Windows User Profile Service arbitrary hive load elevation of privileges privilege-escalation flaw
Vulnerability
Summary
Hide ▲
Show ▼
A new LegacyHive proof-of-concept exposes a Windows User Profile Service (ProfSvc) arbitrary hive-load elevation-of-privileges flaw on supported Windows desktop and server versions, including systems with the July 2026 Patch Tuesday update. The stripped-down exploit shows that the weakness can still be exercised publicly, raising the risk of local privilege escalation and hive manipulation on affected hosts. The researcher said the original exploit was broader, did not require additional credentials, and was not limited to usrclass.dat. That makes the flaw a live security issue for in-support Windows builds rather than a theoretical bug.
Related Happenings
Linux kernel RDS PinTheft local privilege escalation flaw (public PoC)
Vulnerability
H score15
First: 20.05.2026 13:52
Last: 20.05.2026 13:52
Sources 1
About this happening:
**PinTheft** now has a **public PoC exploit**, turning a recently patched **Linux kernel RDS** flaw into a practical **local privilege escalation** risk for **Arch Linux** systems...
Linux kernel RDS PinTheft local privilege escalation flaw (public PoC)
VulnerabilityAbout this happening: **PinTheft** now has a **public PoC exploit**, turning a recently patched **Linux kernel RDS** flaw into a practical **local privilege escalation** risk for **Arch Linux** systems...
CISA orders FCEB remediation for CVE-2025-60710
Public Sector Action
H score34
First: 15.04.2026 17:51
Last: 15.04.2026 17:51
Sources 1
About this happening:
CISA added **CVE-2025-60710** to its **actively exploited** catalog and gave **FCEB agencies** **two weeks** to secure systems under **BOD 22-01**. The move targets a **Windows Ta...
CISA orders FCEB remediation for CVE-2025-60710
Public Sector ActionAbout this happening: CISA added **CVE-2025-60710** to its **actively exploited** catalog and gave **FCEB agencies** **two weeks** to secure systems under **BOD 22-01**. The move targets a **Windows Ta...
CISA updates KEV entry for CVE-2026-1731
Public Sector Action
H score36
First: 20.02.2026 17:45
Last: 20.02.2026 17:45
Sources 1
About this happening:
**CISA** updated its **KEV catalog** entry for **CVE-2026-1731**, confirming the flaw has been used in **ransomware campaigns** and elevating its government-tracked risk. The upda...
CISA updates KEV entry for CVE-2026-1731
Public Sector ActionAbout this happening: **CISA** updated its **KEV catalog** entry for **CVE-2026-1731**, confirming the flaw has been used in **ransomware campaigns** and elevating its government-tracked risk. The upda...
CISA adds four actively exploited flaws to KEV with FCEB deadlines
Public Sector Action
H score35
First: 13.02.2026 10:34
Last: 13.02.2026 10:34
Sources 1
About this happening:
CISA added **four vulnerabilities** to the **Known Exploited Vulnerabilities (KEV) catalog** after evidence of **active exploitation**, putting **FCEB agencies** on a forced remed...
CISA adds four actively exploited flaws to KEV with FCEB deadlines
Public Sector ActionAbout this happening: CISA added **four vulnerabilities** to the **Known Exploited Vulnerabilities (KEV) catalog** after evidence of **active exploitation**, putting **FCEB agencies** on a forced remed...
BeyondTrust Remote Support and Privileged Remote Access CVE-2026-1731 active exploitation wave
Exploitation Wave
H score76
First: 12.02.2026 23:34
Last: 12.02.2026 23:34
Sources 1
About this happening:
**CVE-2026-1731** in **BeyondTrust Remote Support** and **Privileged Remote Access** is now seeing **first in-the-wild exploitation**, putting exposed appliances at risk of remote...
BeyondTrust Remote Support and Privileged Remote Access CVE-2026-1731 active exploitation wave
Exploitation WaveAbout this happening: **CVE-2026-1731** in **BeyondTrust Remote Support** and **Privileged Remote Access** is now seeing **first in-the-wild exploitation**, putting exposed appliances at risk of remote...
Timeline
-
15.07.2026 14:07 2 articles · 2h ago
Chaotic Eclipse releases LegacyHive Windows User Profile Service PoC
Initial DisclosureChaotic Eclipse (aka Nightmare-Eclipse) releases LegacyHive, a stripped-down proof-of-concept for a Windows User Profile Service (ProfSvc) arbitrary hive-load elevation of privileges flaw on supported Windows desktop and server versions, including systems with the latest July 2026 Patch Tuesday update. The researcher says the original exploit did not require additional user credentials and was not limited to usrclass.dat, while the public PoC requires another standard user credential and a third username.
Show sources
- Researcher Drops New Windows Zero-Day PoC Hours After Microsoft Patch Tuesday — thehackernews.com — 15.07.2026 14:07
- Researcher Drops New Windows Zero-Day PoC Hours After Microsoft Patch Tuesday — thehackernews.com — 15.07.2026 14:07