Critical LegacyHive Windows 0-Day Lets Attackers Load Other User Registries
Key Takeaways A new proof-of-concept exploit, “LegacyHive,” targets a Windows User Profile Service vulnerability. This 0-day flaw allows a standard user to load another user’s...
Key Takeaways
- A new proof-of-concept exploit, “LegacyHive,” targets a Windows User Profile Service vulnerability.
- This 0-day flaw allows a standard user to load another user’s registry hive, potentially including administrator profiles.
- The exploit works on all supported Windows desktop and server versions, even those with July 2026 security updates.
- No CVE, official Microsoft advisory, or patch is currently available for LegacyHive.
New Windows 0-Day, LegacyHive, Allows Registry Hive Loading for Privilege Escalation
A significant new proof-of-concept (PoC) exploit, dubbed LegacyHive, has emerged, exposing a critical elevation-of-privilege vulnerability within the Windows User Profile Service. This 0-day flaw enables a standard user to load the registry hive of another user account under their own registry classes root, presenting a clear path for local privilege escalation.
Table Of Content
- Key Takeaways
- New Windows 0-Day, LegacyHive, Allows Registry Hive Loading for Privilege Escalation
- Understanding Registry Hives and the Vulnerability
- LegacyHive’s Scope and Current Limitations
- Potential Impact of Successful Exploitation
- Lack of Official Response and Mitigation Recommendations
- What You Should Do
Understanding Registry Hives and the Vulnerability
Registry hives are fundamental files within Windows that store crucial configuration data for the operating system, its services, various applications, and individual user profiles. The integrity and proper handling of these files are paramount to system security. Should these hives be improperly loaded or exposed, it can lead to unauthorized access or, as demonstrated by LegacyHive, privilege escalation.
The LegacyHive PoC, as described in its GitHub repository, targets a “Windows user profile service arbitrary hive load elevation of privileges vulnerability.” This issue permits a less privileged user to manipulate how the system loads registry data belonging to other users, including those with elevated permissions.
LegacyHive’s Scope and Current Limitations
Security researcher Nightmare-Eclipse released the LegacyHive PoC, claiming its effectiveness across all currently supported Windows desktop and server versions, even those that have installed the security updates scheduled for July 2026. This broad compatibility underscores the severity of the flaw, indicating that routine patching may not address it.
Notably, the publicly released PoC has been deliberately constrained by Nightmare-Eclipse to mitigate immediate widespread abuse. The current version requires credentials for a second standard user account and the username of a third account, which could be an administrator. The repository itself was established shortly before the public release, with the PoC source code and documentation made available approximately 11 hours prior to its public accessibility. The project operates under an MIT License.
The researcher indicated that the original, unrestricted technique did not necessitate additional user credentials and was not limited to the UsrClass.dat hive. This specific hive typically houses file associations, shell settings, COM configurations, and application-class settings. The researcher indicated that the initial exploit could load arbitrary hives, but the public release was simplified.
Potential Impact of Successful Exploitation
Upon successful execution, the target account’s user hive is mounted within the current user’s classes registry location. This capability is highly sensitive from a security perspective because registry hives contain values that dictate how Windows launches software, resolves COM objects, manages file types, and applies user-specific settings. By manipulating the loading context of a privileged user’s hive, an attacker could potentially uncover additional escalation paths based on the local system configuration and the accessible registry data.
Lack of Official Response and Mitigation Recommendations
As of now, there is no disclosed CVE number, official Microsoft advisory, or a direct patch addressing the LegacyHive vulnerability. Its confirmed functionality on systems with July 2026 security updates suggests that organizations should not rely on standard monthly updates to resolve this particular issue.
What You Should Do
- Restrict Local Access: Limit local interactive access to Windows systems to only trusted users with legitimate operational needs.
- Monitor for Unusual Activity: Implement robust monitoring for anomalous user profile loading activities and unexpected accesses to critical user profile registry files, such as NTUSER.DAT and UsrClass.dat, through endpoint detection and response (EDR) solutions.
- Track Vendor Response: Stay informed on Microsoft’s official response to this disclosure and any forthcoming advisories or patches.
- Isolate Testing: Any validation of the LegacyHive PoC should be conducted strictly within isolated, authorized test environments to prevent unintended system compromise.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.