A security researcher released a proof-of-concept zero-day exploit called LegacyHive that grants administrator access to up-to-date Windows systems [1].

The vulnerability is significant because it allows a standard user to escalate their privileges to a system administrator level. This bypasses critical security boundaries on operating systems that have already installed the latest security updates, potentially leaving millions of users and organizations vulnerable to unauthorized access.

The researcher, who uses the handle "Nightmare Eclipse" [1], identified a flaw within the Windows User Profile Service, also known as ProfSvc [2]. This exploit specifically targets the way the service handles user profiles to elevate permissions [3].

LegacyHive was released in July 2026 [3]. The release occurred only hours after Microsoft's Patch Tuesday, the monthly cycle used to distribute security fixes [3]. This timing suggests the vulnerability remained unpatched despite the most recent update cycle [3].

The exploit affects Windows operating systems globally [4]. This includes Windows 11 systems that are fully up-to-date with the July 2026 update [4]. While the exploit demonstrates a critical flaw, some reports indicate that the public build of the tool may require additional credentials to function fully [3].

Microsoft is currently investigating the flaw [5]. The researcher said the proof-of-concept was released to expose the vulnerability and encourage a fix [5]. No official patch has been issued to address the LegacyHive exploit as of this week [1].

LegacyHive can elevate a standard user to administrator on up-to-date Windows systems.

The emergence of LegacyHive highlights a persistent gap in the 'Patch Tuesday' cycle, where new vulnerabilities are discovered or released immediately after official updates. Because this exploit targets the User Profile Service—a core component of how Windows manages users—it represents a high-risk vector for local privilege escalation. Until Microsoft releases a specific fix, the security of updated Windows 11 systems relies on the fact that the public version of the exploit may still require certain credentials to execute.