cognitive cybersecurity intelligence

News and Analysis

Search

New Windows LegacyHive 0-Day Vulnerability Allows Hackers to Gain Admin Access

New Windows LegacyHive 0-Day Vulnerability Allows Hackers to Gain Admin Access

A Windows zero-day vulnerability, dubbed LegacyHive (MSNightmare), abuses the User Profile Service to enable local privilege escalation, tampering with administrator accounts, and admin-level code execution.

LegacyHive targets the Windows User Profile Service (ProfSvc), which is responsible for loading and unloading user profiles and their registry hives during logon and logoff.

The public proof‑of‑concept (PoC) from the MSNightmare GitHub account describes the bug as a “Windows user profile service arbitrary hive load elevation of privileges vulnerability.”

In practical terms, LegacyHive lets a low‑privileged user mount another user’s registry hive, specifically the UsrClass.dat hive, into their own HKEY_CLASSES_ROOT, exposing that other user’s application data and configuration as if it were their own.

Security researcher Will Dormann demonstrated that by running LegacyHive.exe with a second standard user’s credentials, specifying an administrator account name, and then starting regedit.exe as that second user, the non‑admin gains direct access to the administrator’s Classes registry hive.

While the tool runs, a new pair of 1003 registry keys is loaded into HKEY_USERS, but their contents remain inaccessible (source: Wdormann)

Windows LegacyHive 0-Day Vulnerability

On its own, read‑only access to UsrClass.dat does not immediately expose password hashes or direct credential theft. However, it creates a powerful primitive: a non‑admin can modify an admin’s classes registry hive and hijack how that account launches applications or COM objects.

Dormann showed that a non‑admin could, for example, change the .txt file association in the admin’s hive to launch calc.exe instead of a text editor, illustrating how arbitrary code can be wired into the admin’s workflow.

More dangerously, an attacker can overwrite COM objects or shell extensions that load automatically when the administrator logs in, turning the hijacked hive into a persistence and code‑execution mechanism that runs with admin privileges during a normal sign‑in.

Because the execution occurs in the context of the legitimate admin account on their own machine, such activity can appear “normal,” making endpoint detection and response (EDR) tools less likely to flag it as suspicious.

NightmareEclipse’s public PoC was deliberately stripped down: it requires credentials for another standard user, is limited to the UsrClass.dat hive, and omits the generalized arbitrary hive loading logic.

LegacyHive loads an admin user’s Classes registry hive, allowing another user to access it via Regedit (source: Wdormann)

The researcher claims the original exploit did not require additional user credentials and could coerce ProfSvc (and even achieve kernel‑level impersonation as NT AUTHORITY\SYSTEM) to load any hive, greatly expanding its impact beyond user classes.

Despite Microsoft’s July 2026 Patch Tuesday fixing hundreds of CVEs, LegacyHive reportedly works on all currently supported Windows desktop and server editions that are fully patched through those updates, with no assigned CVE or dedicated security bulletin at the time of disclosure.

Microsoft has publicly stated that it is “aware of the reported vulnerability and is actively investigating the validity and potential applicability of these claims,” but organizations cannot yet rely on an official fix.

Early reverse‑engineering using tools like Process Monitor indicates that LegacyHive abuses how ProfSvc resolves and opens the target user’s UsrClass.dat via the Windows Object Manager and registry hive loading routines.

The initial access to usrClass.dat failed with ACCESS DENIED, but retrying as NT AUTHORITY\SYSTEM succeeded, granting file access (source: Wdormann)

Dormann observed that the initial attempt to open the target admin’s hive using a low‑privileged identity returns an ACCESS DENIED response.

However, a subsequent retry under an impersonated NT AUTHORITY\SYSTEM context succeeds, leaving the hive mounted and accessible to the attacker‑controlled user.

This behavior aligns with long‑standing quirks in Windows where kernel‑mediated impersonation and race conditions on file or registry operations can be abused to gain SYSTEM‑level effects, a pattern previously documented in Project Zero research on arbitrary file creation and classes hive hijacking.

LegacyHive appears to repurpose that pattern against ProfSvc, resulting in what researchers describe as an unpatched local privilege escalation path via arbitrary hive loading.

Because LegacyHive is local and post‑compromise, attackers must already have access to a Windows system and at least one non‑admin account before exploiting the bug. However, it then offers a route to sabotage higher‑privileged users and escalate privileges.

Until Microsoft ships a patch, defenders can reduce risk by restricting local login for privileged accounts, segmenting admin workstations, tightening monitoring around registry hive modifications, and closely watching COM/object registration changes in admin profiles.

Organizations should also treat systems where NightmareEclipse tools are found, LegacyHive and prior RoguePlanet/Defender exploits, as potentially compromised, given the researcher’s track record of functional PoC releases against fully patched Windows builds.

 Strengthen Your SOC by Accelerating Threat Detection & Rapid Investigations. -> Integrate ANY.RUN With Your SOC Now.
The post New Windows LegacyHive 0-Day Vulnerability Allows Hackers to Gain Admin Access appeared first on Cyber Security News.

Source: cybersecuritynews.com –

Subscribe to newsletter

Subscribe to HEAL Security Dispatch for the latest healthcare cybersecurity news and analysis.

More Posts