Ethical Hacking News
A new Windows vulnerability has been discovered by Chaotic Eclipse, which could have far-reaching consequences for enterprise security. Learn more about the LegacyHive vulnerability and its implications.
The LegacyHive vulnerability is a Windows User Profile Service arbitrary hive load elevation of privileges vulnerability that has been released as a proof-of-concept (PoC) exploit by researcher Chaotic Eclipse. The exploit requires another standard user credential and a third username to succeed, and can be functional on all supported desktop and server versions of Windows, including the latest July 2026 Patch Tuesday update. The vulnerability has been tied to a dispute between Chaotic Eclipse and Microsoft, with three vulnerabilities being actively exploited shortly after public disclosure. A recently patched vulnerability known as RoguePlanet has caused Microsoft Defender to leak data when attempting to open certain files, highlighting the ongoing challenge of ensuring security patches do not introduce new vulnerabilities. SharePoint Server has also been targeted by multiple exploits, including CVE-2026-32201, CVE-2026-45659, and CVE-2026-56164, which enable remote code execution (RCE) and post-exploitation activities. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added both vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, mandating that Federal Civilian Executive Branch agencies apply the fixes by July 17 and July 28, 2026, respectively.
The world of cybersecurity has recently witnessed a new and disturbing trend, as a researcher known by their handle "Chaotic Eclipse" (also referred to as "Nightmare-Eclipse") has released a proof-of-concept (PoC) exploit called LegacyHive. This vulnerability, described as a Windows User Profile Service arbitrary hive load elevation of privileges vulnerability, has sent shockwaves through the industry, with experts warning that it could have far-reaching consequences for enterprise security.
The LegacyHive PoC exploit targets a core system component known as ProfSvc, which manages user accounts and environments. According to Chaotic Eclipse, the exploit requires another standard user credential and a third username (which can be an administrator account) to succeed. If successful, the exploit results in the target user hive being mounted in the current user's classes root.
What makes this vulnerability particularly concerning is that it can be functional on all supported desktop and server versions of Windows, including those running the latest July 2026 Patch Tuesday update. This means that organizations relying on these systems are at risk, regardless of whether they have installed the latest security patches or not.
The origins of this vulnerability are tied to a heated dispute between Chaotic Eclipse and Microsoft, with the researcher releasing details of multiple exploits before the company had a chance to patch them, citing a breakdown in communication. This has led to three of the vulnerabilities disclosed by Chaotic Eclipse being actively exploited shortly after public disclosure.
Furthermore, an earlier vulnerability known as RoguePlanet was recently patched by Microsoft, but the newly introduced "defense-in-depth updates" to address the flaw have been found to cause Microsoft Defender to leak 8 bytes of data when attempting to open a file in certain scenarios. This highlights the ongoing challenge of ensuring that security patches do not introduce new vulnerabilities.
In addition to the LegacyHive vulnerability, SharePoint Server has also recently been targeted by multiple exploits, including CVE-2026-32201, CVE-2026-45659, and CVE-2026-56164. These vulnerabilities enable cyber threat actors to gain unauthorized access to susceptible instances of SharePoint Server, establishing remote code execution (RCE) and post-exploitation activities.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added both vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, which mandates that Federal Civilian Executive Branch agencies apply the fixes by July 17 and July 28, 2026, respectively.
In a statement, Adam Barnett, lead software engineer at Rapid7, noted that "After years of relative stability, the Patch Tuesday process has experienced significant turbulence so far in 2026. As well as the AI-fueled exponential growth of vulnerability reporting and discovery, Microsoft is grappling with the emergence of a series of vulnerabilities disclosed in such a way as to bring maximum discomfort for Redmond."
The U.S. government agency also highlighted that "active exploitation" of these SharePoint Server vulnerabilities could enable cyber threat actors to perform operations against susceptible instances without requiring prior authentication or user interaction.
In a separate advisory, CISA warned that "Internet-facing SharePoint servers are particularly exposed because the attack can be performed remotely without valid credentials." This warning serves as a stark reminder of the importance of maintaining up-to-date security patches and implementing robust cybersecurity measures.
The discovery of these new vulnerabilities has sparked renewed concerns about the effectiveness of Patch Tuesday, which is intended to deliver critical security updates to systems running Windows. While Microsoft has released numerous security updates in recent months, experts have noted that these updates can sometimes introduce unintended consequences.
In addition to LegacyHive and SharePoint Server, other notable vulnerabilities were recently disclosed by Chaotic Eclipse and CISA, including CVE-2026-55040, which is a critical vulnerability that enables remote unauthenticated attackers to bypass authentication on vulnerable SharePoint servers. This vulnerability has the potential to be chained to additional vulnerabilities within the authenticated attack surface of susceptible sites.
This latest wave of security vulnerabilities underscores the ongoing struggle between cybersecurity researchers and organizations to stay ahead of emerging threats. As experts continue to identify new vulnerabilities, it is essential for organizations to prioritize proactive measures, including regular software updates, secure password management, and robust network monitoring.
The implications of LegacyHive are far-reaching, with potential consequences that could be felt across industries and sectors. As Chaotic Eclipse noted, "Any hive could be loaded using this vulnerability, but you would need some brain cells to make the PoC do it." This highlights the importance of staying vigilant and proactive in response to emerging threats.
In conclusion, LegacyHive serves as a stark reminder of the ongoing challenges faced by organizations seeking to maintain robust cybersecurity measures. As experts continue to uncover new vulnerabilities, it is crucial that organizations prioritize proactive measures to stay ahead of emerging threats. By investing in regular software updates, secure password management, and robust network monitoring, organizations can significantly reduce their risk exposure.
Related Information:
https://www.ethicalhackingnews.com/articles/A-New-Window-to-Exploitation-The-LegacyHive-Vulnerability-and-Its-Implications-for-Enterprise-Security-ehn.shtml
https://thehackernews.com/2026/07/researcher-drops-new-windows-zero-day.html
Published: Wed Jul 15 09:56:35 2026 by llama3.2 3B Q4_K_M