"The PoC requires another standard user credentials and a third username (which can be an administrator account), if the PoC is successful, it will end up mounting the target user hive in current user classes root," said the researcher using the "Nightmare Eclipse" handle after releasing a proof-of-concept for a new Windows zero-day called LegacyHive.
Nightmare Eclipse's LegacyHive PoC
The researcher published LegacyHive hours after Microsoft's July 2026 Patch Tuesday updates, releasing a proof-of-concept (PoC) that targets the Windows User Profile Service. According to the researcher, the PoC has been deliberately modified from an earlier version: it now requires additional credentials and is limited to the usrclass.dat hive. The researcher said the stripped-down PoC was "an attempt to prevent public exploitation" and that the original PoC "did not require additional user credential and was not limited to usrclass.dat hive, any hive could be loaded using this vulnerability."
The vulnerability targeted by LegacyHive has not yet received a CVE identifier for tracking, and the PoC author described both the constrained public release and the capabilities of the original exploit in explicit terms.
How LegacyHive abuses the Windows User Profile Service
Security analysis shared in reporting makes clear what successful exploitation enables: it can allow non-administrative users to mount and modify the classes registry hive. Will Dormann, principal vulnerability analyst at Tharros, tested the exploit and explained the consequence plainly — modification of the classes hive can produce automatic code execution when an administrator account subsequently logs into a compromised system.
Dormann illustrated the effect with a simple example: "For example, as a novelty, we can associate .txt files to open with calc.exe," he noted, and added that "clever attackers or people who want to accomplish something will easily be able to figure out how to do things that are more interesting and/or don't even require user interaction." In short, LegacyHive is a privilege-escalation technique that leverages the profile and registry handling performed by the User Profile Service to turn a local non-admin foothold into code execution at higher privilege.
Detection, mitigation and vendor responses
One day after the PoC appeared, cybersecurity expert Kevin Beaumont published detection queries tailored to Microsoft Defender for Endpoint (MDE), providing enterprise teams with immediate hunting tools specific to LegacyHive. The PoC author had said the public release was intentionally limited to make exploitation harder; defenders now have at least one public detection resource to incorporate.
Microsoft's recent Patch Tuesday activity is relevant context: the company fixed the GreenPlasma, MiniPlasma, and YellowKey flaws as part of the June 2026 updates, and addressed the RoguePlanet vulnerability in its July security updates. LegacyHive, by contrast, was disclosed publicly by a researcher after those July fixes and has not yet been tracked with a CVE.
Microsoft also issued warnings about legal action against people engaging in "malicious activity causing real harm to our customers," a response that cybersecurity experts interpreted as a direct admonition to the researcher. A Microsoft spokesperson was not immediately available when contacted by BleepingComputer.
Nightmare Eclipse's recent disclosure trajectory
Nightmare Eclipse has disclosed multiple zero-day exploits in recent months. Reporting ties the handle to disclosures that include the RoguePlanet vulnerability and flaws affecting Microsoft Defender, BitLocker, and various Windows components. That sequence of public disclosures, combined with Microsoft's legal warning language, has shaped how researchers, defenders, and vendors respond to subsequent PoC releases such as LegacyHive.
What this means for technologists, enterprises, and end users
- Technologists and security teams: Analysts and incident responders should incorporate Kevin Beaumont's MDE detection queries and hunt for activity that mounts or tampers with user classes hives. Because the PoC author limited the public release, teams must still treat the underlying vulnerability as capable of broader impact until a full patch or CVE is published.
- Enterprises and procurement leaders: Organizations running up-to-date Windows systems should track Microsoft advisories closely — Microsoft fixed related high-profile flaws in June and July 2026 — and prioritize deployment of relevant platform detection rules for Defender for Endpoint where applicable.
- End users and administrators: The exploit chain described requires another standard user credential plus a third username that can be an administrative account; administrators logging into potentially compromised machines face the specific risk of automatic code execution triggered by malicious changes to the classes hive.
LegacyHive demonstrates a recurring dynamic: researchers publishing high-impact PoCs close to Microsoft patch cycles, vendors issuing fixes for other vulnerabilities, and defenders racing to translate PoCs into detection and mitigation. The researcher’s decision to strip down LegacyHive reduced its immediate weaponization but left the underlying User Profile Service vulnerability exposed and untracked by a CVE — a gap defenders and enterprises must watch closely as they adopt published detections and await any vendor patch or advisory.




