Cybersecurity & Protection

Legacyhive: Researcher Publishes Unpatched Windows Privilege Escalation Exploit

Jul 17, 2026 2 min read
All articles

A security researcher using the pseudonym Chaotic Eclipse (also known as Nightmare Eclipse) has published a new zero-day exploit for Windows. Named Legacyhive, it enables privilege escalation on all current Windows desktop and server versions. No patch exists yet.

How Legacyhive Works

Legacyhive exploits the way Windows registry hives can be mounted within a standard user's Classes directory. An attacker only needs access to two standard user accounts to execute actions with administrator privileges. Specifically, registry structures associated with an admin account can be mounted in the context of a regular user.

Security researchers Kevin Beaumont and Will Dormann independently confirmed the exploit works. Beaumont describes one attack path: an attacker overwrites a COM object that loads during logon. When an admin logs in afterward, malicious code runs automatically with their privileges.

The researcher states the exploit code was intentionally weakened to prevent widespread misuse. In its original form, no second standard user is reportedly needed, and arbitrary hives can be transferred without restriction. Beaumont has published detection rules on GitHub that IT administrators can use as a temporary mitigation.

Background and Microsoft's Response

The release was timed to coincide with Microsoft's July Patch Tuesday, consistent with the researcher's previous leaks. Chaotic Eclipse has publicly described a long-running dispute with Microsoft over vulnerability handling.

Microsoft confirmed the publication and stated it is investigating the underlying vulnerability. A patch timeline has not been provided. In the meantime, IT administrators should tighten user account controls, limit unnecessary standard accounts, and deploy Beaumont's detection rules.