Nightmare Eclipse Releases 'LegacyHive' Windows Zero-Day on Patch Tuesday

A prolific anonymous researcher drops yet another unpatched Windows flaw, this time one that lets ordinary users quietly take control of administrator accounts.

ThreatVectr Newsdesk· 3 min read
Photoreal editorial shot of a dimly lit server rack with amber warning LEDs reflecting off polished metal, rows of patch cables in soft focus, cool blue ambient
Share

Key points

  • Nightmare Eclipse published the LegacyHive exploit on 8 July 2026, the same day Microsoft released its scheduled monthly security fixes.
  • LegacyHive is an unpatched flaw in the Windows User Profile Service that lets a standard user load and access another user's account data, including an administrator's.
  • The researcher stripped the published proof-of-concept code, meaning the release is deliberately incomplete to limit opportunistic criminal use.
  • Nightmare Eclipse has now published more than eight unpatched Windows flaws; at least three of them, BlueHammer, RedSun, and UnDefend, have been used in real attacks.
  • Microsoft had not publicly acknowledged LegacyHive at the time of publication, as first reported by SecurityWeek.

A researcher going by Nightmare Eclipse, also known as Chaotic Eclipse, published a new unpatched Windows security flaw this week. The timing was pointed: the release landed on 8 July 2026, the same day Microsoft issued its regular monthly batch of security fixes, known in the industry as Patch Tuesday.

The flaw is called LegacyHive. It sits inside a Windows component called the User Profile Service, which manages the personal settings and data stored for each person who logs into a computer. A "hive" is simply a bundle of that stored data. The bug is a local privilege escalation vulnerability, meaning someone who already has basic access to a machine can use it to climb up to a much more powerful level, specifically, reading the account data of other users, including administrators who have full control of the system.

How dangerous is this, really?

In plain terms, a criminal who had already found a way onto your work computer at a low level could use LegacyHive to grab administrator credentials and take over completely. That is a serious step up. However, the researcher deliberately published a stripped-down version of the working code, a proof-of-concept that demonstrates the flaw exists but leaves out the pieces needed for a clean, instant attack. Nightmare Eclipse says the full, more powerful version, which required no user credentials at all, is still possible to recreate but would take additional work.

This researcher is not new to this kind of disclosure. Nightmare Eclipse has now released more than eight zero-days, meaning flaws that the software maker did not know about, in Microsoft products. Three of those earlier releases, BlueHammer, RedSun, and UnDefend, were picked up and used in real attacks before any patch was available. The others, GreenPlasma, RoguePlanet, YellowKey, and GreatXML, remain unpatched as of this writing.

Microsoft has not yet commented on LegacyHive.

If you manage computers at work, the practical priority right now is ensuring your systems are running the latest July 2026 Windows patches, even though those patches do not fix LegacyHive. Applying them closes other known holes that criminals routinely chain together with flaws exactly like this one. Monitor for any unexpected changes to administrator accounts, and limit the number of people who hold administrator-level access in the first place.

© 2026 Threat Vectr