News summary produced by Claude AI
An anonymous researcher operating under the pseudonym NightmareEclypse released exploit code on Tuesday targeting a zero-day vulnerability in Microsoft Windows, adding to a growing list of nine disclosed exploits attributed to this researcher. The vulnerability, dubbed HiveLegacy, enables users with limited system privileges to elevate their access and make unauthorized modifications to administrator accounts.
The exploit functions as an elevation-of-privilege attack that leverages a flaw in the Windows User Profile Service. Specifically, it allows attackers with low-level access to modify the classes registry hive of an administrator account, which controls which applications open specific file types in Windows Explorer. Security analysts characterize this capability as a significant vulnerability, noting that attackers could potentially execute malicious code in the context of administrator privileges without requiring admin status themselves. The attack requires knowledge of at least two user account names on the targeted system.
Security researchers have confirmed the exploit works and emphasized its potential for misuse. Analysts indicated that the vulnerability could serve as a foundation for more sophisticated attacks and could potentially be chained with other exploits to gain direct administrative access. One vulnerability analyst noted that the ability to manipulate an administrator’s registry represents a “powerful primitive” that could enable attackers to execute actions that don’t even require user interaction.
Microsoft confirmed awareness of the vulnerability report and stated it is investigating. The company reiterated its preference that security researchers follow coordinated disclosure protocols when reporting vulnerabilities. In the interim, Windows users can employ several defensive measures, including running detection scripts made available by independent security researchers, restricting local account creation, monitoring system processes for unusual activity, and tracking related registry file operations.