Announcement.

The PoC reportedly uses a carefully timed path-switching trick to make Windows mount another user’s Registry file, potentially an administrator’s, under a standard “helper” account.

Nightmare-Eclipse claims it works across supported Windows desktop and server builds patched through July 2026.

Nightmare-Eclipse says a private version could load arbitrary Registry hives, but that broader version has not been published.

Interestingly, Nightmare-Eclipse previously told us that vulnerability names are inspired by random events in his life. “LegacyHive” appears to break from that convention.

Deja vu: Microsoft patched this broad ProfSvc trust-boundary failure in 2015 as CVE-2015-0004, which also loaded another user’s hive. LegacyHive appears to use a new path-swap to revive that bug class.

As of writing: no CVE, no Microsoft advisory, no comment.

Text source: International Cyber Digest.