The Hacker News24%
Researcher Drops New Windows Zero-Day PoC Hours After Microsoft Patch Tuesday 25%
By Ravie Lakshmanan25%
7/15/2026, 11:07:00 AM
BS Summary: This article contains 19 faulty reasoning types, including Appeal to Authority, Recency Bias, and Availability Heuristic, with Negativity Bias as the most egregious example at 22.4% saturation with 170 hits. Analysis detected 1,153 faulty-reasoning hits from 758 analyzed words, generating a BS Score of 37.4% and a BS Rank of 25% (12,009 of 15,985 articles). This article is better (less manipulative) than 75.10% of the article peer group.
Security researcher <b>Chaotic Eclipse</b> (aka <b>Nightmare-Eclipse</b>) has <a href="https://blog.projectnightcrawler.dev/posts/2026-07-14-legacyhive-public-disclosure/" target="_blank">released</a> a new proof-of-concept (PoC) exploit called LegacyHive.
It has been described as a Windows User Profile Service arbitrary hive load elevation of privileges vulnerability.
The Windows User Profile Service, also referred to as ProfSvc, is a core system component that manages user accounts and environments.
"The PoC requires another standard user credential and a third username (which can be an administrator account)," Chaotic Eclipse <a href="https://git.projectnightcrawler.dev/NightmareEclipse/LegacyHive" target="_blank">said</a>.
"If the PoC is successful, it will end up mounting the target user hive in the current user classes root."
The researcher said the exploit was stripped down to prevent public exploitation, adding the original exploit did not require additional user credentials and was not limited to the "usrclass.dat" hive.
"Any hive could be loaded using this vulnerability, but you would need some brain cells to make the PoC do it," the researcher noted.
What makes it notable is that it's functional on all supported desktop and server versions of Windows, including those running the latest July 2026 Patch Tuesday update.
Chaotic Eclipse and Microsoft have been <a href="https://thehackernews.com/2026/05/microsoft-slams-public-zero-day.html" target="_blank">locked in a heated dispute</a> since at least April 2026, with the researcher releasing details of multiple exploits before the Windows maker had a chance to patch them, citing a breakdown in communication.
Three of the vulnerabilities in Microsoft Defender came under active exploitation shortly after public disclosure.
Earlier this month, the tech giant released security updates for another Defender vulnerability known as RoguePlanet that was disclosed by the researcher.
However, it emerged that the newly introduced "defense-in-depth updates" to address the flaw can cause Microsoft Defender to leak 8 bytes of data when attempting to open a file in certain scenarios.
Microsoft <a href="https://thehackernews.com/2026/07/microsoft-patches-rogueplanet-defender.html" target="_blank">told</a> The Hacker News that it's investigating the new report.
We have contacted the company for comment regarding LegacyHive, and we will update the story if we hear back.
<h3>SharePoint Server Flaws in Spotlight</h3>
The development comes as Microsoft shipped patches for a <a href="https://thehackernews.com/2026/07/microsoft-patches-record-622-flaws.html" target="_blank">record 622 flaws</a>, including two privilege escalation shortcomings in SharePoint Server (CVE-2026-56164, CVSS score: 5.3) and Active Directory Federation Services (CVE-2026-56155, CVSS score: 7.8) that have been flagged as actively exploited.
The U.S.
Cybersecurity and Infrastructure Security Agency (CISA) has <a href="https://www.cisa.gov/news-events/alerts/2026/07/14/cisa-adds-four-known-exploited-vulnerabilities-catalog" target="_blank">added</a> both vulnerabilities to its Known Exploited Vulnerabilities (<a href="https://www.cisa.gov/known-exploited-vulnerabilities-catalog" target="_blank">KEV</a>) catalog, which mandates that Federal Civilian Executive Branch (FCEB) agencies apply the fixes by July 17 and July 28, 2026, respectively.
"After years of relative stability, the Patch Tuesday process has experienced significant turbulence so far in 2026," Adam Barnett, lead software engineer at Rapid7, said in a statement.
"As well as the AI-fuelled exponential growth of vulnerability reporting and discovery, Microsoft is grappling with the emergence of a series of vulnerabilities disclosed in such a way as to bring maximum discomfort for Redmond."
In a separate advisory, the agency <a href="https://www.cisa.gov/news-events/alerts/2026/07/14/cisa-urges-sharepoint-hardening-after-new-exploitations" target="_blank">said</a> it's aware of active exploitation of multiple SharePoint Server flaws, including <a href="https://www.cve.org/CVERecord?
id=CVE-2026-32201" target="_blank">CVE-2026-32201</a>, <a href="https://www.cve.org/CVERecord?
id=CVE-2026-45659" target="_blank">CVE-2026-45659</a>, and CVE-2026-56164, that enable cyber threat actors to gain unauthorized access to susceptible instances.
"These vulnerabilities affect all supported on-premises SharePoint Server versions (Subscription Edition, 2019, and 2016) and involve establishing remote code execution (RCE) and post-exploitation activities, such as stealing Internet Information Services (IIS) machine keys and performing deserialization techniques, to gain persistence and deploy malware," CISA said.
"The flaw stems from missing authentication for a critical function, enabling an attacker to reach functionality that should require authorization," Alex Vovk, CEO and co-founder of Action1, said about CVE-2026-56164.
"An attacker can send specially crafted network requests to access functionality that should require authentication, resulting in privilege escalation.
The vulnerability primarily impacts system integrity by allowing unauthorized actions without requiring prior authentication or user interaction.
Internet-facing SharePoint servers are particularly exposed because the attack can be performed remotely without valid credentials."
It's worth noting that the July 2026 update also addresses another critical SharePoint Server security feature bypass vulnerability (<a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-55040" target="_blank">CVE-2026-55040</a>, CVSS score: 9.1) that a remote unauthenticated attacker could exploit to bypass authentication on a vulnerable SharePoint server and perform operations as a SharePoint site user or administrator.
"The vulnerability is due to several issues in the JWT token validation pipeline," Rapid7 <a href="https://www.rapid7.com/blog/post/ve-cve-2026-55040-microsoft-sharepoint-jwt-token-authentication-bypass-fixed/" target="_blank">said</a>.
"An attacker who successfully exploits CVE-2026-55040 can perform operations against the target SharePoint site as the user they identify as.
Furthermore, this authentication bypass can be chained to additional vulnerabilities within the authenticated attack surface of the target site."
Analysis
Hover over highlighted words in the article to view the associated bias or fallacy analysis.