LegacyHive Windows zero-day lets attackers load another users registry hive

LegacyHive Windows zero-day vulnerability allows attackers to load another users registry hive

CSBadmin
1 Min Read

A newly disclosed zero-day vulnerability in the Windows registry subsystem, dubbed LegacyHive, allows attackers with limited user privileges to load and read another users registry hive, potentially exposing sensitive credentials and configuration data stored per-user.

The flaw resides in how the Windows registry service handles legacy hive loading operations. Security researchers found that the vulnerability enables a standard user to call registry APIs that should be restricted to administrative accounts, effectively bypassing access controls designed to isolate user registry data from other users on the same system.

While Microsoft has been notified, there is currently no patch available. Researchers warn that the vulnerability can be exploited to extract credential material stored in the SAM and SECURITY hives, profile data from NTUSER.DAT files, and application secrets maintained per-user. Enterprise environments with shared workstations, terminal servers, or virtual desktop infrastructure face the highest risk, as lateral movement between user sessions becomes trivial.

Security teams are advised to monitor for unusual registry access patterns, restrict local administrator rights where possible, and apply the principle of least privilege. The vulnerability is under active investigation by the Microsoft Security Response Center but has not yet been assigned a CVE identifier.

CSBadmin

The latest in cybersecurity news and updates.

Share This Article
Follow:
The latest in cybersecurity news and updates.