MDSec researchers have detailed a critical Elevation of Privilege (EoP) vulnerability dubbed "RegPwn" (CVE-2026-24291), affecting multiple versions of Windows and Windows Server. The vulnerability stems from how Windows Accessibility features manage registry configurations across different integrity levels. Specifically, the processes atbroker.exe and osk.exe copy configuration data from user-controllable registry keys to SYSTEM-controlled keys, creating a logic flaw that can be exploited by low-privileged users.
By utilizing registry symbolic links combined with opportunistic locks (oplocks) on system files like oskmenu.xml, an attacker can redirect registry write operations to arbitrary locations. This allows for the modification of sensitive system configurations, such as service image paths. MDSec demonstrated this by overwriting the msiserver service configuration to achieve full SYSTEM privileges, providing a proof-of-concept exploit to aid in defensive research.
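The write-up names the msiserver service configuration as the overwrite target. The following PowerShell check is an added example for defenders, not MDSec's proof of concept: it reads the service's ImagePath value without expanding environment variables and compares it with the stock Windows value. The expected value and the comparison logic are assumptions of this example (the stock ImagePath on a standard install is `%systemroot%\system32\msiexec.exe /V`); a mismatch is reported for investigation, not changed.

```powershell
# Added defender-side check, not part of the MDSec write-up or its PoC.
# Assumption: on a standard Windows install the msiserver ImagePath is the
# stock value below. Any deviation is flagged for investigation.

$ServiceKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\msiserver'
$ExpectedPath = '%systemroot%\system32\msiexec.exe /V'   # assumed stock value

function Test-MsiServerImagePath {
    param(
        [string]$KeyPath  = $ServiceKey,
        [string]$Expected = $ExpectedPath
    )

    # Get-Item on a registry path returns a RegistryKey object; read the value
    # with DoNotExpandEnvironmentNames so %systemroot% is compared literally
    # rather than after expansion.
    $key = Get-Item -Path $KeyPath -ErrorAction Stop
    $actual = [string]$key.GetValue(
        'ImagePath', $null,
        [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)

    $matches = $actual.Trim() -ieq $Expected

    [pscustomobject]@{
        Service   = 'msiserver'
        KeyPath   = $KeyPath
        ImagePath = $actual
        Expected  = $Expected
        Matches   = $matches
    }
}

# Run the check and surface a mismatch as a warning so it stands out in logs.
$result = Test-MsiServerImagePath
if (-not $result.Matches) {
    Write-Warning ("msiserver ImagePath differs from expected value: '{0}'" -f $result.ImagePath)
}
$result | Format-List
```

Run it in an elevated session if the service key is not readable to the current user. Because the flaw redirects a SYSTEM-level registry write, a point-in-time check like this only catches the outcome; for ongoing coverage, enabling object access auditing on the Services key (Windows event 4657, "A registry value was modified") and alerting on ImagePath changes by processes other than the usual service control tooling gives earlier notice.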