Jul 18, 2026
Policy

New Windows zero-day targets user registry hives after Patch Tuesday

NightmareEclipse published partial LegacyHive exploit code after Microsoft’s July patches, but researchers say the release stops short of full compromise.

Renata Fuchs

By Renata Fuchs · Policy Reporter

· 3 min read

New Windows zero-day targets user registry hives after Patch Tuesday
Photo: The Register

A vulnerability hunter known as NightmareEclipse has published details and partial proof-of-concept code for a new Windows local privilege escalation flaw called LegacyHive. The release matters because it landed just after Microsoft’s July Patch Tuesday, and researchers told The Register that capable attackers may be able to turn the limited code into a more useful exploit.

LegacyHive targets Windows user hives, the parts of the Registry that hold per-user desktop settings, application preferences and environment configuration. According to the published proof of concept, the weakness sits in profsvc, the Windows User Profile Service, and in the way it loads hives. If exploited, it could allow a regular user to mount another user’s hive, including an administrator’s, with privileged read-write access.

The issue is a local privilege escalation, so it does not give an outside attacker initial access by itself. Matei Badanoiu, lead security researcher at Pentest-Tools.com, told The Register the released code is useful mainly after an attacker already has a position on a machine.

“What caught my attention is the difference between what the public proof of concept actually demonstrates and what a full compromise would require,” Badanoiu said. He described LegacyHive as an abuse of arbitrary registry hive loading, allowing a standard user to mount another user’s hive into their own classes root. He added that packaging the technique with credential theft and persistence as a full compromise is “more of an ambition than the released code.”

The public release is more restrained than some earlier NightmareEclipse disclosures. The Register reported that the published proof of concept needs additional user credentials and is limited to the usrclass.dat hive. NightmareEclipse claimed an earlier version did not need extra credentials and worked beyond usrclass.dat, but did not publish that version.

That restraint does not remove the operational risk. Badanoiu noted that earlier NightmareEclipse releases, including BlueHammer and RedSun, moved from proof of concept to broad exploitation within days. LegacyHive currently has no CVE identifier and no complete working exploit in public, according to The Register.

Dray Agha, senior manager of security operations at Huntress, said security teams should still treat the release with urgency. Huntress has seen prior NightmareEclipse local privilege escalation and defense evasion tools adopted quickly by threat actors and ransomware groups after publication, Agha told The Register. He said capable actors are likely to reconstruct missing pieces from the LegacyHive proof of concept and build weaponized versions.

The timing increases pressure on Microsoft. NightmareEclipse published LegacyHive shortly after the company’s July Patch Tuesday, which included 622 fixes. Agha said that timing extends the likely exposure window before Microsoft can prepare and ship a patch. NightmareEclipse claimed the issue affects Windows machines fully updated with July’s fixes.

Microsoft told The Register it is “aware of the reported vulnerability and is actively investigating the validity and potential applicability of these claims.” The company said it supports coordinated vulnerability disclosure and is committed to updating affected products to protect customers as soon as possible. Microsoft did not say whether it will issue a fix before August’s scheduled updates.

The company recently issued a quiet mitigation for RoguePlanet, another zero-day previously associated with NightmareEclipse, but did not provide details on what changed.

This story draws on original reporting from The Register.

More from Policy

All Policy →