Researcher Drops 9th Windows Zero-Day

Governance & Risk Management
,
Patch Management

LegacyHive Is a Local Privilege Escalation Bug

Researcher Drops 9th Windows Zero-Day
Image: Shutterstock

The vulnerability hunter in a feud with Microsoft released yet another Windows zero-day Tuesday as promised, though the touted “bone-shattering” disclosure was stripped down to prevent public exploitation.

See Also: The End of Plausible Deniability: Data Privacy Compliance in 2026

The local privilege escalation flaw, dubbed LegacyHive by researcher NightmareEclipse, could allow a non-privileged user to modify other users’ login-specific desktop settings, application preferences and environment configurations by exploiting the Windows user profile services registry hives.

It is the ninth vulnerability the disgruntled researcher has released in three months. It landed hours after Microsoft’s July Patch Tuesday, where the company disclosed 622 CVEs, more than tripling the previous record set in June.

“Publishing after Patch Tuesday widens the period before a fix may arrive, while withholding parts of the exploit only delays weaponization by capable attackers,” said Jason Soroko, senior fellow at certificate management firm Sectigo.

The crux of the vulnerability is a race condition in profile loading that could allow an attacker to load a targeted user’s hive, such as an administrator’s, into a threat actor-controlled context, said Mayuresh Dani, researcher at security firm Qualys.

Unlike previous releases, NightmareEclipse published a censored version of the proof-of-concept. “The PoC was stripped down as an attempt to prevent public exploitation, the original PoC did not require additional user credential and was not limited to usrclass.dat hive, any hive could be loaded using this vulnerability but you would need some brain cells to make the PoC do it,” NightmareEclipse said on GitHub.

“In its current state the PoC edits the hive offline and swaps the file on disk,” Dani said. “It does not modify the live registry through the normal APIs.”

Privilege escalation is rarely the end goal but rather a stepping stone to subsequent attacks.

“The released PoC requires an existing foothold and added credentials, but access to another user’s registry hive could support credential theft, persistence, or a broader attack chain,” Soroko said. “Its value lies in what an attacker can build around it, not what the published code does alone.”

The fallout between the researcher and Microsoft has introduced many risks. NightmareEclipse’s previous disclosures – RedSun, UnDefend, BlueHammer, YellowKey, GreenPlasma, MiniPlasma, GreatXML and RoguePlanet – all came with full-fledged PoC, many resulting in active exploitation before Microsoft could remediate.

Microsoft’s Patch Tuesday this month includes fixes for three zero-days, one of which possibly addresses a vulnerability NightmareEclipse disclosed on June 10, a day after Patch Tuesday in June, said Adam Barnett, software engineer at security firm Rapid7.

Although Microsoft attributed the patch to an anonymous source for Windows BitLocker Security Feature Bypass Vulnerability, CVE-2026-50661, the fix seems to remediate GreatXML, Barnett said.

So far, there is no CVE or patch for the newly disclosed vulnerability. Given the researcher’s track record of releasing PoCs that lead to exploitation, organizations should hunt for signs of abuse rather than wait for a patch, said Bradley Smith, deputy CISO at identity security provider BeyondTrust.

“It is observable if you are watching: unexpected hive loads, symbolic-link redirection in the object namespace, oplock activity during profile initialization,” Smith said.

Similar Posts

Leave a Reply

Your email address will not be published. Required fields are marked *