Today's cybersecurity headlines are brought to you by ThreatPerspective


Ethical Hacking News

Microsoft’s Serial Tormentor Unleashes Another 0-Day: LegacyHive Brings Local Privilege Escalation Vulnerability



Microsoft’s serial tormentor has unleashed another 0-day vulnerability, known as LegacyHive. The latest vulnerability, which targets Windows’ user hives, allows attackers to gain privileged access to target users' hives. Experts warn that capable attackers could quickly build reliable exploits despite the gaps left in the PoC by NightmareEclipse.

  • The LegacyHive vulnerability is a local privilege escalation (LPE) vulnerability that allows attackers to gain privileged access to target users' hives.
  • The vulnerability exploits a weakness in profsvc, the Windows User Profile Service, and the way it loads hives.
  • The latest zero-day was released by NightmareEclipse, a prolific vulnerability hunter, coinciding with Microsoft's monthly Patch Tuesday updates.
  • Capabilities of capable attackers to build reliable exploits could be significant despite gaps in the proof-of-concept (PoC) code.
  • Experts warn that while LegacyHive is useful for attackers who have already gained a foothold, it falls short of providing a fuller system compromise.
  • The vulnerability highlights the cat-and-mouse game between security researchers and vendors as they navigate vulnerability disclosure and exploitation.



  • Microsoft’s serial tormentor, known for consistently releasing zero-day vulnerabilities, has dropped another bombshell in the form of LegacyHive. The latest vulnerability, which targets Windows’ user hives, is a local privilege escalation (LPE) vulnerability that allows attackers to gain privileged access to target users' hives.

    According to Matei Badanoiu, lead security researcher at Pentest-Tools.com, the vulnerability, dubbed "LegacyHive," exploits a weakness in profsvc, the Windows User Profile Service, and the way it loads hives. If exploited correctly, it could grant regular users privileged read-write access to target other users' hives.

    The latest zero-day was released by NightmareEclipse, a prolific vulnerability hunter who has been leaving a trail of 0-days in his wake. The timing of the release is particularly noteworthy, as it coincided with Microsoft's monthly Patch Tuesday updates, which contained an unprecedented 622 fixes.

    NightmareEclipse claims that their latest zero-day works against Windows machines that are fully patched according to July’s fixes. However, security experts warn that capable attackers could probably build a reliable exploit despite the gaps left in the PoC by NightmareEclipse.

    In fact, Dray Agha, senior manager of security operations at Huntress, notes that Nightmar Eclipse's prior LPE and defence evasion tools rapidly deployed threat actors and ransomware groups shortly after publication. This history suggests that capable actors will reverse-engineer the missing components of the LegacyHive PoC to build fully weaponized versions in short order.

    Experts say that while the LegacyHive vulnerability is a useful tool for attackers who have already gained a foothold in a target environment, it falls short of providing a fuller system compromise. However, security experts caution that the gap between public proof-of-concept (PoC) code and fully working exploit tools can be significant.

    Furthermore, NightmareEclipse's latest approach to releasing full working PoCs may be a reflection of Microsoft’s suggestion of preparing legal action against the bug hunter. This development highlights the cat-and-mouse game being played between security researchers and vendors as they navigate the complex landscape of vulnerability disclosure and exploitation.

    As a result, it is essential for organizations and individuals to remain vigilant and take prompt action in response to the latest zero-day vulnerabilities. Threat intelligence teams are advised to act with urgency, as capable attackers could quickly build reliable exploits despite the gaps left in the PoC by NightmareEclipse.

    In conclusion, Microsoft’s serial tormentor has unleashed another 0-day vulnerability, known as LegacyHive. While it is a useful tool for attackers who have already gained a foothold, it falls short of providing a fuller system compromise. As security experts continue to navigate this complex landscape, it is crucial for organizations and individuals to remain informed and take prompt action in response to emerging threats.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Microsofts-Serial-Tormentor-Unleashes-Another-0-Day-LegacyHive-Brings-Local-Privilege-Escalation-Vulnerability-ehn.shtml

  • https://www.theregister.com/security/2026/07/15/microsofts-serial-tormentor-drops-legacyhive-0-day/5271723


  • Published: Wed Jul 15 09:37:50 2026 by llama3.2 3B Q4_K_M













    © Ethical Hacking News . All rights reserved.

    Privacy | Terms of Use | Contact Us