Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
AWS Cost Explorer Bug Exposes Trillion-Dollar Billing Estimates
July 17, 2026
Critical Windows LegacyHive 0-Day Lets Attackers Gain Admin Access
July 17, 2026
ClickLock macOS Stealer Kills Apps, Forces Password Entry
July 17, 2026
Home/Vulnerabilities/Critical Windows LegacyHive 0-Day Lets Attackers Gain Admin Access
Vulnerabilities

Critical Windows LegacyHive 0-Day Lets Attackers Gain Admin Access

Key Takeaways A new Windows zero-day vulnerability, dubbed LegacyHive (MSNightmare), allows local privilege escalation. The flaw abuses the User Profile Service (ProfSvc) to enable low-privileged...

Emy Elsamnoudy
Emy Elsamnoudy
July 17, 2026 4 Min Read
2 0

Key Takeaways

  • A new Windows zero-day vulnerability, dubbed LegacyHive (MSNightmare), allows local privilege escalation.
  • The flaw abuses the User Profile Service (ProfSvc) to enable low-privileged users to access and modify administrator registry hives.
  • This grants attackers the ability to tamper with admin accounts, hijack application launches, and achieve persistent, admin-level code execution.
  • The vulnerability affects all currently supported and fully patched Windows desktop and server editions, with no official fix or CVE assigned by Microsoft yet.

Unpatched Windows Zero-Day LegacyHive Grants Admin Access via User Profile Service

A critical, unpatched zero-day vulnerability in Windows, identified as LegacyHive (MSNightmare), is actively being exploited to achieve local privilege escalation. This flaw leverages the Windows User Profile Service (ProfSvc) to allow attackers to gain administrative access, manipulate administrator accounts, and execute code with elevated privileges.

Table Of Content

  • Key Takeaways
  • Unpatched Windows Zero-Day LegacyHive Grants Admin Access via User Profile Service
  • How LegacyHive Exploits the User Profile Service
  • Demonstrated Impact and Privilege Escalation
  • Technical Details and Microsoft’s Response
  • What You Should Do

How LegacyHive Exploits the User Profile Service

LegacyHive specifically targets the Windows User Profile Service, a core component responsible for managing user profiles and their associated registry hives during system logon and logoff. The vulnerability enables a low-privileged user to mount another user’s registry hive—specifically the UsrClass.dat hive—into their own HKEY_CLASSES_ROOT. This effectively exposes the target user’s application data and configuration, making it appear as if it belongs to the attacker’s session.

The public proof-of-concept (PoC) for this vulnerability, detailed on the MSNightmare GitHub account describes the issue as a “Windows user profile service arbitrary hive load elevation of privileges vulnerability.”

Demonstrated Impact and Privilege Escalation

Security researcher Will Dormann illustrated the practical implications of LegacyHive. By executing LegacyHive.exe with the credentials of a second standard user, targeting a specified administrator account, and then launching regedit.exe as that second user, Dormann showed that the non-admin user could directly access the administrator’s Classes registry hive.

While read-only access to UsrClass.dat alone doesn’t immediately expose sensitive data like password hashes, it provides a powerful primitive for attack. A non-admin can modify an administrator’s classes registry hive, fundamentally altering how that administrator’s account launches applications or handles COM objects.

Dormann further demonstrated this by changing the .txt file association within an administrator’s hive to launch calc.exe instead of a standard text editor. This highlights how arbitrary code can be injected into an administrator’s workflow. More dangerously, an attacker could overwrite COM objects or shell extensions configured to load automatically upon administrator login. This turns the compromised hive into a persistent mechanism for code execution that runs with admin privileges during a normal sign-in, making such activity appear legitimate to endpoint detection and response (EDR) tools.

Technical Details and Microsoft’s Response

The public PoC released by NightmareEclipse is a stripped-down version, requiring credentials for an additional standard user and limiting its scope to the UsrClass.dat hive. The researcher claims the full exploit does not require additional user credentials and can coerce ProfSvc to load any hive, potentially achieving kernel-level impersonation as NT AUTHORITYSYSTEM, significantly broadening the vulnerability’s impact.

Despite Microsoft’s July 2026 Patch Tuesday addressing numerous CVEs, LegacyHive reportedly remains effective on all currently supported and fully patched Windows desktop and server editions. At the time of disclosure, no CVE has been assigned, and no dedicated security bulletin has been released.

Microsoft has acknowledged the issue, stating it is “aware of the reported vulnerability and is actively investigating the validity and potential applicability of these claims.” However, an official fix is not yet available.

Early reverse-engineering, utilizing tools like Process Monitor, indicates that LegacyHive exploits how ProfSvc resolves and opens the target user’s UsrClass.dat through the Windows Object Manager and registry hive loading routines. Dormann observed that initial attempts to open the target admin’s hive with low-privileged credentials result in an ACCESS DENIED error. However, a subsequent retry under an impersonated NT AUTHORITYSYSTEM context succeeds, leaving the hive mounted and accessible to the attacker-controlled user.

This behavior aligns with historical Windows vulnerabilities where kernel-mediated impersonation and race conditions on file or registry operations can be abused to achieve SYSTEM-level effects. LegacyHive appears to repurpose this pattern against ProfSvc, creating an unpatched local privilege escalation vector through arbitrary hive loading.

Since LegacyHive is a local, post-compromise vulnerability, attackers must already have initial access to a Windows system and at least one non-admin account to exploit it. Once exploited, however, it provides a direct path to compromise higher-privileged users and escalate privileges.

What You Should Do

  • Restrict Local Login: Limit local login capabilities for privileged accounts as much as possible.
  • Segment Admin Workstations: Isolate administrative workstations from standard user environments to contain potential breaches.
  • Enhance Monitoring: Implement heightened monitoring for unusual registry hive modifications and changes to COM/object registration within administrator profiles.
  • Assume Compromise: Treat any system where NightmareEclipse tools, including LegacyHive or prior RoguePlanet/Defender exploits, are detected as potentially compromised.
  • Stay Updated: Monitor official Microsoft channels for a forthcoming patch and apply it immediately upon release.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackCVEExploitPatchSecurityVulnerabilityzero-day

Share Article

Emy Elsamnoudy

Emy Elsamnoudy

Emy is a cybersecurity analyst and reporter specializing in threat hunting, defense strategies, and industry trends. With expertise in proactive security measures, Emily covers the tools and techniques organizations use to detect and prevent cyber attacks. She is a regular speaker at security conferences and has contributed to industry reports on threat intelligence and security operations. Emily's reporting focuses on helping organizations improve their security posture through practical, actionable insights.

Previous Post

ClickLock macOS Stealer Kills Apps, Forces Password Entry

Next Post

AWS Cost Explorer Bug Exposes Trillion-Dollar Billing Estimates

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
Critical TP-Link Tapo Camera Vulnerability Lets Attackers Hijack Devices
July 17, 2026
CISA Warns of Critical Fortinet FortiSandbox OS Injection Flaws Exploited in Attacks
July 17, 2026
Linus Torvalds Clarifies Linux Kernel’s Stance on AI Development
July 17, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Emy Elsamnoudy
Emy Elsamnoudy
Jennifer sherman
Jennifer sherman
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us