LegacyHive Windows zero-day gives local users SYSTEM privileges
Researchers known as Nightmare Eclipse or Chaotic Eclipse publicly released LegacyHive, a proof-of-concept exploit for a Windows privilege-escalation flaw affecting the User Profile Service. The technique lets a standard local user mount another user's registry hive, including an administrator's, into their own context and escalate to SYSTEM on fully patched systems. Multiple writeups and detection guides confirmed that the issue affects current Windows desktop and server versions and that the public proof of concept was deliberately timed around July 2026 Patch Tuesday. This matters because it gives attackers a practical post-exploitation path that bypasses the normal trust boundaries between users on the same system. The exploit is especially concerning in multi-user environments, terminal servers, and any endpoint where local privilege escalation can lead to rapid lateral movement. Defenders responded quickly with hunting queries and telemetry guidance, showing how fast a new Windows LPE can become operationally relevant.
Sources
- Chaotic Eclipse Unveils LegacyHive Exploit Affecting Fully Patched Windows Systems — Security Affairs
- LegacyHive: Unpatched Windows Privilege Escalation Exploit Publicly Disclosed — Vulnerability – InfoTech News
- LegacyHive Windows user profile service arbitrary hive load elevation of privileges vulnerability — /r/cybersecurity
- KQL Queries for new Chaotic Eclipse Zero day 'Legacy Hive' — /r/cybersecurity


Leave a Reply