks but does not preclude use in targeted intrusions where credential theft or social engineering has already occurred.
Mitigation and Countermeasures
Immediate mitigation is challenging due to the lack of an official patch from Microsoft. Organizations should increase monitoring and auditing of user hive files and registry activity. Specifically, monitor for standard-user processes writing to another user’s hive, processes other than normal Windows profile components replacing ntuser.dat, and UsrClass.dat copied outside the user-profile directory. Watch for hive files created in C:\, %TEMP%, %ProgramData%, or other unexpected locations, and for hive files being replaced and restored within seconds. Audit write, delete, permission changes, ownership changes, file replacement, and cross-user access on C:\Users\*\ntuser.dat and C:\Users\*\AppData\Local\Microsoft\Windows\UsrClass.dat.
Relevant Windows Security Event IDs include 4648 (explicit credentials used), 4624 (successful logon), 4688 (process creation), 4663 (object access), and 4657 (registry value modified). Security teams should also look for the presence of notable strings and abnormal API calls as described above. Until a patch is available, consider restricting the use of secondary user accounts on sensitive systems and increasing user awareness regarding credential security. Microsoft is aware of the issue and is investigating; organizations should stay alert for updates and advisories from Microsoft.
References
About Rescana
Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to continuously monitor, assess, and mitigate cyber risks across their extended supply chain. Our advanced threat intelligence and automation capabilities empower security teams to proactively identify vulnerabilities, streamline vendor risk assessments, and ensure compliance with evolving regulatory requirements. For more information about how Rescana can help your organization strengthen its cyber resilience, please contact us at info@rescana.com.