Microsoft shipped a record Patch Tuesday this month. Hours later, a researcher published a Windows privilege-escalation zero-day that those updates do not close, and that still works on a machine carrying every one of them. There is no CVE for it yet and nothing to install. That combination, a public bug with no patch, is the case defenders handle worst, because the reflex move of applying an update is off the table.
The exploit is called LegacyHive, and it targets the Windows User Profile Service, the component known internally as ProfSvc that loads a user's registry settings at sign-in. According to The Hacker News, the researcher, who publishes under the handles Chaotic Eclipse and Nightmare Eclipse, released it within hours of the July 2026 Patch Tuesday and did not run it through coordinated disclosure with Microsoft first. Microsoft told reporters it is investigating the validity and applicability of the claims and pointed to its support for coordinated vulnerability disclosure.
A privilege bug that outlives a patched box
Read the risk correctly before you rank it. LegacyHive is not remote code execution and it is not a way onto a machine from the outside. It is a local elevation-of-privilege bug: it does its work only after an attacker already runs code on the host as an ordinary user. The reported primitive leans on the profile service to graft a different account's registry hive into the attacker's own classes root, the per-user branch Windows reads to resolve things like file associations. Security researcher Will Dormann, quoted by The Hacker News, called that a powerful primitive, because manipulating another account's file associations can hand you code execution as that account with no interaction from its owner.
So the practical shape is this. A standard user who is already running on the box, whether through a phished employee, a malicious application, or a service account that got popped, can climb from their own privileges toward another account's, up to and including an administrator. Patching the perimeter does nothing for it. The exposure lives entirely in the space after a foothold, which is exactly the space that endpoint detection and least privilege are supposed to own.
The public exploit is the weakened version
There is a trap in how this one gets scored. The proof-of-concept the researcher published is deliberately stripped down. Per Security Affairs, the public version needs a second standard-user credential and is limited to one specific hive file, and the researcher stated plainly that the original had neither constraint: it required no extra credential and could load any hive. The public release was weakened on purpose to slow immediate abuse.
That means the version circulating is the floor, not the ceiling. A defender who models the threat on the public proof-of-concept, and concludes it is hard to use because it wants a second login, is scoring the wrong artifact.
| Constraint | Public proof-of-concept | Researcher's original, per their statement |
|---|---|---|
| Extra credential required | Yes, a second standard-user login | None |
| Hives it can load | One specific hive file only | Any hive |
Assume a stronger, unconstrained build exists or will, and rank LegacyHive as a reliable local escalation, not a fiddly one.
One researcher, a standing window after Patch Tuesday
This is not a first appearance. The same person has a run of Windows zero-days behind them. We wrote up one of them in June, a Microsoft Defender privilege-escalation flaw called RoguePlanet, and noted then that reporting could not even agree on the handle. Security Affairs now lists a longer string tied to the same researcher: a BitLocker bypass called GreatXML, RoguePlanet, and a run of others it names RedSun, MiniPlasma, BlueHammer, GreenPlasma, UnDefend, and YellowKey. Treat the exact count and naming as unsettled; the cadence is not.
The pattern worth planning around is the timing. These drops keep landing right after Patch Tuesday, when defenders have just spent their patch window and are inclined to exhale. For a blue team, the days after the monthly update are not a lull. They are a recurring window in which a no-fix local escalation can appear with a public exploit and no vendor answer for weeks. Build that expectation into the schedule instead of being surprised by it each month. LegacyHive is a Windows case, but the same local-escalation shape shows up across platforms, including recent no-patch Linux root exploits that you catch by their artifacts rather than a fix.
With no fix, detection carries the weight
When there is nothing to patch, the control is knowing if it happens. LegacyHive turns on loading a registry hive that the profile service would not load in normal operation, so the abuse leaves a behavioral trace even without a signature for the bug itself. Watch for a registry hive being mounted into a user's classes root that you cannot tie to a legitimate interactive sign-in, and for file-association keys in another user's hive changing outside of software installs. Registry-load operations are the event class to hunt here, not a specific file hash.
Two things reduce the blast radius while Microsoft investigates. First, cut the number of standard-user footholds that matter: this bug needs local code execution to start, so anything that keeps low-privilege accounts and service identities from running arbitrary code shrinks the set of machines where it pays off. Second, get the hive-load telemetry in front of someone who will act on it. This is the kind of quiet, post-foothold behavior that a managed threat-hunting practice is built to surface, and it belongs in the same exposure review as the CVEs you can patch, because a no-fix zero-day still has to sit on your risk register. The fix will come. The window before it is the part you have to cover yourself.