Chaotic Eclipse Releases LegacyHive Windows Zero-Day PoC After Microsoft Patches 570 Flaws
Image: Una Al Día

Chaotic Eclipse Releases LegacyHive Windows Zero-Day PoC After Microsoft Patches 570 Flaws

09 July, 2026.Technology and Science.18 sources

The story in 15 seconds

  • LegacyHive PoC for RoguePlanet Defender zero-day released.
  • RoguePlanet Defender zero-day patched by Microsoft.
  • Exploit PoC appeared hours after Patch Tuesday.

The divide · 1 of 4

Tech Buzz and GIGAZINE heavily steer focus toward worst-case impact, not system details.

Who skipped what

How each outlet frames it

Every outlet we compared, the headline it ran, and a link to the original article.

Source Diversity
18 sources
Other
10
Local Western
3
Western Mainstream
3
Asian
1
Western Alternative
1

Local Western

01net
01net

Windows cyberattacks: a flaw turns Defender antivirus into a weapon for hackers.

09 July, 2026

Read the original →
Korben
Korben

BlueHammer - The Windows zero-day unleashed by an angry researcher

09 July, 2026

Read the original →
next.ink
next.ink

Patch Tuesday: Microsoft fixes 165 security vulnerabilities

09 July, 2026

Read the original →

Western Mainstream

Ars Technica
Ars Technica

Patch for Windows Defender 0-day could allow attackers to fill hard disk

09 July, 2026

Read the original →
Ars Technica
Ars Technica

Windows 0-day drops the same day Microsoft releases record number of patches

15 July, 2026

Read the original →
The Hacker News
The Hacker News

Researcher Drops New Windows Zero-Day PoC Hours After Microsoft Patch Tuesday

15 July, 2026

Read the original →

Other

BleepingComputer
BleepingComputer

Microsoft patches RoguePlanet Defender zero-day vulnerability

09 July, 2026

Read the original →
Dark Reading
Dark Reading

Microsoft Reins in RoguePlanet Zero-Day Threat

09 July, 2026

Read the original →
Le Monde Informatique
Le Monde Informatique

Microsoft corrige 165 failles en avril dont une zero day

09 July, 2026

Read the original →
LinkedIn
LinkedIn

Microsoft Releases Fix For Critical Defender Zero-Day Flaw

09 July, 2026

Read the original →
SC Media
SC Media

Microsoft releases patch for Defender zero-day vulnerability RoguePlanet

09 July, 2026

Read the original →
Security Boulevard
Security Boulevard

Microsoft fixes RoguePlanet zero-day in Defender

09 July, 2026

Read the original →
Tech Times
Tech Times

Defender Zero-Day Patched 29 Days After Public Exploit Exposed Millions of PCs

09 July, 2026

Read the original →
The Register
The Register

Microsoft closes book on Nightmare Eclipse's RoguePlanet zero-day

09 July, 2026

Read the original →
The Register
The Register

LegacyHive: 'Bone-shattering' zero-day from Microsoft's serial tormentor not the haymaker that was promised

15 July, 2026

Read the original →
Una Al Día
Una Al Día

Active exploitation of Windows vulnerabilities enables privilege escalation and affects Defender.

09 July, 2026

Read the original →

Asian

GIGAZINE
GIGAZINE

A new Microsoft Defender update could allow hackers to completely exhaust the disk space on Windows 11 PCs.

15 July, 2026

Read the original →

Western Alternative

The Tech Buzz
The Tech Buzz

Microsoft patches record 570 security flaws, two under attack

15 July, 2026

Read the original →

Full story

Patch Tuesday, then PoC

Microsoft’s July 2026 Patch Tuesday release patched 570 vulnerabilities across Windows and related products, including two zero-day flaws already being exploited in the wild and 61 rated critical, according to The Tech Buzz.

The Hacker News reported that security researcher Chaotic Eclipse (aka Nightmare-Eclipse) released a new proof-of-concept exploit called LegacyHive hours after that Patch Tuesday, describing it as a "Windows User Profile Service arbitrary hive load elevation of privileges vulnerability."

Image from 01net
01net01net

Ars Technica said the exploit code enables low-privilege Windows accounts to make sensitive changes to administrator accounts, and it described the HiveLegacy proof-of-concept as "pretty powerful primitive" elevation-of-privilege targeting the Windows User Profile Service.

The Hacker News added that LegacyHive is functional on all supported desktop and server versions of Windows, including those running the latest July 2026 Patch Tuesday update, and it said the researcher and Microsoft have been locked in a heated dispute since at least April 2026.

Dispute, Defender, and KEV

The Hacker News said Chaotic Eclipse and Microsoft have been locked in a heated dispute since at least April 2026, with the researcher releasing details of multiple exploits before Microsoft could patch them, citing a breakdown in communication.

It also reported that three vulnerabilities in Microsoft Defender came under active exploitation shortly after public disclosure, and it quoted Microsoft saying, "We have contacted the company for comment regarding LegacyHive, and we will update the story if we hear back."

Image from Ars Technica
Ars TechnicaArs Technica

Ars Technica said the pseudonymous NightmareEclypse has published nine such exploits, including Tuesday’s HiveLegacy, and it described the exploit as modifying an administrator account’s classes registry hive.

The Hacker News further said CISA added both SharePoint Server flaws flagged as actively exploited—CVE-2026-56164 and CVE-2026-56155—to its Known Exploited Vulnerabilities (KEV) catalog, mandating that Federal Civilian Executive Branch agencies apply fixes by July 17 and July 28, 2026, respectively.

Disk-filling risk after RoguePlanet

GIGAZINE reported that a new Microsoft Defender update could allow hackers to completely exhaust the disk space on Windows 11 PCs, describing a vulnerability discovered in Microsoft Defender that could cause excessive device storage consumption.

Right on the heels of Microsoft releasing a record number of security patches, a researcher has published exploit code that can enable low-privilege Windows accounts to make sensitive changes to administrator accounts

Ars TechnicaArs Technica

It said the issue is related to RoguePlanet, and it quoted that Microsoft fixed RoguePlanet by updating to version 1.1.26060.3008, while Nightmare Eclipse said another problem arose after the fix.

GIGAZINE explained that Microsoft Defender’s limit on file scans and quarantines does not apply to cached alternate data streams (ADS) called Zone.Identifiers, making it technically possible to write extremely large caches to disk to Microsoft Defender.

The article added that Nightmare Eclipse’s proof-of-concept showed the behavior was reproducible on Windows 11 25H2 and Windows Server 2025, and it noted Microsoft had not publicly commented on the disk space exhaustion issue in its advisory regarding RoguePlanet (CVE-2026-50656).

The deep audit

How victims, perpetrators and terms are handled across outlets.

More on Technology and Science