Microsoft: Windows Error Reporting Vulnerability Allows Attackers to Elevate Privileges

Windows Error Reporting Flaw (CVE-2026-20817) Enables Local Privilege Escalation to SYSTEM

A critical vulnerability in Windows Error Reporting (WER), tracked as CVE-2026-20817, was patched in January 2026 after allowing local attackers to escalate privileges to SYSTEM, the highest level of access on Windows systems. The flaw, rated 7.8 (High) on the CVSS v3.1 scale, impacts confidentiality, integrity, and availability by exploiting insufficient permission checks in the WER service (wersvc.dll).

Vulnerability Mechanics

The WER service, which runs as NT AUTHORITY\SYSTEM, processes crash reports via Advanced Local Procedure Call (ALPC) ports. The flaw (classified as CWE-280: Improper Handling of Insufficient Permissions) arises when the service fails to validate process creation requests from low-privilege users. Attackers can send crafted messages to spawn WerFault.exe or WerMgr.exe with a near-SYSTEM token, controlling the command line (up to 520 bytes) to execute arbitrary code.

The attack chain begins with CWerService::SvcElevatedLaunch, which opens the sender’s process without privilege verification. It then retrieves attacker-supplied command lines from shared memory via ElevatedProcessStart and obtains the WER service’s SYSTEM token through UserTokenUtility::GetProcessToken. While the token is stripped of SeTcbPrivilege, it retains other high-privilege attributes, allowing the creation of a SYSTEM-level process with attacker-controlled arguments via CreateElevatedProcessAsUser.

Exploitation & Impact

Exploitation requires only standard user access and no user interaction, making it ideal for post-compromise privilege escalation. Proof-of-concept (PoC) demonstrations on Windows 11 23H2 confirm that attackers can:

  • Connect to WER’s ALPC port.
  • Send malicious messages to spawn SYSTEM processes with privileges like SeDebugPrivilege.
  • Enable credential theft, persistence, or full system takeover when chained with other vulnerabilities.

While no in-the-wild exploits have been confirmed, defenders are advised to monitor for:

  • Unusual WerFault.exe or WerMgr.exe processes (Event ID 4688) with suspicious command lines.
  • SYSTEM tokens lacking SeTcbPrivilege but retaining other privileges (Sysmon Event ID 10).
  • Modifications to WER directories or abnormal child processes from low-privilege users.
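To make the first and third indicators above concrete, here is an added Python example (not code from the article, from Microsoft, or from cyberpress.org) that triages Event ID 4688 process-creation records offline. It flags WerFault.exe or WerMgr.exe launches whose command line carries arguments outside a baseline of expected WER switches, WER binaries that spawn child processes, and WER launches for which no command line was logged at all. The sample records and the baseline switch set are constructed assumptions and should be tuned against real telemetry; the RecordId key is bookkeeping added here, not a 4688 EventData field.

```python
"""Offline triage of Windows Security Event ID 4688 (process creation) records
for unexpected WerFault.exe / WerMgr.exe activity.

Added example; not code from the article, Microsoft, or cyberpress.org.
Sample events and the baseline of expected WER switches are constructed
assumptions for illustration and should be tuned to real telemetry.
"""
import re
from dataclasses import dataclass

WER_BINARIES = {"werfault.exe", "wermgr.exe"}

# Constructed baseline (assumption): switches the OS itself passes when it
# launches these binaries for genuine crash handling. Anything else in the
# command line is treated as worth a look.
EXPECTED_SWITCHES = {"-u", "-p", "-s", "-pss", "-ip", "-k", "-lc", "-rq",
                     "-upload", "-queuereporting"}


@dataclass
class Finding:
    record_id: int     # bookkeeping key added here, not a 4688 EventData field
    reason: str
    command_line: str


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path (tolerates forward slashes)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _arguments(command_line: str) -> list[str]:
    """Drop the leading image token (quoted or bare) and return the arguments."""
    m = re.match(r'^\s*(?:"[^"]*"|\S+)\s*(.*)$', command_line)
    return m.group(1).split() if m else []


def analyze_4688(event: dict) -> list[Finding]:
    """Apply the three WER checks to one 4688 record (EventData fields as a dict)."""
    findings: list[Finding] = []
    rid = event.get("RecordId", -1)
    new_image = _basename(event.get("NewProcessName", ""))
    parent_image = _basename(event.get("ParentProcessName", ""))
    cmd = event.get("CommandLine", "")

    if new_image in WER_BINARIES:
        if not cmd:
            # CommandLine stays empty unless command-line auditing is enabled.
            findings.append(Finding(rid, "WER binary launched but no command line "
                                         "logged; enable command-line auditing", cmd))
        else:
            odd = [a for a in _arguments(cmd)
                   if a not in EXPECTED_SWITCHES and not a.isdigit()]
            if odd:
                findings.append(Finding(
                    rid, f"unexpected arguments to {new_image}: {odd}", cmd))

    if parent_image in WER_BINARIES:
        # WER binaries normally report and exit; child processes are abnormal.
        findings.append(Finding(
            rid, f"{parent_image} spawned child {new_image}", cmd))
    return findings


def triage(events: list[dict]) -> list[Finding]:
    """Run analyze_4688 over a batch of records and collect all findings."""
    results: list[Finding] = []
    for event in events:
        results.extend(analyze_4688(event))
    return results


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    {   # benign: OS-launched user-mode crash handler
        "RecordId": 1001, "SubjectUserName": "SYSTEM",
        "NewProcessName": r"C:\Windows\System32\WerFault.exe",
        "ParentProcessName": r"C:\Windows\System32\svchost.exe",
        "CommandLine": r"C:\Windows\system32\WerFault.exe -u -p 4120 -s 1820",
    },
    {   # WER launch carrying arguments outside the baseline
        "RecordId": 1002, "SubjectUserName": "SYSTEM",
        "NewProcessName": r"C:\Windows\System32\WerFault.exe",
        "ParentProcessName": r"C:\Windows\System32\svchost.exe",
        "CommandLine": r'"C:\Windows\System32\WerFault.exe" -p 4120 -s 1820 '
                       r"--not-a-wer-switch C:\Users\alice\AppData\Local\Temp\x.txt",
    },
    {   # WER binary spawning a child process
        "RecordId": 1003, "SubjectUserName": "SYSTEM",
        "NewProcessName": r"C:\Windows\System32\cmd.exe",
        "ParentProcessName": r"C:\Windows\System32\WerFault.exe",
        "CommandLine": "cmd.exe /c set",
    },
    {   # WER launch with command-line auditing switched off
        "RecordId": 1004, "SubjectUserName": "SYSTEM",
        "NewProcessName": r"C:\Windows\System32\WerMgr.exe",
        "ParentProcessName": r"C:\Windows\System32\svchost.exe",
        "CommandLine": "",
    },
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"record {f.record_id}: {f.reason} | {f.command_line}")
```

The CommandLine field of 4688 is only populated when Audit Process Creation is on and the "Include command line in process creation events" policy is enabled; without it the argument check has nothing to inspect and the script can only report the missing command line. Because the vulnerable service launches WerFault.exe itself, the parent process and subject account look legitimate in these records, which is why the command line and any children are the fields worth baselining.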

Mitigation & Patch

Microsoft’s patch introduces a feature flag in SvcElevatedLaunch to reject unauthorized requests, effectively disabling the vulnerable function. Organizations should:

  • Apply the January 2026 Windows Update immediately.
  • If patching is delayed, disable the WER service via (sc.exe requires the space after start=):
    sc config WerSvc start= disabled
    sc stop WerSvc

  • Limit local logons, enforce application whitelisting, and monitor for privilege escalation attempts using BAS (Breach and Attack Simulation) tools.

The flaw underscores the risks of unrestricted process creation in privileged services, particularly when handling user-supplied input.

Source: https://cyberpress.org/windows-error-reporting-vulnerability/

Microsoft Security Response Center cybersecurity rating report: https://www.rankiteo.com/company/microsoft-security-response-center

"id": "MIC1770731828",
"linkid": "microsoft-security-response-center",
"type": "Vulnerability",
"date": "1/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'All users of Windows 11 23H2 '
                                              'and potentially other versions',
                        'industry': 'Technology',
                        'location': 'Global',
                        'name': 'Microsoft Windows',
                        'type': 'Operating System'}],
 'attack_vector': 'Local',
 'date_publicly_disclosed': '2026-01',
 'date_resolved': '2026-01',
 'description': 'A critical vulnerability in Windows Error Reporting (WER), '
                'tracked as CVE-2026-20817, was patched in January 2026 after '
                'allowing local attackers to escalate privileges to SYSTEM, '
                'the highest level of access on Windows systems. The flaw, '
                'rated 7.8 (High) on the CVSS v3.1 scale, impacts '
                'confidentiality, integrity, and availability by exploiting '
                'insufficient permission checks in the WER service '
                '(wersvc.dll). The vulnerability arises when the service fails '
                'to validate process creation requests from low-privilege '
                'users, enabling attackers to execute arbitrary code with '
                'SYSTEM privileges.',
 'impact': {'identity_theft_risk': 'High (if chained with other '
                                   'vulnerabilities)',
            'operational_impact': 'Full system takeover, credential theft, '
                                  'persistence',
            'systems_affected': 'Windows 11 23H2, Windows Error Reporting '
                                'Service (wersvc.dll)'},
 'investigation_status': 'Patched',
 'lessons_learned': 'The flaw underscores the risks of unrestricted process '
                    'creation in privileged services, particularly when '
                    'handling user-supplied input.',
 'post_incident_analysis': {'corrective_actions': 'Introduced a feature flag '
                                                  'in SvcElevatedLaunch to '
                                                  'reject unauthorized '
                                                  'requests',
                            'root_causes': 'Insufficient permission checks in '
                                           'the WER service (wersvc.dll), '
                                           'allowing low-privilege users to '
                                           'spawn SYSTEM processes with '
                                           'attacker-controlled command lines'},
 'recommendations': ['Apply the January 2026 Windows Update immediately',
                     'Disable the WER service if patching is delayed',
                     'Limit local logons and enforce application whitelisting',
                     'Monitor for privilege escalation attempts using Breach '
                     'and Attack Simulation (BAS) tools'],
 'references': [{'source': 'Microsoft Security Update'}],
 'response': {'containment_measures': 'Apply January 2026 Windows Update, '
                                      'disable WER service if patching is '
                                      'delayed',
              'enhanced_monitoring': 'Monitor for unusual '
                                     'WerFault.exe/WerMgr.exe processes (Event '
                                     'ID 4688), SYSTEM tokens lacking '
                                     'SeTcbPrivilege (Sysmon Event ID 10), and '
                                     'modifications to WER directories',
              'remediation_measures': 'Patch CVE-2026-20817, enforce '
                                      'application whitelisting, limit local '
                                      'logons'},
 'title': 'Windows Error Reporting Flaw (CVE-2026-20817) Enables Local '
          'Privilege Escalation to SYSTEM',
 'type': 'Privilege Escalation',
 'vulnerability_exploited': 'CVE-2026-20817 (CWE-280: Improper Handling of '
                            'Insufficient Permissions)'}