Windows 'LegacyHive' zero-day hands ordinary users admin power on fully patched PCs
A researcher published working attack code hours after Microsoft's July 2026 patches, and it still works. Microsoft has no fix yet, and no CVE has been assigned.

Key points
- A researcher using the handle Nightmare Eclipse published a working Windows zero-day exploit called LegacyHive in July 2026, hours after Microsoft's monthly patches.
- The flaw sits in the Windows User Profile Service and lets a standard user gain administrator control when an admin later logs in.
- Microsoft has not yet issued a patch or a CVE tracking number for the bug.
- Will Dormann of Tharros confirmed the exploit works on up-to-date Windows systems.
- Kevin Beaumont has published detection rules for Microsoft Defender for Endpoint so defenders can spot the attack.
A security researcher who goes by Nightmare Eclipse has released working attack code for a fresh Windows flaw. They call it LegacyHive. It lets a normal user on a Windows PC quietly promote themselves to administrator, meaning full control of the machine.
The code appeared just hours after Microsoft's July 2026 Patch Tuesday, the monthly bundle of security fixes Microsoft ships on the second Tuesday of every month. The bug it targets was not in that bundle. There is no fix yet.
There is not even a CVE number yet. A CVE is the standard ID (in the form CVE-YYYY-NNNNN) that the industry uses to track a specific software flaw. Without one, defenders have to describe the bug the long way round.
How does the attack actually work?
The flaw lives in a piece of Windows called the User Profile Service, which sets up your desktop, files and settings when you sign in. Nightmare Eclipse found a way to abuse it so a non-admin can tamper with part of the Windows registry (the internal settings database) that belongs to another user, including an administrator.
Once that tampering is in place, the attacker waits. The next time an administrator logs into the same machine, code chosen by the attacker runs automatically, with admin rights.
Will Dormann, principal vulnerability analyst at Tharros, tested the public code and confirmed it works. As a harmless demonstration, he made Windows open the calculator app whenever anyone double-clicked a text file. Swap the calculator for malware and the joke stops being funny.
Is this as bad as it sounds?
Mostly, but with one important caveat. Nightmare Eclipse deliberately watered down the public code before releasing it. The version anyone can download needs a second set of standard user credentials and a third username to work, which is an unusual hurdle.
In the researcher's own words, the original version needed none of that and could load "any hive" (any chunk of the registry), not just the user's. So the bug itself is more powerful than the proof of concept suggests. A skilled attacker could likely rebuild the stronger version.
Multi-factor authentication would not help here. This is not a login attack. The attacker already has a working account on the machine and is climbing from standard user to admin, which is a permissions problem, not an identity one.
What can defenders do right now?
One day after the code dropped, security researcher Kevin Beaumont published detection queries for Microsoft Defender for Endpoint, Microsoft's enterprise security product. Organisations running it can paste those queries in and start hunting.
Admins should also avoid logging into shared workstations with a privileged account until Microsoft ships a fix. If an admin never logs in, the trap never springs.
Why is Microsoft not happy?
Nightmare Eclipse has been on a roll. Over recent months they have dropped zero-days affecting Microsoft Defender, BitLocker and other Windows components, with names like RoguePlanet, BlueHammer, RedSun, YellowKey, GreenPlasma, MiniPlasma and UnDefend. Microsoft patched several of these in the June and July 2026 updates.
As BleepingComputer noted, Microsoft has responded with public warnings about legal action against those causing "real harm to our customers." Several researchers read that as a shot aimed squarely at Nightmare Eclipse. Microsoft did not provide comment in time.
Until Microsoft ships a patch, the safest posture is simple. Assume any shared Windows machine where non-admins can log in is a potential trap for the next admin to sign in.



