
- “Chaotic Eclipse” researcher launches new Windows 11 called Zero Day LegacyHivea local privilege escalation bug targeting user registry hives
- The exploit could allow attackers to elevate low-privilege accounts, but requires prior access to the device; no full CVE or PoC has been published
- Experts warn that skilled actors could quickly use it as a weapon, urging intelligence teams to prepare mitigation measures despite a perceived lower impact than previous versions.
Chaotic Eclipse, the famous security researcher with a grudge against Microsoft, has done what it previously promised and released another zero-day vulnerability for fully patched Windows 11 devices.
However, other researchers do not consider it as dangerous as some of their previous versions.
Chaotic Eclipse has disclosed a zero-day called LegacyHive, which is a local privilege escalation (LPE) bug targeting Windows user hives.
Escalation of privileges
A few months ago, a hacker/researcher going by the pseudonym Chaotic Eclipse began publishing working exploits for fully patched Windows 11 systems, all with PoC, claiming that Microsoft had acted against them in bad faith and arguing that the company was not treating researchers with the respect they deserve.
They released a total of seven exploits, some more damning than others, and promised to release a “shattering” one on July 14, 2026. In the meantime, Microsoft initially criticized the researcher for not disclosing the flaws “responsibly”, and at one point even threatened possible legal action. However, he did not pursue legal action against the researcher and later backed away from the threat altogether, in part due to strong public backlash.
In Windows, user hives are registry files that store configuration settings specific to an individual user account. These include desktop preferences, user-specific application settings, network drive mappings, user-specific security and privacy settings, etc.
With LegacyHive, malicious actors could, in theory, gain privileged read-write access by targeting other users’ hives. Or, in other words, they could turn low-privileged accounts into high-privileged accounts. However, they would need to gain access to the device first, which is one reason why some security researchers don’t consider it as disastrous as Chaotic Eclipse’s previous work.
What also makes LegacyHive different from some other versions is that this one was not released with a CVE identifier or a fully functional proof of concept (PoC).
Still, security experts urge intelligence teams to work quickly, as skilled bad actors can fill in the gaps with relative ease and turn LegacyHive into a powerful weapon.
Via The register
Follow TechRadar on Google News And add us as your favorite source to get our news, reviews and expert opinions in your feeds.