- “Chaotic Eclipse” researcher launches a new Windows 11 called zero day Legacy Hivea local privilege escalation bug targeting user registry hives
- The exploit could allow attackers to elevate low-privileged accounts, but requires prior access to the device; no full CVE or PoC published
- Experts warn that trained actors could quickly weaponize it, and urge intelligence teams to prepare mitigation measures even though the perceived impact is lower than previous versions.
Chaotic Eclipse, the infamous security researcher with a grudge against Microsoft, did what he previously promised and released another zero-day vulnerability for fully patched Windows 11 devices.
However, other researchers do not see it as dangerous as some of its previous releases.
Chaotic Eclipse revealed a zero-day called LegacyHive, which is a local privilege escalation (LPE) bug targeting hives of Windows users.
Growing privileges
A few months ago, a hacker/researcher with the alias Chaotic Eclipse began publishing working exploits for fully patched Windows 11 systems, all with PoC, claiming that Microsoft acted against them in bad faith and arguing that the company does not treat researchers with the respect they deserve.
They released a total of seven exploits, some more damning than others, and promised to release a “heartbreaking” one on July 14, 2026. Meanwhile, Microsoft first criticized the researcher for not disclosing the flaws in a “responsible” manner and, at one point, even threatened possible legal action. However, he did not sue the investigator and later backed away from the threat entirely, partly as a result of a strong public backlash.
On Windows, user hives are registry files that store configuration settings specific to an individual user account. These include desktop preferences, user-specific application settings, network drive mappings, user-specific security and privacy settings, and more.
With LegacyHive, threat actors could, in theory, gain targeted privileged read and write access to other users’ hives. Or, in other words, they could convert low-privilege accounts to high-privilege accounts. However, they would first need to gain access to the device, which is one reason some security researchers don’t see it as disastrous as Chaotic Eclipse’s previous work.
What also sets LegacyHive apart from other versions is that it was not released with a CVE identifier or a fully functioning proof of concept (PoC).
Still, security experts urge intelligence teams to work quickly, because trained threat actors can fill the gaps with relative ease and turn LegacyHive into a potent weapon.
Through The Registry

The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to receive news, reviews and opinions from our experts in your feeds.




