Hours after Microsoft closed out its record-breaking July 2026 Patch Tuesday, the researcher operating as Nightmare Eclipse (also tracked as Chaotic Eclipse) published LegacyHive, a working proof-of-concept against the Windows User Profile Service (ProfSvc). The PoC lets a standard, unprivileged user mount another local account’s registry hive — including an administrator’s — into their own logon session. It runs against every currently supported Windows desktop and server release, including systems fully patched through the July 2026 cumulative update. There is no CVE, no Microsoft advisory, and no fix.
This is the researcher’s seventh public zero-day PoC since April 2026, part of an openly adversarial campaign against Microsoft’s vulnerability-disclosure and bug-bounty handling. Previous drops from the same actor — BlueHammer, RedSun, UnDefend, YellowKey, GreenPlasma, MiniPlasma, and RoguePlanet — targeted Windows Defender’s Malware Protection Engine; LegacyHive is the first from this campaign to hit a different subsystem entirely, and several of the earlier releases were confirmed exploited in the wild within 24 hours of publication.
How it works
ProfSvc is responsible for loading and unloading user registry hives (NTUSER.DAT, UsrClass.dat) as accounts log on and off. LegacyHive abuses CreateProcessWithLogonW with dwLogonFlags set to LOGON_WITH_PROFILE: the call authenticates a second, attacker-supplied set of credentials, and Windows dutifully loads that account’s hives into the resulting logon context. The exploit binary captures the target’s ntuser.dat into memory as it loads, then works to persist and read that hive data — including an administrator’s — from within the low-privileged attacker session.
The published PoC requires a second set of valid credentials (which can belong to any account, including an admin) and is currently scoped to UsrClass.dat only. The researcher has stated the original, non-public version of the exploit needed no secondary credentials and was not limited to a single hive file — meaning the released code is a deliberately weakened demonstration, not the full capability.
Impact
Even in its stripped-down public form, LegacyHive exposes another user’s UsrClass.dat — COM/shell class registrations, Explorer and shell-extension history, recently-run application data, and other artifacts that routinely leak credentials, file paths, and forensic detail. Against an administrator or service account, that disclosure is a stepping stone to further privilege escalation on a box the attacker already has a foothold on. Because the underlying primitive is arbitrary hive loading via a documented Win32 API rather than a memory-corruption bug, it doesn’t trip the usual exploit-mitigation tooling (CFG, ASLR, etc.) and isn’t addressed by any existing July 2026 patch.
Any environment where multiple standard users share a host — Windows Server RDS/terminal-server deployments, shared workstations, VDI pools, jump boxes — is in scope. Single-user endpoints with no secondary local credentials available to an attacker are lower risk but not immune, since the researcher has hinted the unreleased version drops the second-credential requirement entirely.
Mitigation
With no patch available, defenders are limited to detection and hardening:
- Restrict local account creation. The public PoC needs a second set of standard-user credentials; limiting who can create local accounts (and auditing existing ones) raises the bar.
- Monitor for the process pattern. Watch for
CreateProcessWithLogonWcalls usingLOGON_WITH_PROFILEcombined withCREATE_SUSPENDED, launching a common system binary, in close temporal proximity to reads/writes ofC:\Users\*\ntuser.datandC:\Users\*\AppData\Local\Microsoft\Windows\UsrClass.datfor a user account other than the process owner. - Tighten RDS/VDI/shared-host exposure. Treat any multi-user Windows host as higher risk until a fix ships; consider isolating administrative logons from shared terminal-server sessions.
- Track MSRC output. Microsoft has previously assigned CVEs and shipped fixes for this researcher’s prior drops (e.g., CVE-2026-33825 for BlueHammer, CVE-2026-50656 for RoguePlanet) within one to a few weeks of disclosure — expect the same cadence here, but do not wait on it as your only control.
Given this actor’s track record, treat public availability of working exploit code as a strong leading indicator of in-the-wild use, not a hypothetical risk.
Sources: The Hacker News, The Register, SecurityWeek, Rescana, exploit source at github.com/MSNightmare/LegacyHive.