Skip to content
Security & Trust

A Windows Privilege-Escalation Exploit Just Shipped With No CVE Attached

LegacyHive works on fully patched July 2026 systems and has no CVE number yet — the eighth such disclosure from the same researcher since April.

· 4 min read
Share on X LinkedIn
A Windows Privilege-Escalation Exploit Just Shipped With No CVE Attached

A Vulnerability the Tracking System Can't See

Hours after Microsoft closed out its July 2026 Patch Tuesday, a researcher operating under the handle Chaotic Eclipse (also known as Nightmare-Eclipse) published a working proof-of-concept exploit for Windows called LegacyHive. It targets the Windows User Profile Service, the component that loads a user's registry hive at sign-in, and demonstrates how a standard account can mount another user's hive — administrator accounts included — into its own session. It runs on fully updated systems. Microsoft has not yet assigned it a CVE number. LegacyHive is the eighth CVE-less Windows disclosure from this researcher since April 2026, following BlueHammer, RedSun, UnDefend, YellowKey, GreenPlasma, MiniPlasma, and RoguePlanet. MSRC has publicly called the campaign 'irresponsible,' and at least three of the prior disclosures were weaponized by attackers before Microsoft could issue patches.

622 vulnerabilities fixed, among the largest single Patch Tuesday releases in recent memory
Patch Tuesday volume, same release cycle
Source: Microsoft Security Response Center, July 2026 Patch Tuesday (July 14, 2026)

That patch volume is among the largest in a single Microsoft release in recent memory, and the company has attributed part of the increase to AI-assisted vulnerability discovery running across its codebase. LegacyHive was not part of that batch. It surfaced independently, through public disclosure, in an escalating dispute between the researcher and Microsoft that has been running since April 2026 over response times for reported issues. Several prior disclosures in this campaign led to real-world exploitation before patches were available.

3 zero-days, 2 under active exploitation (CVE-2026-56155, CVE-2026-56164), 1 publicly disclosed (CVE-2026-50661)
Zero-days shipped in the same update
Source: Tenable, July 2026 Patch Tuesday analysis (July 14, 2026)

Why a Missing Number Matters More Than a Missing Patch

Enterprise vulnerability management is built around the CVE identifier as the unit of tracking. CISA's Known Exploited Vulnerabilities catalog is indexed by CVE. The EPSS exploitation-probability scoring system that many security teams use to prioritize patching is scored by CVE. Ticketing systems, scanner feeds, and board-level risk dashboards all key off that same identifier. A disclosed, working exploit with no CVE attached does not fail to rank in these systems — it does not appear in them at all.

1,300+ entries (as of mid-2026), all indexed by CVE ID
CISA Known Exploited Vulnerabilities catalog, current size
Source: CISA KEV Catalog

The CISA catalog has no slot for LegacyHive yet. That is not a flaw in CISA's methodology — it depends on an identifier that a vendor or a numbering authority has to assign, and assignment usually follows disclosure by days or weeks, not hours. Notably, several of this researcher's prior CVE-less disclosures did eventually receive CVE assignments and CISA catalog entries — the gap is temporary, but the exploitation window it creates is not.

The Gap Budget-Signers Are Actually Paying For

For an executive who approves a security budget built around CVE-driven feeds — vulnerability scanners that alert on matched CVE IDs, patch-management tools that queue by CVSS score, board reports that count open CVEs by severity — this specific case sits outside all three counts this week. That does not make it a routine miss; it is one disclosure, from one ongoing dispute, and it does not establish a pattern of exploits systematically evading CVE assignment. What it does establish is a concrete, present-tense example of the gap between 'no CVE yet' and 'no exploit exists.' Teams that treat CVE-indexed feeds as a complete picture of exposure are, for as long as a case like this remains unnumbered, working from an incomplete one.

The broader pattern here is worth watching. A researcher with a track record of dropping working exploits before vendors can respond has now demonstrated that the CVE-assignment process can be outrun by a motivated discloser. The tracking systems that enterprise security teams depend on — scanners, dashboards, prioritization engines — work because they assume identifier assignment keeps pace with disclosure. When it doesn't, the exploit exists in production but not in the system designed to flag it. For security teams, this campaign is a reminder that CVE-indexed feeds describe a known subset of exposure, not the complete picture. Monitoring for active exploit disclosure outside the CVE pipeline — researcher blogs, GitHub repositories, security mailing lists — is an operational gap most vuln-management programs do not yet close.

Share this insight