A significant Windows vulnerability, identified as “RegPwn” (CVE-2026-24291), has emerged, posing a serious risk by enabling low-privileged users to elevate their access to full SYSTEM privileges. This flaw, discovered by the MDSec red team, has been in use during internal engagements since January 2025, prior to its resolution in a recent Microsoft Patch Tuesday update.
Understanding the Vulnerability
The RegPwn vulnerability exploits the way Windows manages its built-in accessibility features, including tools such as the On-Screen Keyboard and Narrator. These tools are designed to help users navigate the operating system; they run primarily in the user's context but retain high-integrity access.
When a user activates an accessibility tool, Windows creates a specific registry key to store its configuration. Crucially, this registry key grants low-privileged users full control. During the login process, a system process copies these configurations into the local machine registry hive. However, the resulting local machine registry key also remains writable by the logged-in user, which opens the door to manipulation.
The vulnerability becomes particularly concerning when user-controlled settings interact with the Windows Secure Desktop environment, which is an isolated space utilized for sensitive tasks such as locking the workstation or requesting administrator credentials. By design, only trusted processes operating with SYSTEM privileges are permitted to execute within this secure environment.
When a user initiates a secure state, the system launches processes that manage accessibility settings, running both as the standard user and as the SYSTEM account. An attacker can exploit this behavior by modifying their user-level accessibility registry key and placing an opportunistic lock (oplock) on a specific system file. As the user locks their workstation, the system attempts to copy the altered accessibility configuration into the local machine registry and stalls on the oplock.
This momentary pause, induced by the oplock, gives the attacker a narrow window to act. During this brief interval, the attacker replaces the local machine registry key with a symbolic link pointing to an arbitrary system registry key. Because the process copying the data runs with SYSTEM privileges, the attacker ends up writing arbitrary values to highly restricted areas of the Windows registry.
In a proof-of-concept demonstration by MDSec, this technique was employed to overwrite the execution path of a system service, thereby granting immediate access to a SYSTEM-level command prompt.
Microsoft has addressed CVE-2026-24291 through its routine security updates. System administrators are strongly encouraged to implement the latest Windows updates to safeguard their environments against this local privilege escalation vulnerability.
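Beyond patching, administrators can audit for the precondition the article describes: a machine-hive key that low-privileged principals are allowed to modify. The PowerShell function below is an added example written for this page, not MDSec's code or anything from the advisory; the key path is a placeholder because the article does not name the affected key, and the rights mask and principal list are assumptions to tune for your environment.

```powershell
# Added example, not MDSec's code: audit a registry key (and optionally its
# subkeys) for ACEs that let low-privileged principals modify it. A hit is the
# condition the article describes: a machine-hive key writable by the user.
function Test-RegistryKeyWritableByUsers {
    param(
        # Placeholder path: the article does not name the affected key.
        [Parameter(Mandatory)][string]$KeyPath,
        [switch]$Recurse
    )
    # Rights that let a principal change the key, its values or its subkeys.
    # WriteKey/FullControl are deliberately not used as a mask: they include
    # read bits and would make read-only ACEs match.
    $R = [System.Security.AccessControl.RegistryRights]
    $writeMask = $R::SetValue -bor $R::CreateSubKey -bor $R::CreateLink -bor
                 $R::Delete -bor $R::ChangePermissions -bor $R::TakeOwnership
    # Well-known SIDs for low-privileged principals (assumption; extend as needed).
    $lowPrivSids = @('S-1-1-0',        # Everyone
                     'S-1-5-11',       # Authenticated Users
                     'S-1-5-4',        # INTERACTIVE
                     'S-1-5-32-545')   # BUILTIN\Users
    $keys = @(Get-Item -Path $KeyPath -ErrorAction Stop)
    if ($Recurse) {
        $keys += Get-ChildItem -Path $KeyPath -Recurse -ErrorAction SilentlyContinue
    }
    foreach ($key in $keys) {
        foreach ($ace in $key.GetAccessControl().Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            try {
                # Compare by SID so the check is independent of display language.
                $sid = $ace.IdentityReference.Translate(
                    [System.Security.Principal.SecurityIdentifier]).Value
            } catch { continue }   # unresolvable principal: skip it
            if ($lowPrivSids -notcontains $sid) { continue }
            if (([int]$ace.RegistryRights -band [int]$writeMask) -eq 0) { continue }
            [pscustomobject]@{
                Key       = $key.Name
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.RegistryRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Usage: replace the placeholder with the key under review. No output means no
# low-privileged principal holds write-capable rights on the audited keys.
Test-RegistryKeyWritableByUsers -KeyPath 'HKLM:\SOFTWARE\<PLACEHOLDER_KEY>' -Recurse
```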
For those in the cybersecurity field, MDSec has made the RegPwn exploit code publicly accessible on GitHub for further study, providing an invaluable resource for defensive researchers and security teams.