Windows 0-day disclosed on same day Microsoft releases record number of patches
A new Windows zero-day vulnerability, dubbed HiveLegacy, has been publicly disclosed on the same day Microsoft issued a record-breaking number of security patches, potentially allowing non-admin users to gain administrator privileges.

Security researchers have revealed a Windows zero-day vulnerability called HiveLegacy. The flaw enables a non-administrative user to modify the registry classes hive of an administrator user, which could lead to full system compromise.
Will Dormann, senior principal vulnerability analyst at Tharros Labs, explained that an attacker could set up the system to execute their code when an admin logs in. This would grant the attacker de facto administrator privileges without needing to be an admin themselves. Dormann described the ability to modify an admin's classes registry hive as a powerful primitive, noting that clever attackers will easily find ways to exploit it, potentially even without user interaction.
Another analyst detailed that when a new user logs on, Windows loads the user's class hive in the context of NT AUTHORITY\SYSTEM because the user is not yet logged in. HiveLegacy abuses this loading process.
Microsoft acknowledged the vulnerability report and stated that it is investigating. The company emphasized its preference for coordinated disclosure. In the meantime, Windows users can run a detection script published by independent researcher Kevin Beaumont to check if their systems are vulnerable. Additional defenses include restricting local non-admin account creation, monitoring ProfSvc for unexpected hive loads, and tracking NTUSER.DAT / UsrClass.dat activity.


