Find notable cyber news and cases, enriched with sources, timelines, and signals.

Windows User Profile Service arbitrary hive load elevation of privileges privilege-escalation flaw

Vulnerability
First reported
Last updated
Happening score
H score 11
1 unique sources, 1 articles

Summary

Hide ▲

A new LegacyHive proof-of-concept exposes a Windows User Profile Service (ProfSvc) arbitrary hive-load elevation-of-privileges flaw on supported Windows desktop and server versions, including systems with the July 2026 Patch Tuesday update. The stripped-down exploit shows that the weakness can still be exercised publicly, raising the risk of local privilege escalation and hive manipulation on affected hosts. The researcher said the original exploit was broader, did not require additional credentials, and was not limited to usrclass.dat. That makes the flaw a live security issue for in-support Windows builds rather than a theoretical bug.

Related Happenings

Linux kernel RDS PinTheft local privilege escalation flaw (public PoC)

Vulnerability
H score15 First: 20.05.2026 13:52 Last: 20.05.2026 13:52 Sources 1

About this happening: **PinTheft** now has a **public PoC exploit**, turning a recently patched **Linux kernel RDS** flaw into a practical **local privilege escalation** risk for **Arch Linux** systems...

CISA orders FCEB remediation for CVE-2025-60710

Public Sector Action
H score34 First: 15.04.2026 17:51 Last: 15.04.2026 17:51 Sources 1

About this happening: CISA added **CVE-2025-60710** to its **actively exploited** catalog and gave **FCEB agencies** **two weeks** to secure systems under **BOD 22-01**. The move targets a **Windows Ta...

CISA updates KEV entry for CVE-2026-1731

Public Sector Action
H score36 First: 20.02.2026 17:45 Last: 20.02.2026 17:45 Sources 1

About this happening: **CISA** updated its **KEV catalog** entry for **CVE-2026-1731**, confirming the flaw has been used in **ransomware campaigns** and elevating its government-tracked risk. The upda...

CISA adds four actively exploited flaws to KEV with FCEB deadlines

Public Sector Action
H score35 First: 13.02.2026 10:34 Last: 13.02.2026 10:34 Sources 1

About this happening: CISA added **four vulnerabilities** to the **Known Exploited Vulnerabilities (KEV) catalog** after evidence of **active exploitation**, putting **FCEB agencies** on a forced remed...

BeyondTrust Remote Support and Privileged Remote Access CVE-2026-1731 active exploitation wave

Exploitation Wave
H score76 First: 12.02.2026 23:34 Last: 12.02.2026 23:34 Sources 1

About this happening: **CVE-2026-1731** in **BeyondTrust Remote Support** and **Privileged Remote Access** is now seeing **first in-the-wild exploitation**, putting exposed appliances at risk of remote...

Timeline

  1. 15.07.2026 14:07 2 articles · 2h ago

    Chaotic Eclipse releases LegacyHive Windows User Profile Service PoC

    Initial Disclosure

    Chaotic Eclipse (aka Nightmare-Eclipse) releases LegacyHive, a stripped-down proof-of-concept for a Windows User Profile Service (ProfSvc) arbitrary hive-load elevation of privileges flaw on supported Windows desktop and server versions, including systems with the latest July 2026 Patch Tuesday update. The researcher says the original exploit did not require additional user credentials and was not limited to usrclass.dat, while the public PoC requires another standard user credential and a third username.

    Show sources