HiveLegacy Released: Windows Privilege Escalation Zero-Day Unveiled on Record Patch Day
On the same day Microsoft released a record-breaking number of patches, an anonymous researcher unveiled exploit code for a zero-day vulnerability, HiveLegacy, allowing low-privilege users to manipulate admin account registries.
Based on an article by Dan Goodin published on Ars Technica.
On the same day Microsoft released a record number of security patches, exploit code for a new Windows zero-day vulnerability was made public. Multiple security researchers have verified its functionality. The vulnerability, known as “HiveLegacy,” is a privilege escalation flaw that enables low-privilege Windows accounts to make confidential modifications to admin account settings.
The exploit was disclosed by an anonymous researcher known as “NightmareEclypse,” who has previously released nine other exploit codes and has expressed dissatisfaction with Microsoft’s handling of vulnerability reports. The proof-of-concept code released is reportedly limited in functionality to prevent misuse.
HiveLegacy is an elevation-of-privilege exploit that targets a vulnerability residing in the Windows User Profile Service. It allows users (and with more work likely processes) with limited system rights to compromise an admin user’s account by modifying its classes registry hive, a resource that ensures the correct application opens when certain types of files are clicked on in Windows Explorer.
The targeted vulnerability exists in the Windows User Profile Service, which manages the classes registry hive. This hive is responsible for launching the correct application when specific file types are clicked in Windows Explorer. Attackers could exploit this to modify registry settings tied to administrative accounts.
“The ability of a non-admin user to be able to modify the classes registry hive of an admin user is a pretty powerful primitive. Clever attackers or people who want to accomplish something will easily be able to figure out how to do things that are more interesting and/or don’t even require user interaction.” — Will Dormann, Tharros Labs
Will Dormann, Senior Vulnerability Analyst at Tharros Labs, described this vulnerability as “a pretty powerful primitive.” He noted that skilled attackers could easily develop methods for more sophisticated operations or even for attacks that require no user interaction.
Currently, the exploit code requires attackers to know the credentials of another user, though the targeted account does not need to have admin privileges. Additionally, attackers need the username of a third account on the same machine, regardless of whether it has administrative rights. Dormann also mentioned the possibility of leveraging this vulnerability alongside others to gain more direct access to administrative privileges.
“When a new user is logging on, Windows needs to load the user’s class hive. Since the user isn’t logged on before logging on, it can’t be loaded in the context of the user. So it is loaded in the context of NT AUTHORITY\SYSTEM. LegacyHive abuses this.”
Another analyst explained how the exploit takes advantage of the mechanism by which Windows loads class hives during new user logins. Since the hive cannot be loaded in the user’s context before login, it gets loaded in the SYSTEM context, which is then exploited by LegacyHive.
Microsoft acknowledged the report of the vulnerability via email and stated that it is under investigation. The company recommends that vulnerability reporters adhere to its coordinated disclosure policy. In the meantime, independent security researcher Kevi has released a detection script, which can be run as a temporary measure.
The disclosure of HiveLegacy highlights ongoing challenges in Microsoft’s relationship with vulnerability reporters. Similar cases, such as the publication of the Microsoft Defender privilege escalation vulnerability “RoguePlanet” and the contribution of Windows GDID to identifying suspects in the “Scattered Spider” case, continue to raise fundamental questions about the security design of Windows.
Editorial Opinion
In the short term, the release of NightmareEclypse’s ninth zero-day exploit exerts serious pressure on Microsoft’s patch management system. The manipulation of the User Profile Service’s class registry hive has been described as a “powerful primitive,” necessitating urgent action from Microsoft to deploy emergency patches before attackers refine the exploit further. Administrators should immediately evaluate the impact using Kevi’s detection script.
From a long-term perspective, the need to redesign Windows’ privilege model becomes evident. The architecture that loads user hives in the SYSTEM context has left a pathway for low-privilege processes to manipulate admin registries. Without addressing this fundamental design flaw, similar vulnerabilities are likely to surface repeatedly.
As editors, we believe that Microsoft must address the institutional issues within its vulnerability reporting process. Merely recommending coordinated disclosure policies will not alleviate researchers’ frustrations. Expanding reward programs and strengthening dialogue with reporters could ultimately lead to better user protection.
References
- “Windows 0-day drops the same day Microsoft releases record number of patches”, by Dan Goodin — Ars Technica, 2026-07-15T19:59:48.000Z (CC BY-NC-ND)
- Source URL: https://arstechnica.com/security/2026/07/windows-0-day-drops-the-same-day-microsoft-releases-record-number-of-patches/
Frequently Asked Questions
- Which versions of Windows are affected by HiveLegacy?
- Microsoft is currently investigating the extent of the impact. All versions equipped with the Windows User Profile Service are likely vulnerable. Though the released proof-of-concept code is limited in functionality, there is a risk of attackers improving it. Until an official patch is released, it is recommended to use detection scripts for verification.
- Can HiveLegacy be exploited remotely?
- As of now, the proof-of-concept code requires attackers to know another user's credentials and is classified as a local privilege escalation vulnerability. However, as Will Dormann has pointed out, combining this vulnerability with others could potentially enable remote exploitation. Its operation within the SYSTEM context suggests that the scope of impact could be wide. ## References - [Windows 0-day drops the same day Microsoft releases record number of patches — Ars Technica](https://arstechnica.com/security/2026/07/windows-0-day-drops-the-same-day-microsoft-releases-record-number-of-patches/) — Published on 2026-07-15 - [Microsoft Defender Privilege Escalation Vulnerability “RoguePlanet” Published](https://singulism.com/ja/microsoft-defender-rogueplanet-zero-day) - [Windows GDID’s Contribution to Identifying Scattered Spider Suspects](https://singulism.com/ja/windows-gdid-scattered-spider-investigation)
Comments