A Windows security flaw called LegacyHive (MSNightmare) misuses the User Profile Service. This allows local users to gain higher privileges, change admin accounts, and run code with admin rights.
The public proof‑of‑concept (PoC) from the MSNightmare GitHub account describes the bug as a “Windows user profile service arbitrary hive load elevation of privileges vulnerability.”
LegacyHive allows a low-level user to attach another user’s registry hive, especially the UsrClass.dat hive, into their own HKEY_CLASSES_ROOT, making that other user’s application data and settings appear as their own.
Security expert Will Dormann showed that if you run LegacyHive.exe using a second standard user’s login, name an administrator account, and then open regedit.exe as that second user, the non-admin gets direct access to the administrator’s Classes registry hive.
AWS
AWS customers around the world were surprised when the AWS Billing and Cost Management Console and Cost Explorer showed very high expected cloud costs.
Some groups said their monthly bills could reach trillions of dollars. This raised budget alarms and caused worries about possible unapproved AWS use.
AWS said there’s a problem on its Health Dashboard and AWS Support account on X. They noted that only the estimated billing data is wrong. The real charges and checked usage records are fine.
Multiple TP-Link Cameras Vulnerability
TP-Link has shared security fixes for two flaws in its Kasa EC70 v4 and EC71 v4 smart cameras. These issues, known as CVE-2026-9770 and CVE-2026-13230, might let someone on the same local network get private data from the affected devices.
The biggest flaw, CVE-2026-9770, is a risk that lets bad people see secret key information. It has a CVSS score of 8.6 (High). TP-Link said a secret key is built into the camera’s system.
An attacker on the local network could use this exposed key to access private messages between the camera and its web interface.
Successful exploitation could allow man-in-the-middle attacks, letting the attacker seize traffic or get admin passwords.
Fortinet FortiSandbox
CISA has put two important Fortinet FortiSandbox flaws in its Known Exploited Vulnerabilities (KEV) Catalog. They warn that attackers are using these issues in real attacks.
The flaws, called CVE-2026-39808 and CVE-2026-25089, let attackers who are not verified run commands on the operating system by sending specific HTTP requests.
Both flaws are known as OS command injection vulnerabilities (CWE-78). It happen when an application does not properly clean user input before sending it to an operating system command interpreter.
Successful attacks can let attackers run any commands on weak devices without needing valid passwords. CVE-2026-39808 directly impacts Fortinet FortiSandbox.
This weakness might let a remote attacker, who is not authenticated, run unauthorized code or commands just by sending special HTTP requests to the device.
The second weakness, CVE-2026-25089, affects more than just FortiSandbox. It also impacts FortiSandbox Cloud and FortiSandbox PaaS.
InfoSecBulletin Cybersecurity for mankind

