Windows Vulnerability - RegPwn Enables Full System Access
Basically, a flaw in Windows lets users gain full control of the system.
A high-severity Windows vulnerability, RegPwn, allows low-privileged users to gain full SYSTEM access. This flaw poses significant risks, making it crucial for users to apply the latest patches. Stay informed and secure your systems against this exploit.
The Flaw
The newly discovered Windows vulnerability, dubbed RegPwn (CVE-2026-24291), is an elevation-of-privilege flaw that permits low-privileged users to gain full SYSTEM access. Discovered by the MDSec red team, this vulnerability has been in use since January 2025 during their internal engagements. It was recently patched in a Microsoft security update. The attack exploits the way Windows manages accessibility features, allowing attackers to manipulate system settings.
When a user activates tools like the On-Screen Keyboard, Windows creates a registry key to store configurations. This key inadvertently grants full control to the logged-in user. The flaw becomes evident when these user-controlled settings interact with the Windows Secure Desktop, which is meant to safeguard sensitive operations like prompting for administrator credentials. This misconfiguration creates a dangerous pathway for exploitation.
What's at Risk
The vulnerability allows attackers to execute arbitrary commands with SYSTEM privileges. By modifying their user-level accessibility registry key, an attacker can insert an opportunistic lock (oplock) on a system file. When the user locks their workstation, the system momentarily pauses, providing the attacker a narrow window to exploit the flaw. This can lead to unauthorized access to sensitive areas of the Windows registry, allowing for significant control over the system.
In MDSec's proof-of-concept, they demonstrated how to overwrite the execution path of a system service, effectively granting them a SYSTEM-level command prompt. This level of access can lead to further exploitation, including the installation of malware or data exfiltration.
Patch Status
Microsoft has addressed CVE-2026-24291 as part of its regular Patch Tuesday updates. System administrators are strongly encouraged to apply the latest updates to mitigate this local privilege escalation vulnerability. The patch aims to close the loophole that allows low-privileged users to gain unauthorized access to SYSTEM-level functionalities. It is crucial for organizations to stay vigilant and ensure their systems are up-to-date.
For those interested in understanding the exploit, MDSec has made the RegPwn exploit code publicly available on GitHub. This move allows security researchers to study the vulnerability and its implications further, contributing to the overall cybersecurity knowledge base.
Immediate Actions
To protect your systems from this vulnerability, it is imperative to:
- Apply the latest Windows updates immediately to close the exploit.
- Monitor user access to ensure no unauthorized changes are made to system settings.
- Educate users about the risks associated with enabling accessibility features, as these can be manipulated by attackers.
By taking these steps, organizations can significantly reduce their risk exposure and safeguard their systems against potential exploitation of the RegPwn vulnerability.
Cyber Security News