HeadlinesBriefing favicon HeadlinesBriefing.com

Windows 0-day Exploit Targets Admin Privileges

Ars Technica •
×

A newly discovered Windows 0-day vulnerability, dubbed HiveLegacy, allows non-administrator users to gain administrator privileges by modifying the registry hive of an administrator account. Will Dormann, a senior principal vulnerability analyst at Tharros Labs, explained that this "powerful primitive" enables attackers to run their code when an admin logs in, effectively granting them de facto administrator control without needing direct admin access themselves.

The exploit leverages how Windows loads a user's class hive when they log in; since the user isn't logged in yet, it's loaded in the context of NT AUTHORITY\SYSTEM. HiveLegacy abuses this process. Microsoft has stated it is aware of the report and investigating, while also noting its preference for coordinated disclosure.

Independent researcher Kevin Beaumont has published a detection script for users seeking immediate protection. Further defenses include restricting local non-user account creation, monitoring Prof Svc for unexpected hive loads, and tracking NTUSER.DAT/Usr Class.dat activity. This exploit emerged on the same day Microsoft released a record number of patches.