A Vulnerability the Tracking System Can't See
Hours after Microsoft closed out its July 2026 Patch Tuesday, a researcher operating under the handle Chaotic Eclipse (also known as Nightmare-Eclipse) published a working proof-of-concept exploit for Windows called LegacyHive. It targets the Windows User Profile Service, the component that loads a user's registry hive at sign-in, and demonstrates how a standard account can mount another user's hive — administrator accounts included — into its own session. It runs on fully updated systems. Microsoft has not yet assigned it a CVE number. LegacyHive is the eighth CVE-less Windows disclosure from this researcher since April 2026, following BlueHammer, RedSun, UnDefend, YellowKey, GreenPlasma, MiniPlasma, and RoguePlanet. MSRC has publicly called the campaign 'irresponsible,' and at least three of the prior disclosures were weaponized by attackers before Microsoft could issue patches.
That patch volume is among the largest in a single Microsoft release in recent memory, and the company has attributed part of the increase to AI-assisted vulnerability discovery running across its codebase. LegacyHive was not part of that batch. It surfaced independently, through public disclosure, in an escalating dispute between the researcher and Microsoft that has been running since April 2026 over response times for reported issues. Several prior disclosures in this campaign led to real-world exploitation before patches were available.
Why a Missing Number Matters More Than a Missing Patch
Enterprise vulnerability management is built around the CVE identifier as the unit of tracking. CISA's Known Exploited Vulnerabilities catalog is indexed by CVE. The EPSS exploitation-probability scoring system that many security teams use to prioritize patching is scored by CVE. Ticketing systems, scanner feeds, and board-level risk dashboards all key off that same identifier. A disclosed, working exploit with no CVE attached does not fail to rank in these systems — it does not appear in them at all.
The CISA catalog has no slot for LegacyHive yet. That is not a flaw in CISA's methodology — it depends on an identifier that a vendor or a numbering authority has to assign, and assignment usually follows disclosure by days or weeks, not hours. Notably, several of this researcher's prior CVE-less disclosures did eventually receive CVE assignments and CISA catalog entries — the gap is temporary, but the exploitation window it creates is not.
The Gap Budget-Signers Are Actually Paying For
For an executive who approves a security budget built around CVE-driven feeds — vulnerability scanners that alert on matched CVE IDs, patch-management tools that queue by CVSS score, board reports that count open CVEs by severity — this specific case sits outside all three counts this week. That does not make it a routine miss; it is one disclosure, from one ongoing dispute, and it does not establish a pattern of exploits systematically evading CVE assignment. What it does establish is a concrete, present-tense example of the gap between 'no CVE yet' and 'no exploit exists.' Teams that treat CVE-indexed feeds as a complete picture of exposure are, for as long as a case like this remains unnumbered, working from an incomplete one.
The broader pattern here is worth watching. A researcher with a track record of dropping working exploits before vendors can respond has now demonstrated that the CVE-assignment process can be outrun by a motivated discloser. The tracking systems that enterprise security teams depend on — scanners, dashboards, prioritization engines — work because they assume identifier assignment keeps pace with disclosure. When it doesn't, the exploit exists in production but not in the system designed to flag it. For security teams, this campaign is a reminder that CVE-indexed feeds describe a known subset of exposure, not the complete picture. Monitoring for active exploit disclosure outside the CVE pipeline — researcher blogs, GitHub repositories, security mailing lists — is an operational gap most vuln-management programs do not yet close.


