Home/ Blog/ Security news/ Article
Blog · Security news

Fully patched Windows, no fix: a new local privilege zero-day

LegacyHive is a Windows User Profile Service privilege-escalation zero-day that works on fully patched systems, with no CVE and no fix yet. What defenders do

One raised stone block lifting out of an intact archway with light in the gap

Microsoft shipped a record Patch Tuesday this month. Hours later, a researcher published a Windows privilege-escalation zero-day that those updates do not close, and that still works on a machine carrying every one of them. There is no CVE for it yet and nothing to install. That combination, a public bug with no patch, is the case defenders handle worst, because the reflex move of applying an update is off the table.

The exploit is called LegacyHive, and it targets the Windows User Profile Service, the component known internally as ProfSvc that loads a user's registry settings at sign-in. According to The Hacker News, the researcher, who publishes under the handles Chaotic Eclipse and Nightmare Eclipse, released it within hours of the July 2026 Patch Tuesday and did not run it through coordinated disclosure with Microsoft first. Microsoft told reporters it is investigating the validity and applicability of the claims and pointed to its support for coordinated vulnerability disclosure.

A privilege bug that outlives a patched box

Read the risk correctly before you rank it. LegacyHive is not remote code execution and it is not a way onto a machine from the outside. It is a local elevation-of-privilege bug: it does its work only after an attacker already runs code on the host as an ordinary user. The reported primitive leans on the profile service to graft a different account's registry hive into the attacker's own classes root, the per-user branch Windows reads to resolve things like file associations. Security researcher Will Dormann, quoted by The Hacker News, called that a powerful primitive, because manipulating another account's file associations can hand you code execution as that account with no interaction from its owner.

So the practical shape is this. A standard user who is already running on the box, whether through a phished employee, a malicious application, or a service account that got popped, can climb from their own privileges toward another account's, up to and including an administrator. Patching the perimeter does nothing for it. The exposure lives entirely in the space after a foothold, which is exactly the space that endpoint detection and least privilege are supposed to own.

The public exploit is the weakened version

There is a trap in how this one gets scored. The proof-of-concept the researcher published is deliberately stripped down. Per Security Affairs, the public version needs a second standard-user credential and is limited to one specific hive file, and the researcher stated plainly that the original had neither constraint: it required no extra credential and could load any hive. The public release was weakened on purpose to slow immediate abuse.

That means the version circulating is the floor, not the ceiling. A defender who models the threat on the public proof-of-concept, and concludes it is hard to use because it wants a second login, is scoring the wrong artifact.

ConstraintPublic proof-of-conceptResearcher's original, per their statement
Extra credential requiredYes, a second standard-user loginNone
Hives it can loadOne specific hive file onlyAny hive
Source: the researcher's own notes as reported by Security Affairs.

Assume a stronger, unconstrained build exists or will, and rank LegacyHive as a reliable local escalation, not a fiddly one.

One researcher, a standing window after Patch Tuesday

This is not a first appearance. The same person has a run of Windows zero-days behind them. We wrote up one of them in June, a Microsoft Defender privilege-escalation flaw called RoguePlanet, and noted then that reporting could not even agree on the handle. Security Affairs now lists a longer string tied to the same researcher: a BitLocker bypass called GreatXML, RoguePlanet, and a run of others it names RedSun, MiniPlasma, BlueHammer, GreenPlasma, UnDefend, and YellowKey. Treat the exact count and naming as unsettled; the cadence is not.

The pattern worth planning around is the timing. These drops keep landing right after Patch Tuesday, when defenders have just spent their patch window and are inclined to exhale. For a blue team, the days after the monthly update are not a lull. They are a recurring window in which a no-fix local escalation can appear with a public exploit and no vendor answer for weeks. Build that expectation into the schedule instead of being surprised by it each month. LegacyHive is a Windows case, but the same local-escalation shape shows up across platforms, including recent no-patch Linux root exploits that you catch by their artifacts rather than a fix.

With no fix, detection carries the weight

When there is nothing to patch, the control is knowing if it happens. LegacyHive turns on loading a registry hive that the profile service would not load in normal operation, so the abuse leaves a behavioral trace even without a signature for the bug itself. Watch for a registry hive being mounted into a user's classes root that you cannot tie to a legitimate interactive sign-in, and for file-association keys in another user's hive changing outside of software installs. Registry-load operations are the event class to hunt here, not a specific file hash.

Two things reduce the blast radius while Microsoft investigates. First, cut the number of standard-user footholds that matter: this bug needs local code execution to start, so anything that keeps low-privilege accounts and service identities from running arbitrary code shrinks the set of machines where it pays off. Second, get the hive-load telemetry in front of someone who will act on it. This is the kind of quiet, post-foothold behavior that a managed threat-hunting practice is built to surface, and it belongs in the same exposure review as the CVEs you can patch, because a no-fix zero-day still has to sit on your risk register. The fix will come. The window before it is the part you have to cover yourself.

Topics

Frequently asked questions

What is the LegacyHive Windows vulnerability?

LegacyHive is a privilege-escalation zero-day in the Windows User Profile Service (ProfSvc), the component that loads a user's registry settings at sign-in.

A researcher published it hours after the July 2026 Patch Tuesday. It lets an attacker already running as a standard user load another account's registry hive and climb toward that account's privileges.

Does LegacyHive affect fully patched Windows systems?

Yes. Reporting says LegacyHive works on all supported desktop and server versions of Windows, including machines carrying the latest July 2026 Patch Tuesday updates.

The monthly patches do not close it, so an up-to-date system is not protected against this specific flaw.

Is there a patch for LegacyHive?

No. At the time of writing there is no CVE assigned and no fix available for LegacyHive.

Microsoft said it is investigating the validity and applicability of the claims. Until a fix ships, defenders have to rely on detection and on limiting local footholds.

How serious is LegacyHive, and does it need local access?

LegacyHive is a local privilege escalation, not remote code execution, so it needs an existing foothold: an attacker must already run code on the host as an ordinary user.

From there it can escalate to another account, up to an administrator, which makes it a strong link in a post-compromise chain.

How can defenders detect LegacyHive without a patch?

Watch for a registry hive being mounted into a user's classes root that you cannot tie to a legitimate interactive sign-in, and for file-association keys changing in another user's hive outside of software installs.

Registry hive-load operations are the behavior to hunt, since there is no fix to apply yet.

Why is the public LegacyHive proof-of-concept weaker than the real bug?

The researcher deliberately stripped the public proof-of-concept to slow immediate abuse.

According to Security Affairs, the public version needs a second standard-user credential and is limited to one hive file, but the researcher stated the original required no extra credential and could load any hive. Score the threat as the stronger version.

Ready to meet the Guardians?

Deploys fast - agentless for monitoring and cloud, a lightweight agent for deep endpoint security. Just Suriq, standing watch.