"The PoC requires another standard user credential and a third username (which can be an administrator account)," Chaotic Eclipse said.
Chaotic Eclipse's LegacyHive PoC
Security researcher Chaotic Eclipse (aka Nightmare-Eclipse) released a proof-of-concept exploit named LegacyHive that targets the Windows User Profile Service (ProfSvc). The researcher described LegacyHive as a "Windows User Profile Service arbitrary hive load elevation of privileges vulnerability" and said the PoC was intentionally stripped down to limit public exploitation.
Chaotic Eclipse added that the original, fuller exploit "did not require additional user credentials and was not limited to the 'usrclass.dat' hive." The researcher also said, "Any hive could be loaded using this vulnerability, but you would need some brain cells to make the PoC do it."
How the LegacyHive exploit works
According to the researcher, a successful run of LegacyHive ends up "mounting the target user hive in the current user classes root." The PoC as released requires credentials for another standard user and a third username that can be an administrator account. The target component, the Windows User Profile Service (ProfSvc), is identified in the report as a core system component that manages user accounts and environments.
Why the July 2026 Patch Tuesday did not stop it
What makes LegacyHive notable is that, per the researcher's account, it is functional on "all supported desktop and server versions of Windows, including those running the latest July 2026 Patch Tuesday update." Chaotic Eclipse's disclosure arrived amid an ongoing dispute with Microsoft that the researcher said dates back to at least April 2026 and has involved the public release of exploit details before Microsoft could issue fixes.
The researcher and Microsoft have clashed before: three vulnerabilities in Microsoft Defender disclosed by Chaotic Eclipse were reportedly under active exploitation shortly after public disclosure, and an earlier disclosure this month — the Defender vulnerability known as RoguePlanet — led Microsoft to ship "defense-in-depth updates" that in turn were reported to cause Microsoft Defender to leak eight bytes of data when attempting to open a file in certain scenarios. Microsoft told The Hacker News it is investigating the new report; The Hacker News has contacted Microsoft for comment regarding LegacyHive and said it will update the story if it hears back.
SharePoint Server, ADFS, and CISA's Known Exploited Vulnerabilities actions
The LegacyHive disclosure coincides with Microsoft's July 2026 Patch Tuesday, which addressed a record 622 flaws, including two privilege-escalation vulnerabilities flagged as actively exploited: CVE-2026-56164 in SharePoint Server (CVSS 5.3) and CVE-2026-56155 in Active Directory Federation Services (CVSS 7.8). The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added both to its Known Exploited Vulnerabilities (KEV) catalog and mandated fixes for Federal Civilian Executive Branch agencies by July 17 and July 28, 2026, respectively.
CISA also warned of active exploitation of multiple SharePoint Server flaws — CVE-2026-32201, CVE-2026-45659, and CVE-2026-56164 — that can enable remote code execution and follow-on post-exploitation activity such as stealing Internet Information Services (IIS) machine keys and performing deserialization techniques to gain persistence and deploy malware. Alex Vovk, CEO and co-founder of Action1, said of CVE-2026-56164: "The flaw stems from missing authentication for a critical function, enabling an attacker to reach functionality that should require authorization."
Rapid7 called out another critical SharePoint Server authentication bypass fixed in July, CVE-2026-55040 (CVSS 9.1), explaining that "the vulnerability is due to several issues in the JWT token validation pipeline" and warning that it can be chained to other vulnerabilities within an authenticated attack surface.
What this means for security teams, Federal agencies, and defenders
- Security teams and enterprise administrators: Review and apply July 2026 Patch Tuesday updates promptly and prioritize remediation of the SharePoint and ADFS CVEs that CISA added to the KEV catalog. LegacyHive's reported ability to mount arbitrary hives highlights the continued need to scrutinize privilege-escalation paths involving user-profile services.
- Federal Civilian Executive Branch (FCEB) agencies: CISA's KEV deadlines for CVE-2026-56164 and CVE-2026-56155 require fixes by July 17 and July 28, 2026; agencies subject to those directives must certify or implement mitigations to meet the mandated schedule.
- Incident responders and defenders: Expect continued rapid public disclosures and contested disclosure timelines; Chaotic Eclipse's prior disclosures tied to active exploitation of Microsoft Defender vulnerabilities and the newly disclosed LegacyHive PoC suggest defenders should monitor both patches and researcher repositories or reports for functional PoCs that could be weaponized.
The record number of patched flaws in July 2026 and the fresh, working LegacyHive PoC underscore a broader friction: public proof-of-concept releases are surfacing even as vendors push urgent fixes, and those dynamics are shaping both patching priorities and exploit windows. Microsoft is reported to be investigating the new LegacyHive disclosure; The Hacker News and the researcher have already exchanged technical claims that security teams and regulators will be asked to weigh quickly in the days ahead.




