Microsoft’s nemesis returns with another Zero Day PoC, but it is

Microsoft’s nemesis returns with another Zero Day PoC, but it is

A laptop with the Windows 11 desktop on the screen, shiny, on a desk
(Image credit: Shutterstock/Ham Patipak)

  • “Chaotic Eclipse” researcher launches new Windows 11 called Zero Day LegacyHivea local privilege escalation bug targeting user registry hives
  • The exploit could allow attackers to elevate low-privilege accounts, but requires prior access to the device; no full CVE or PoC has been published
  • Experts warn that skilled actors could quickly use it as a weapon, urging intelligence teams to prepare mitigation measures despite a perceived lower impact than previous versions.

Chaotic Eclipse, the famous security researcher with a grudge against Microsoft, has done what it previously promised and released another zero-day vulnerability for fully patched Windows 11 devices.

However, other researchers do not consider it as dangerous as some of their previous versions.

Chaotic Eclipse has disclosed a zero-day called LegacyHive, which is a local privilege escalation (LPE) bug targeting Windows user hives.

Escalation of privileges

A few months ago, a hacker/researcher going by the pseudonym Chaotic Eclipse began publishing working exploits for fully patched Windows 11 systems, all with PoC, claiming that Microsoft had acted against them in bad faith and arguing that the company was not treating researchers with the respect they deserve.

They released a total of seven exploits, some more damning than others, and promised to release a “shattering” one on July 14, 2026. In the meantime, Microsoft initially criticized the researcher for not disclosing the flaws “responsibly”, and at one point even threatened possible legal action. However, he did not pursue legal action against the researcher and later backed away from the threat altogether, in part due to strong public backlash.

In Windows, user hives are registry files that store configuration settings specific to an individual user account. These include desktop preferences, user-specific application settings, network drive mappings, user-specific security and privacy settings, etc.

With LegacyHive, malicious actors could, in theory, gain privileged read-write access by targeting other users’ hives. Or, in other words, they could turn low-privileged accounts into high-privileged accounts. However, they would need to gain access to the device first, which is one reason why some security researchers don’t consider it as disastrous as Chaotic Eclipse’s previous work.

Sign up for the TechRadar Pro newsletter to get all the top news, opinions, features and tips your business needs to succeed!

What also makes LegacyHive different from some other versions is that this one was not released with a CVE identifier or a fully functional proof of concept (PoC).

Still, security experts urge intelligence teams to work quickly, as skilled bad actors can fill in the gaps with relative ease and turn LegacyHive into a powerful weapon.

Via The register



Follow TechRadar on Google News And add us as your favorite source to get our news, reviews and expert opinions in your feeds.


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). During his career, which spans more than a decade, he has written for numerous media outlets, including Al Jazeera Balkans. He has also hosted several modules on content writing for Represent Communications.

Exit mobile version