CVE Tools
Back to feed
Хакер (xakep.ru) ·RU-RU Restricted PoC publicWindows User Profile Service (ProfSvc)UsrClass.dat registry hive

Опубликован эксплоит для 0-day-уязвимости LegacyHive в Windows

By Мария Нефёдова··2 min read
CVE Tools coverage

An anonymous security researcher known as Nightmare Eclipse has released a proof-of-concept (PoC) exploit called LegacyHive targeting a new zero-day vulnerability in Windows. The flaw enables non-privileged users to access registry hives of other accounts, including administrative ones. The exploit was made public just hours after Microsoft's July 2026 patch release.

LegacyHive exploits the Windows User Profile Service (ProfSvc) and its handling of registry hive loading during user login. By leveraging this mechanism, an attacker can attach another user’s UsrClass.dat hive to their own registry tree, allowing read and write access to sensitive data such as COM-class settings and file associations. This could be used to execute malicious code upon the next login of an administrator account.

According to expert Will Dormann from Tharros Labs, the ability to modify an admin hive is a powerful attack primitive. While the current PoC requires local access and knowledge of a regular user’s credentials, Nightmare Eclipse claims that the full exploit does not require these conditions and can target additional hive types. Researchers have already shared detection scripts, and administrators are advised to monitor for unusual hive loads and restrict local non-administrative accounts.