New LegacyHive Windows zero-day enables privilege escalation
🔒 A researcher known as Nightmare Eclipse published a proof-of-concept named LegacyHive after Microsoft's July 2026 Patch Tuesday, claiming it exploits a vulnerability in the Windows User Profile Service. The PoC has been intentionally modified to require additional credentials, making exploitation harder than earlier releases. Analysts note successful exploitation allows non-admin users to modify the classes registry hive and achieve code execution on admin login. Detection queries for Microsoft Defender for Endpoint were published shortly after.
