- Researcher “Chaotic Eclipse” releases new Windows 11 zero-day dubbed LegacyHivea local privilege escalation bug that targets user registration
- Exploitation could let attackers elevate low-privileged accounts, but requires prior device access; no CVE or full PoC was published
- Experts warn that skilled actors could weaponize it quickly, urging intelligence teams to prepare mitigations despite lower perceived impact than previous releases
Chaotic Eclipse, the infamous security researcher with a Microsoft eye, did as they previously promised and released another zero-day vulnerability for fully patched Windows 11 devices.
However, other researchers do not see it as dangerous as some of their previous publications.
Chaotic Eclipse exposed a zero-day called LegacyHive, which is a local privilege escalation flaw (LPE) targeting Windows’ user hives.
Escalating privileges
A few months ago, a hacker/researcher with the alias Chaotic Eclipse began publishing working exploits for fully patched Windows 11 systems, all with PoCs, claiming that Microsoft acted against them in bad faith, arguing that the company does not treat researchers with the respect they deserve.
They released a total of seven exploits, some more damning than others, and promised to release a “bone-shattering” one on July 14, 2026. Meanwhile, Microsoft first criticized the researcher for not “responsibly” disclosing the bugs and at one point even threatened possible lawsuits. However, it did not sue the researcher and later backed off the threat altogether, in part as a result of strong public backlash.
In Windows, user hives are registry files that store configuration settings specific to an individual user account. These include desktop preferences, user-specific application settings, network drive mappings, user-specific security and privacy settings, and more.
With LegacyHive, threat actors could theoretically gain privileged read and write access to other users’ hives. Or in other words, they could turn low-privileged accounts into high-privileged ones. However, they had to gain access to the device first, which is one of the reasons why some security researchers don’t see it as catastrophic as Chaotic Eclipse’s previous work.
What also sets LegacyHive apart from some other releases is that this one was not released with a CVE ID or a fully functional Proof of Concept (PoC).
Still, security experts urge intelligence teams to act quickly because skilled threat actors can fill the gaps with relative ease and turn LegacyHive into a potent weapon.
Via The register

The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews and opinions in your feeds.



