A researcher operating under the handles Chaotic Eclipse and Nightmare-Eclipse has published a new proof-of-concept exploit dubbed LegacyHive, targeting an elevation of privilege flaw in the Windows User Profile Service (ProfSvc). The disclosure landed just hours after Microsoft’s most recent Patch Tuesday release, raising questions about whether the issue was addressed in that update cycle.

ProfSvc is a core Windows component responsible for loading and unloading user registry hives during logon and logoff. According to the researcher’s description, LegacyHive abuses the service’s handling of arbitrary hive loads to escalate privileges on an affected system. Specifics on affected Windows versions and exploitation prerequisites have not been fully detailed in public reporting.

Part of a Pattern

This is not the researcher’s first high-profile release. In early June, the same individual published a separate PoC exploit, tracked in coverage as RoguePlanet, targeting a vulnerability in Windows Defender. That disclosure followed a string of other Microsoft zero-day releases attributed to the same researcher, suggesting a sustained focus on Windows core services and security tooling.

Microsoft has previously acted to contain the Defender-related issue, though details on remediation timelines and whether a formal patch was shipped were not fully specified in available reporting.

What Defenders Should Do

  • Monitor for updated guidance from Microsoft regarding ProfSvc and any related advisories tied to the LegacyHive PoC.
  • Review privilege escalation detection rules, particularly around unusual registry hive load operations tied to user profile creation or teardown.
  • Ensure endpoint protection and EDR telemetry captures anomalous ProfSvc process behavior, especially on multi-user or shared systems.
  • Track researcher disclosures from this actor going forward, given the pattern of rapid PoC releases following Microsoft’s monthly patch cycle.

No CVE identifier has been confirmed in current reporting for the LegacyHive flaw. Security teams should treat the PoC’s existence as an indicator that exploitation attempts could follow quickly, particularly on systems where local access is already available to an attacker or malicious insider.