New Windows Zero-Day PoC Released After Microsoft Patch Tuesday, SharePoint Flaws Under Attack

microsoft patch tuesday windows

Microsoft’s July 2026 Patch Tuesday has once again placed Windows and SharePoint security in the spotlight. Just hours after Microsoft released security updates, security researcher Chaotic Eclipse, also known as Nightmare-Eclipse, published a new proof-of-concept (PoC) exploit named LegacyHive, raising fresh concerns about Windows privilege escalation vulnerabilities.

The disclosure comes amid ongoing tensions between Microsoft and independent security researchers, while organizations are also rushing to patch several actively exploited SharePoint Server vulnerabilities that could allow attackers to gain unauthorized access and execute malicious actions.

The newly released LegacyHive proof-of-concept demonstrates a potential elevation-of-privilege issue involving the Windows User Profile Service (ProfSvc). This Windows component is responsible for managing user accounts, user profiles, and login environments across desktop and server systems.

According to Chaotic Eclipse, the PoC requires another standard user account credential and a third username, which can even belong to an administrator account. If the exploit succeeds, it mounts the target user’s registry hive within the current user’s environment.

The researcher explained that the public version of the exploit was intentionally limited to reduce the risk of immediate abuse. The original exploit reportedly did not require additional user credentials and was capable of loading registry hives beyond the usrclass.dat file.

Despite these restrictions, the release has attracted significant attention because the exploit reportedly works on all supported Windows desktop and server versions, including systems that have already installed the latest July 2026 Patch Tuesday updates.

This suggests that the issue may not currently be addressed by Microsoft’s latest security patches, making it a concern for security teams monitoring emerging Windows threats.

The release of LegacyHive is the latest chapter in an ongoing dispute between Chaotic Eclipse and Microsoft.

Since at least April 2026, the researcher has publicly disclosed multiple vulnerabilities before Microsoft released fixes. According to the researcher, communication problems and delays in the vulnerability disclosure process contributed to the decision to publish exploit details.

Several previously disclosed Microsoft Defender vulnerabilities became actively exploited shortly after their public release, increasing pressure on Microsoft to accelerate patch development and deployment.

Earlier in July, Microsoft released fixes for another Defender-related vulnerability known as RoguePlanet, which had also been disclosed by Chaotic Eclipse. However, reports later emerged that Microsoft’s mitigation introduced an unintended issue that could leak eight bytes of data when Microsoft Defender attempts to open certain files under specific conditions.

Microsoft has acknowledged the report and stated that it is investigating the matter. The company has not yet provided detailed public comments regarding the newly disclosed LegacyHive exploit.

Alongside concerns about LegacyHive, Microsoft’s July 2026 Patch Tuesday addressed a record-breaking 622 security vulnerabilities across its products and services.

Among the most significant fixes were two privilege escalation vulnerabilities affecting:

  • Active Directory Federation Services (AD FS) – CVE-2026-56155 (CVSS 7.8)
  • Microsoft SharePoint Server – CVE-2026-56164 (CVSS 5.3)

Both vulnerabilities have been identified as actively exploited in real-world attacks.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added both flaws to its Known Exploited Vulnerabilities (KEV) Catalog, highlighting the urgency of patching affected systems.

Federal agencies have been directed to remediate these vulnerabilities by specific deadlines in July 2026 to reduce exposure to cyberattacks.

zero day

Security experts are particularly concerned about the growing number of attacks targeting Microsoft SharePoint Server.

According to CISA, threat actors are actively exploiting multiple SharePoint vulnerabilities, including:

  • CVE-2026-32201
  • CVE-2026-45659
  • CVE-2026-56164

These vulnerabilities impact all supported on-premises SharePoint Server versions, including:

  • SharePoint Server Subscription Edition
  • SharePoint Server 2019
  • SharePoint Server 2016

Attackers can leverage these flaws to perform remote code execution (RCE) and conduct post-exploitation activities. These activities may include stealing Internet Information Services (IIS) machine keys, abusing deserialization techniques, establishing persistence, and deploying malware across compromised environments.

Security researchers warn that organizations operating internet-facing SharePoint servers face the highest risk because many of these attacks can be launched remotely.

Experts have identified CVE-2026-56164 as particularly dangerous because it stems from missing authentication controls within a critical SharePoint function.

According to security researchers, attackers can send specially crafted network requests to access functionality that should normally require authentication. This can result in privilege escalation and allow unauthorized actions without requiring valid credentials or user interaction.

Because the vulnerability can be exploited remotely, internet-facing SharePoint environments remain especially vulnerable if patches have not been applied.

For organizations relying on SharePoint for document management, collaboration, and business operations, immediate patching is strongly recommended.

Microsoft’s July 2026 security updates also addressed another high-severity SharePoint vulnerability, CVE-2026-55040, which received a critical CVSS score of 9.1.

The flaw allows a remote, unauthenticated attacker to bypass authentication mechanisms and potentially perform actions as a SharePoint user or administrator.

Security researchers found that the issue originates from weaknesses in the JWT token validation process. By exploiting these validation flaws, attackers can impersonate users and gain unauthorized access to SharePoint resources.

Even more concerning, successful exploitation can be chained with other authenticated vulnerabilities to achieve deeper access and broader compromise of SharePoint environments.

The combination of the newly disclosed LegacyHive PoC, actively exploited SharePoint vulnerabilities, and a record number of Microsoft security fixes highlights the increasing complexity of enterprise cybersecurity in 2026.

Organizations should prioritize the following actions:

  • Apply all July 2026 Microsoft security updates immediately.
  • Patch SharePoint Server installations without delay.
  • Review internet-facing SharePoint environments for signs of compromise.
  • Monitor systems for unusual privilege escalation activity.
  • Implement continuous vulnerability management and threat detection.
  • Stay informed about Microsoft’s response to the LegacyHive disclosure.

As attackers continue to move quickly after public vulnerability disclosures, timely patching and proactive monitoring remain essential defenses against emerging Windows and SharePoint security threats.

Follow us on Twitter and Linkedin for real time updates and exclusive content.

Scroll to Top