Microsoft: Windows Error Reporting Service Vulnerability Let Attackers Elevate Privileges – PoC Released

Critical Windows Privilege Escalation Flaw Patched in January 2026

Microsoft addressed a high-severity privilege escalation vulnerability (CVE-2026-20817) in the Windows Error Reporting Service in its January 2026 security updates. The flaw, rated 7.8 on the CVSS scale, allowed attackers with standard user access to gain SYSTEM-level control over affected systems.

The vulnerability stemmed from improper permission handling in the Windows Error Reporting Service (wersvc.dll), which runs as NT AUTHORITY\SYSTEM. The service failed to verify the requester's permissions when processing process-creation requests received over its ALPC port, so an attacker could craft messages that triggered the flaw.

Exploitation involved the CWerService::SvcElevatedLaunch function, which bypassed authorization checks, and the UserTokenUtility::GetProcessToken function, which produced a SYSTEM-level token stripped of SeTcbPrivilege but still holding critical privileges such as SeDebugPrivilege, SeImpersonatePrivilege, and SeBackupPrivilege. That was enough for full system compromise, including credential theft.

Microsoft mitigated the issue by disabling the vulnerable functionality entirely rather than implementing permission checks, suggesting the feature was never intended for external use. The company flagged the vulnerability as "Exploitation More Likely" within 30 days, urging immediate patch deployment.

For unpatched systems, security researchers recommended monitoring for unusual WerFault.exe or WerMgr.exe processes running with SYSTEM tokens lacking SeTcbPrivilege. The flaw highlights the risks of insufficient authorization checks in privileged services.
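A defender-side check for the indicator above, added here as an example that is not part of the original article or of Microsoft's guidance: it enumerates running WerFault.exe / WerMgr.exe processes, reads each token's user SID and privilege set through P/Invoke, and flags SYSTEM tokens that are missing SeTcbPrivilege. It assumes an elevated PowerShell 5.1+ session on Windows; the Wer.Native type and the Get-TokenInfo helper are my own names, not Windows APIs.

```powershell
# Added example (not from the article): flag WerFault.exe / WerMgr.exe processes running as
# SYSTEM whose token lacks SeTcbPrivilege. Assumes an elevated PowerShell session on Windows.
Add-Type -Namespace Wer -Name Native -MemberDefinition @'
[DllImport("advapi32.dll", SetLastError=true)]
public static extern bool OpenProcessToken(IntPtr proc, uint access, out IntPtr token);
[DllImport("advapi32.dll", SetLastError=true)]
public static extern bool GetTokenInformation(IntPtr token, int cls, IntPtr buf, int len, out int needed);
[DllImport("advapi32.dll", SetLastError=true, CharSet=CharSet.Unicode)]
public static extern bool LookupPrivilegeName(string sys, ref long luid, System.Text.StringBuilder name, ref int len);
[DllImport("kernel32.dll")] public static extern bool CloseHandle(IntPtr h);
'@
# Returns the token's user SID and the names of every privilege present in it (enabled or
# not), or $null if the token cannot be opened. Helper name is my own, not a Windows API.
function Get-TokenInfo([IntPtr]$ProcessHandle) {
    $token = [IntPtr]::Zero
    if (-not [Wer.Native]::OpenProcessToken($ProcessHandle, 0x8, [ref]$token)) { return $null } # TOKEN_QUERY
    $buf = [Runtime.InteropServices.Marshal]::AllocHGlobal(8192); $n = 0
    try {
        # TokenUser (class 1): TOKEN_USER starts with a PSID pointer
        [void][Wer.Native]::GetTokenInformation($token, 1, $buf, 8192, [ref]$n)
        $sid = [Security.Principal.SecurityIdentifier]::new([Runtime.InteropServices.Marshal]::ReadIntPtr($buf))
        # TokenPrivileges (class 3): DWORD count, then 12-byte LUID_AND_ATTRIBUTES entries
        [void][Wer.Native]::GetTokenInformation($token, 3, $buf, 8192, [ref]$n)
        $count = [Runtime.InteropServices.Marshal]::ReadInt32($buf)
        $privs = for ($i = 0; $i -lt $count; $i++) {
            $luid = [Runtime.InteropServices.Marshal]::ReadInt64($buf, 4 + 12 * $i)
            $name = [Text.StringBuilder]::new(64); $len = 64
            [void][Wer.Native]::LookupPrivilegeName($null, [ref]$luid, $name, [ref]$len)
            $name.ToString()
        }
        [pscustomobject]@{ Sid = $sid.Value; Privileges = @($privs) }
    } finally {
        [Runtime.InteropServices.Marshal]::FreeHGlobal($buf)
        [void][Wer.Native]::CloseHandle($token)
    }
}
[Diagnostics.Process]::EnterDebugMode()  # enable SeDebugPrivilege so SYSTEM-owned processes can be opened
Get-Process -Name WerFault, WerMgr -ErrorAction SilentlyContinue | ForEach-Object {
    try { $info = Get-TokenInfo $_.Handle } catch { $info = $null }  # access denied, process exited, etc.
    if ($null -eq $info) { return }
    [pscustomobject]@{
        Pid     = $_.Id
        Name    = $_.ProcessName
        User    = $info.Sid
        HasTcb  = $info.Privileges -contains 'SeTcbPrivilege'
        # SYSTEM (S-1-5-18) without SeTcbPrivilege is the fingerprint described in the article
        Suspect = ($info.Sid -eq 'S-1-5-18') -and ($info.Privileges -notcontains 'SeTcbPrivilege')
    }
} | Format-Table -AutoSize
```

A legitimate WER worker launched by the service normally carries SeTcbPrivilege, so a Suspect row is worth correlating with the parent process and the user's session before treating it as benign.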

Source: https://cybersecuritynews.com/windows-error-reporting-service-vulnerability/

Microsoft cybersecurity rating report: https://www.rankiteo.com/company/Microsoft

{
  "id": "MIC1770731604",
  "linkid": "Microsoft",
  "type": "Vulnerability",
  "date": "1/2026",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}

{
  "affected_entities": [
    {
      "industry": "Technology",
      "location": "Global",
      "name": "Microsoft Windows Users",
      "type": "Operating System"
    }
  ],
  "attack_vector": "Local",
  "customer_advisories": "Urged immediate patch deployment for all affected Windows systems.",
  "date_publicly_disclosed": "2026-01",
  "date_resolved": "2026-01",
  "description": "Microsoft addressed a high-severity privilege escalation vulnerability (CVE-2026-20817) in the Windows Error Reporting Service, patched in its January 2026 security updates. The flaw allowed attackers with standard user access to gain SYSTEM-level control over affected systems due to improper permission handling in the Windows Error Reporting Service (wersvc.dll).",
  "impact": {
    "operational_impact": "Full system compromise, credential theft",
    "systems_affected": "Windows systems with unpatched Windows Error Reporting Service"
  },
  "investigation_status": "Patched",
  "lessons_learned": "Highlights the risks of insufficient authorization checks in privileged services.",
  "post_incident_analysis": {
    "corrective_actions": "Disabling the vulnerable functionality in the Windows Error Reporting Service.",
    "root_causes": "Improper permission handling in the Windows Error Reporting Service (wersvc.dll), specifically in the CWerService::SvcElevatedLaunch and UserTokenUtility::GetProcessToken functions."
  },
  "recommendations": "Immediate patch deployment, monitoring for unusual WerFault.exe or WerMgr.exe processes with SYSTEM tokens lacking SeTcbPrivilege.",
  "references": [
    { "source": "Microsoft Security Update" }
  ],
  "response": {
    "communication_strategy": "Security update advisory, urging immediate patch deployment",
    "containment_measures": "Patch deployment (disabling vulnerable functionality)",
    "enhanced_monitoring": "Monitoring for unusual WerFault.exe or WerMgr.exe processes running with SYSTEM tokens lacking SeTcbPrivilege",
    "remediation_measures": "Microsoft disabled the vulnerable functionality in the Windows Error Reporting Service"
  },
  "stakeholder_advisories": "Microsoft flagged the vulnerability as 'Exploitation More Likely' within 30 days.",
  "title": "Critical Windows Privilege Escalation Flaw (CVE-2026-20817)",
  "type": "Privilege Escalation",
  "vulnerability_exploited": "Improper permission handling in Windows Error Reporting Service (wersvc.dll)"
}