Windows User Profile Service zero-day privilege-escalation flaw (LegacyHive)
Vulnerability
Summary
Hide ▲
Show ▼
A public LegacyHive zero-day against Windows User Profile Service can escalate privileges on up-to-date Windows systems, creating admin-level compromise risk. The exploit appeared hours after Microsoft's July 2026 Patch Tuesday and has no CVE ID yet. Testing showed the flaw can let non-admin users alter the classes registry hive and trigger automatic code execution when an administrator logs in. The PoC was later modified to require extra credentials, but it still gives attackers a usable starting point for weaponization.
Related Happenings
Windows User Profile Service arbitrary hive load elevation of privileges privilege-escalation flaw
Vulnerability
H score11
First: 15.07.2026 14:07
Last: 15.07.2026 14:07
Sources 1
About this happening:
A new LegacyHive proof-of-concept exposes a Windows User Profile Service (ProfSvc) arbitrary hive-load elevation-of-privileges flaw on supported Windows desktop and...
Windows User Profile Service arbitrary hive load elevation of privileges privilege-escalation flaw
VulnerabilityAbout this happening: A new LegacyHive proof-of-concept exposes a Windows User Profile Service (ProfSvc) arbitrary hive-load elevation-of-privileges flaw on supported Windows desktop and...
Microsoft Defender BlueHammer (CVE-2026-33825) ransomware exploitation wave
Exploitation Wave
H score41
First: 30.06.2026 11:53
Last: 30.06.2026 11:53
Sources 1
About this happening:
CISA has flagged BlueHammer (CVE-2026-33825) as exploited in ransomware campaigns, expanding the risk to Windows devices exposed to privilege escalation. The flaw in *...
Microsoft Defender BlueHammer (CVE-2026-33825) ransomware exploitation wave
Exploitation WaveAbout this happening: CISA has flagged BlueHammer (CVE-2026-33825) as exploited in ransomware campaigns, expanding the risk to Windows devices exposed to privilege escalation. The flaw in *...
Microsoft Defender RoguePlanet race-condition zero-day remote code execution flaw
Vulnerability
H score39
First: 10.06.2026 02:11
Last: 10.06.2026 02:11
Sources 1
About this happening:
Microsoft Defender zero-day RoguePlanet is a race-condition flaw affecting fully patched Windows 10 and Windows 11 systems. A public proof-of-concept exploit was released shortly...
Microsoft Defender RoguePlanet race-condition zero-day remote code execution flaw
VulnerabilityAbout this happening: Microsoft Defender zero-day RoguePlanet is a race-condition flaw affecting fully patched Windows 10 and Windows 11 systems. A public proof-of-concept exploit was released shortly...
Latest development: 10.06.2026 08:22
The anonymous security researcher Chaotic Eclipse, also known as Nightmare-Eclipse, released a proof-of-concept (PoC) exploit for the Microsoft Defender zero-day RoguePlanet under a new GitHub account named MSNightmare. The race-condition exploit can yield a SYSTEM-level shell and arbitrary code execution when it succeeds, has been tested on Windows 11 and Windows 10 with the June 2026 Patch Tuesday updates installed, and currently does not work on Windows Server without redesign because standard users cannot mount an ISO image.
Windows Collaborative Translation Framework CTFMON improper link resolution EoP security flaw (CVE-2026-45586)
Vulnerability
H score20
First: 09.06.2026 20:57
Last: 09.06.2026 20:57
Sources 1
About this happening:
Windows Collaborative Translation Framework (CTFMON) has a local privilege-escalation vulnerability, CVE-2026-45586, that Microsoft patched in June 2026. An author...
Windows Collaborative Translation Framework CTFMON improper link resolution EoP security flaw (CVE-2026-45586)
VulnerabilityAbout this happening: Windows Collaborative Translation Framework (CTFMON) has a local privilege-escalation vulnerability, CVE-2026-45586, that Microsoft patched in June 2026. An author...
Microsoft SharePoint remote code execution (CVE-2026-45659)
Vulnerability
H score17
First: 26.05.2026 14:49
Last: 26.05.2026 14:49
Sources 1
About this happening:
Microsoft SharePoint CVE-2026-45659 is a remote code execution vulnerability that lets an authenticated attacker with Site Member permissions run code over the...
Microsoft SharePoint remote code execution (CVE-2026-45659)
VulnerabilityAbout this happening: Microsoft SharePoint CVE-2026-45659 is a remote code execution vulnerability that lets an authenticated attacker with Site Member permissions run code over the...
Timeline
-
17.07.2026 14:05 2 articles · 0h ago
Nightmare Eclipse releases LegacyHive Windows zero-day PoC
Initial DisclosureSecurity researcher Nightmare Eclipse released LegacyHive, a Windows zero-day proof-of-concept that abuses the Windows User Profile Service to escalate privileges on up-to-date Windows systems. The PoC was released hours after Microsoft’s July 2026 Patch Tuesday updates, had no CVE ID yet, and was modified to require additional standard-user credentials and a third username to make public weaponization harder. Testing by Will Dormann showed that successful exploitation can let a non-admin modify the classes registry hive and trigger automatic code execution when an administrator later logs in, and Kevin Beaumont later published Microsoft Defender for Endpoint detection queries for the exploit.
Show sources
- New Windows LegacyHive zero-day gives hackers admin privileges — www.bleepingcomputer.com — 17.07.2026 14:05
- New Windows LegacyHive zero-day gives hackers admin privileges — www.bleepingcomputer.com — 17.07.2026 14:05