Press TechRound interviews Secure.com CEO on the future of AI security
Read

Half an Hour After Patch Tuesday, Someone Dropped a Working Exploit Microsoft Cannot Fix Yet

A researcher dropped a working LegacyHive exploit for an unpatched Windows privilege escalation flaw hours after July Patch Tuesday shipped.

Dateline: July 15, 2026

No CVE, No Patch, Working Code: Inside the LegacyHive Windows Exploit

Microsoft shipped 622 fixes on July 14. About thirty minutes later, a researcher published code for a hole that was not among them.

The exploit is called LegacyHive. It targets the Windows User Profile Service, it works on every supported desktop and server build, and it works on the ones you patched yesterday. There is no CVE. There is no advisory. There is a public repository with source code and a README.

What Happened?

The researcher goes by Chaotic Eclipse, also known as Nightmare-Eclipse and MSNightmare. Repository timestamps show the code and README went up roughly eleven hours before the release went public, dated July 14 at 19:41 CEST. MIT licensed. Free to anyone.

The bug lives in ProfSvc, the User Profile Service, which runs at SYSTEM integrity and handles user accounts and environments. CrowdStrike’s read of it: the attack coerces that SYSTEM level service into loading an attacker controlled registry hive.

The chain uses symbolic links and directory objects to redirect the service’s file operations during logon. Land it, and a standard user mounts another user’s hive, including an administrator’s, into their own classes root.

The public version is deliberately hobbled. It needs credentials for a second standard user plus the username of a third account, and it only touches usrclass.dat. The researcher says the original had neither limit, that any hive could be loaded, and that turning the stripped build back into the real thing takes some thinking. Read that as a speed bump, not a lock.

What’s the Impact?

Look at the pattern, not this one bug.

Since April, this researcher has published Windows zero days without coordinating with Microsoft, citing a communications breakdown. Six drops so far, including BlueHammer, RedSun, and UnDefend. Three Microsoft Defender flaws came under active attack shortly after they went public. CISA added several to its KEV catalog. Microsoft condemned the releases, killed the researcher’s accounts, and hinted at legal action. The feud is now roughly a quarter old and shows no sign of ending.

So the question is not whether LegacyHive gets weaponized. It is how fast.

Privilege escalation is the second act of almost every intrusion. Phishing gets a foothold as a standard user. This turns that user into SYSTEM. Multi user boxes and terminal servers are the worst case, since a standard account there is not hard to come by.

Rapid7’s Adam Barnett put the year in context, noting Patch Tuesday has hit real turbulence in 2026 after years of calm, with AI accelerating vulnerability discovery while Microsoft handles disclosures timed for maximum discomfort.

There is no fix to apply. That is the whole story.

How to Avoid This

Tighten who can hold local standard accounts. The public PoC needs a second set of credentials, so account sprawl is the prerequisite you can actually take away today. Audit dormant and shared local accounts on terminal servers first.

Watch ProfSvc for hive loads that make no sense. Flag unexpected reads and writes against NTUSER.DAT and UsrClass.dat, and look for junction or symbolic link creation in profile directories by non SYSTEM processes.

Alert on registry activity under user classes roots that does not match the logged on user.

Test the PoC only in an isolated lab you are authorized to break, and track Microsoft’s advisory feed for the eventual fix.

IOCs

No CVE, no confirmed exploitation, no vendor telemetry, so nobody has published indicators. Anyone selling you a LegacyHive IOC list today made it up. Hunt behaviorally instead:

ProfSvc (svchost.exe hosting profsvc) loading hive files from outside expected profile paths Symbolic link or directory object creation targeting profile paths during logon Registry hive mounts under HKCU classes root that do not match the current user Access to another user’s UsrClass.dat or NTUSER.DAT by a standard user process Compilation or execution of unfamiliar binaries named around the LegacyHive project

The Patch Landed. The Hole Is Still Open.

Patch cycles assume a fix exists. This one does not, and your calendar has no answer for that.

Secure.com’s Infrastructure Security Teammate works the gap:

  • Correlates public PoC drops against your actual asset inventory, so you know which terminal servers and multi user hosts are in range before a CVE ever gets assigned
  • Maps the attack path from one standard account to SYSTEM to whatever sits downstream, which is the part that decides how bad this gets
  • Flags local account sprawl and dormant standard users, the exact prerequisite the public exploit needs
  • Turns behavioral hunting hypotheses into SIEM correlation rules instead of leaving them in a blog post
  • Watches KEV daily and re-ranks priority the moment “no known exploitation” stops being true