Microsoft: New LegacyHive Windows 0-day Vulnerability Allows Users to Load Another User’s Registry

Microsoft: New LegacyHive Windows 0-day Vulnerability Allows Users to Load Another User’s Registry

LegacyHive PoC Exploit Exposes Windows Privilege Escalation Vulnerability

A new proof-of-concept (PoC) exploit, LegacyHive, has been released, targeting a Windows elevation-of-privilege vulnerability in the User Profile Service. The exploit allows a standard user to load another user’s registry hive under their own registry classes root, potentially enabling unauthorized access or privilege escalation.

Registry hives store critical configuration data for Windows, applications, and user profiles. If improperly accessed, they can expose sensitive settings that affect software execution, COM object resolution, and file handling. The LegacyHive PoC, published by security researcher Nightmare-Eclipse, claims compatibility with all supported Windows desktop and server versions that have received the July 2026 security updates.

The publicly released version of the exploit is intentionally restricted to mitigate immediate abuse, requiring credentials for a second standard user and the username of a third account potentially an administrator. However, the original technique did not impose these limitations and could load arbitrary hives, including UsrClass.dat, which contains file associations, shell settings, and COM configurations.

If successfully executed, the exploit mounts the target account’s user hive within the attacker’s registry context. This could allow threat actors to identify additional privilege escalation paths based on local system configurations and accessible registry data. Despite its severity, the vulnerability currently lacks a CVE identifier, Microsoft advisory, or official patch.

The disclosure suggests that routine monthly updates may not fully address the issue, as the PoC remains functional on systems patched as recently as July 2026. Security teams are advised to restrict local access to trusted users, monitor for unusual profile-loading activity, and review endpoint telemetry for unauthorized access to registry files like NTUSER.DAT and UsrClass.dat.

The release underscores the persistent risks of local Windows privilege-escalation flaws, particularly those affecting core services responsible for managing user profile data.

Source: https://cybersecuritynews.com/legacyhive-windows-0-day-vulnerability/

Microsoft TPRM report: https://www.rankiteo.com/company/microsoft-security

"id": "mic1784096635",
"linkid": "microsoft-security",
"type": "Vulnerability",
"date": "7/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'All users of supported Windows '
                                              'desktop and server versions',
                        'industry': 'Technology',
                        'location': 'Global',
                        'name': 'Microsoft Windows',
                        'type': 'Operating System'}],
 'attack_vector': 'Local Access',
 'data_breach': {'file_types_exposed': ['NTUSER.DAT', 'UsrClass.dat'],
                 'sensitivity_of_data': 'High (contains critical system and '
                                        'user configuration data)',
                 'type_of_data_compromised': 'Registry hive data (file '
                                             'associations, shell settings, '
                                             'COM configurations, user profile '
                                             'settings)'},
 'description': 'A new proof-of-concept (PoC) exploit, *LegacyHive*, has been '
                'released, targeting a Windows elevation-of-privilege '
                'vulnerability in the User Profile Service. The exploit allows '
                'a standard user to load another user’s registry hive under '
                'their own registry classes root, potentially enabling '
                'unauthorized access or privilege escalation. The publicly '
                'released version is restricted to mitigate abuse but could '
                'still allow threat actors to identify additional privilege '
                'escalation paths.',
 'impact': {'operational_impact': 'Potential unauthorized access, privilege '
                                  'escalation, and exposure of sensitive '
                                  'registry data',
            'systems_affected': 'All supported Windows desktop and server '
                                'versions (as of July 2026 updates)'},
 'lessons_learned': 'The incident underscores the persistent risks of local '
                    'Windows privilege-escalation flaws, particularly those '
                    'affecting core services responsible for managing user '
                    'profile data.',
 'motivation': 'Proof-of-Concept Demonstration',
 'post_incident_analysis': {'corrective_actions': 'Apply patches once '
                                                  'available, restrict local '
                                                  'access, and enhance '
                                                  'monitoring',
                            'root_causes': 'Unpatched vulnerability in Windows '
                                           'User Profile Service allowing '
                                           'unauthorized registry hive '
                                           'loading'},
 'recommendations': 'Restrict local access to trusted users, monitor for '
                    'unusual profile-loading activity, review endpoint '
                    'telemetry for unauthorized access to registry files, and '
                    'apply patches once available.',
 'references': [{'source': 'Nightmare-Eclipse (Security Researcher)'}],
 'response': {'containment_measures': 'Restrict local access to trusted users, '
                                      'monitor for unusual profile-loading '
                                      'activity, review endpoint telemetry for '
                                      'unauthorized access to registry files',
              'enhanced_monitoring': 'Review endpoint telemetry for '
                                     'unauthorized access to registry files '
                                     'like *NTUSER.DAT* and *UsrClass.dat*'},
 'threat_actor': 'Nightmare-Eclipse (Security Researcher)',
 'title': 'LegacyHive PoC Exploit Exposes Windows Privilege Escalation '
          'Vulnerability',
 'type': 'Privilege Escalation',
 'vulnerability_exploited': 'Windows User Profile Service Registry Hive '
                            'Loading'}
Great! Next, complete checkout for full access to Rankiteo Blog.
Welcome back! You've successfully signed in.
You've successfully subscribed to Rankiteo Blog.
Success! Your account is fully activated, you now have access to all content.
Success! Your billing info has been updated.
Your billing was not updated.