Researcher Drops Windows Zero-Day PoC Hours After Microsoft Patch Tuesday
A new proof-of-concept exploit, LegacyHive, targets a Windows User Profile Service vulnerability allowing privilege escalation, released shortly after Microsoft's July Patch Tuesday.

Security researcher Chaotic Eclipse, also known as Nightmare-Eclipse, has released a new proof-of-concept (PoC) exploit named LegacyHive. This exploit targets a critical vulnerability within the Windows User Profile Service (ProfSvc), a core component responsible for managing user accounts and their associated environments. The vulnerability allows for arbitrary hive loading, which can be leveraged to escalate privileges on a compromised system.
The PoC, as described by Chaotic Eclipse, requires existing standard user credentials and a third username, which can be an administrator account, to succeed. Upon successful execution, the exploit mounts the target user's hive file into the current user's classes root. The researcher has intentionally stripped down the public PoC to prevent widespread exploitation, noting that the original exploit was more potent, not requiring additional credentials and not being limited to the "usrclass.dat" hive file.
What makes LegacyHive particularly concerning is its reported functionality across all supported desktop and server versions of Windows. Crucially, the exploit is said to be effective even on systems that have applied Microsoft's latest July 2026 Patch Tuesday security updates. This indicates a potential gap in Microsoft's patching cycle or a sophisticated bypass of the applied security measures.
This release marks another escalation in the ongoing dispute between Chaotic Eclipse and Microsoft, which has been public since at least April 2026. The researcher has a history of disclosing multiple exploits before Microsoft could patch them, citing a breakdown in communication channels. Previously, three vulnerabilities discovered in Microsoft Defender were actively exploited shortly after their public disclosure by the researcher.
Earlier in July, Microsoft released security updates for another Defender vulnerability, dubbed RoguePlanet, which was also disclosed by Chaotic Eclipse. However, reports emerged that the "defense-in-depth updates" intended to fix RoguePlanet could inadvertently cause Microsoft Defender to leak 8 bytes of data under specific file-opening scenarios. Microsoft has stated it is investigating this new report.
The broader context of Microsoft's July 2026 Patch Tuesday is significant, as it addressed a record number of vulnerabilities, including actively exploited flaws in SharePoint Server and Active Directory Federation Services. CISA has added these to its Known Exploited Vulnerabilities (KEV) catalog, mandating federal agencies to apply the patches promptly. Experts note that the Patch Tuesday process has seen unusual turbulence in 2026, partly due to an increase in vulnerability reporting and disclosures designed to cause maximum disruption.
While Microsoft has not yet officially commented on LegacyHive, the company is known to be investigating the matter. The situation highlights the persistent challenges in securing complex operating systems like Windows and the cat-and-mouse game between security researchers, exploit developers, and software vendors.
The newly disclosed "LegacyHive" zero-day vulnerability, targeting the Windows User Profile Service, has been detailed further. While the initial proof-of-concept (PoC) code released by the researcher known as Nightmare Eclipse is limited and requires additional credentials, it is understood that a more advanced, unreleased version does not have these limitations. Security experts caution that sophisticated threat actors could rapidly develop fully weaponized exploits from the published code, despite the deliberate obfuscation.