Nightmare Eclipse drops 9th Windows security issue amid ongoing personal vendetta against Microsoft
The infamous researcher has delivered yet more chaos.

Image by Cybernews.
- The researcher claims the vulnerability allows a non-administrative Windows user to mount and potentially modify an administrator’s registry hive.
- The released PoC is intentionally limited – the full exploit allegedly affects all supported Windows desktop and server installations.
- This disclosure is the 9th in a series of vulnerability releases from Nightmare Eclipse, who has been critical of Microsoft’s handling of vulnerability reports.
Nightmare Eclipse, a rogue security researcher known for publicly disclosing Windows zero-days, dropped a new proof of concept privilege escalation exploit just hours after Microsoft’s July Patch Tuesday. The researcher’s posts have turned more pessimistic recently, but the pace of new discoveries shows no signs of slowing.
Nightmare Eclipse added a ninth public repository with a fresh Windows zero-day vulnerability dubbed LegacyHive. Microsoft hasn’t publicly confirmed the issue yet. However, previous disclosures forced the company to acknowledge and address the vulnerabilities.
The new proof of concept targets the Windows user profile service, which loads and unloads user profiles during sign-ins. It contains settings and information for each user account.
The researcher found that the service can be tricked into mounting another user’s registry hive – a file containing Windows and user-specific settings. Essentially, this enables a non-administrative user to access and modify another user’s registry data, potentially including an administrator's registry data – a path that leads to elevated privileges.
“The PoC (proof of concept) was stripped down as an attempt to prevent public exploitation,” the researcher said in the new repository.
Stay updated with our latest stories and follow us on social media
Be the first to discover new stories, ideas, and updates from our team.
The code isn’t a full exploit – it only demonstrates that Windows fails to keep users’ settings separate – attackers can manipulate the system into loading another user’s registry hive into their own session.
The intentionally limited exploit requires credentials for another standard user and only targets the UsrClass.dat hive. However, according to the researcher, the original unreleased version does not have these restrictions and can load arbitrary hives without credentials.
“Any hive could be loaded using this vulnerability, but you would need some brain cells to make the PoC do it,” Nightmare Eclipse said.
The researcher also warned that the exploit works on all currently supported Windows desktop and server installations with the latest July patch applied.
If true, this type of vulnerability could give threat actors who have already gained initial access to a Windows system significant leverage, allowing them to target higher-privileged users.
Nightmare-Eclipse has spent the past few months publicly disclosing major vulnerabilities in Defender, BitLocker, and other parts of Windows, over what they describe as severe mistreatment by the tech giant, claiming that Microsoft’s actions ruined their life.
This resonated broadly with the security community and has earned the researcher a significant following on X and other platforms. Especially after Microsoft issued a controversial statement that some researchers interpreted as a legal warning over bypassing the company’s coordinated disclosure process.
After a series of exploit releases, Nightmare Eclipse was banned from GitHub and later GitLab and had to migrate their blog. The vendetta seems to be taking a toll on the researcher.
“I got incredibly depressed, and I was unable to get back up again and start writing code, and I started questioning this whole thing in general,” Nightmare Eclipse claimed in June.
“Usually, Microsoft just does something that pisses me off so much I end up dropping bugs, but recently, they have been silent, which contributed a bit to my pause. Unlike what they did for the past years, they seemingly chose to let the fire calm on its own.”
Nightmare Eclipse also expressed anticipation that “they will definitely boil the blood in my veins.” After a short break, the researcher sprang back into action, releasing a BitLocker bypass (“GreatXML”) exploit, now followed by the LegacyHive.
Still, it appears that the researcher might be looking for a way out, hoping their “brain power” could be used for good.
“Dropping zero-days is truly agonizing. The only thing it got me is attention, and I don’t like it,” one of the recent blog posts reads.