Critical Windows LegacyHive 0-Day Lets Attackers Gain Admin Access
Key Takeaways A new Windows zero-day vulnerability, dubbed LegacyHive (MSNightmare), allows local privilege escalation. The flaw abuses the User Profile Service (ProfSvc) to enable low-privileged...
Key Takeaways
- A new Windows zero-day vulnerability, dubbed LegacyHive (MSNightmare), allows local privilege escalation.
- The flaw abuses the User Profile Service (ProfSvc) to enable low-privileged users to access and modify administrator registry hives.
- This grants attackers the ability to tamper with admin accounts, hijack application launches, and achieve persistent, admin-level code execution.
- The vulnerability affects all currently supported and fully patched Windows desktop and server editions, with no official fix or CVE assigned by Microsoft yet.
Unpatched Windows Zero-Day LegacyHive Grants Admin Access via User Profile Service
A critical, unpatched zero-day vulnerability in Windows, identified as LegacyHive (MSNightmare), is actively being exploited to achieve local privilege escalation. This flaw leverages the Windows User Profile Service (ProfSvc) to allow attackers to gain administrative access, manipulate administrator accounts, and execute code with elevated privileges.
Table Of Content
How LegacyHive Exploits the User Profile Service
LegacyHive specifically targets the Windows User Profile Service, a core component responsible for managing user profiles and their associated registry hives during system logon and logoff. The vulnerability enables a low-privileged user to mount another user’s registry hive—specifically the UsrClass.dat hive—into their own HKEY_CLASSES_ROOT. This effectively exposes the target user’s application data and configuration, making it appear as if it belongs to the attacker’s session.
The public proof-of-concept (PoC) for this vulnerability, detailed on the MSNightmare GitHub account describes the issue as a “Windows user profile service arbitrary hive load elevation of privileges vulnerability.”
Demonstrated Impact and Privilege Escalation
Security researcher Will Dormann illustrated the practical implications of LegacyHive. By executing LegacyHive.exe with the credentials of a second standard user, targeting a specified administrator account, and then launching regedit.exe as that second user, Dormann showed that the non-admin user could directly access the administrator’s Classes registry hive.
While read-only access to UsrClass.dat alone doesn’t immediately expose sensitive data like password hashes, it provides a powerful primitive for attack. A non-admin can modify an administrator’s classes registry hive, fundamentally altering how that administrator’s account launches applications or handles COM objects.
Dormann further demonstrated this by changing the .txt file association within an administrator’s hive to launch calc.exe instead of a standard text editor. This highlights how arbitrary code can be injected into an administrator’s workflow. More dangerously, an attacker could overwrite COM objects or shell extensions configured to load automatically upon administrator login. This turns the compromised hive into a persistent mechanism for code execution that runs with admin privileges during a normal sign-in, making such activity appear legitimate to endpoint detection and response (EDR) tools.
Technical Details and Microsoft’s Response
The public PoC released by NightmareEclipse is a stripped-down version, requiring credentials for an additional standard user and limiting its scope to the UsrClass.dat hive. The researcher claims the full exploit does not require additional user credentials and can coerce ProfSvc to load any hive, potentially achieving kernel-level impersonation as NT AUTHORITYSYSTEM, significantly broadening the vulnerability’s impact.
Despite Microsoft’s July 2026 Patch Tuesday addressing numerous CVEs, LegacyHive reportedly remains effective on all currently supported and fully patched Windows desktop and server editions. At the time of disclosure, no CVE has been assigned, and no dedicated security bulletin has been released.
Microsoft has acknowledged the issue, stating it is “aware of the reported vulnerability and is actively investigating the validity and potential applicability of these claims.” However, an official fix is not yet available.
Early reverse-engineering, utilizing tools like Process Monitor, indicates that LegacyHive exploits how ProfSvc resolves and opens the target user’s UsrClass.dat through the Windows Object Manager and registry hive loading routines. Dormann observed that initial attempts to open the target admin’s hive with low-privileged credentials result in an ACCESS DENIED error. However, a subsequent retry under an impersonated NT AUTHORITYSYSTEM context succeeds, leaving the hive mounted and accessible to the attacker-controlled user.
This behavior aligns with historical Windows vulnerabilities where kernel-mediated impersonation and race conditions on file or registry operations can be abused to achieve SYSTEM-level effects. LegacyHive appears to repurpose this pattern against ProfSvc, creating an unpatched local privilege escalation vector through arbitrary hive loading.
Since LegacyHive is a local, post-compromise vulnerability, attackers must already have initial access to a Windows system and at least one non-admin account to exploit it. Once exploited, however, it provides a direct path to compromise higher-privileged users and escalate privileges.
What You Should Do
- Restrict Local Login: Limit local login capabilities for privileged accounts as much as possible.
- Segment Admin Workstations: Isolate administrative workstations from standard user environments to contain potential breaches.
- Enhance Monitoring: Implement heightened monitoring for unusual registry hive modifications and changes to COM/object registration within administrator profiles.
- Assume Compromise: Treat any system where NightmareEclipse tools, including LegacyHive or prior RoguePlanet/Defender exploits, are detected as potentially compromised.
- Stay Updated: Monitor official Microsoft channels for a forthcoming patch and apply it immediately upon release.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.