Microsoft: ‘RegPwn’ Windows Registry Vulnerability Enables Full System Access to Attackers

High-Severity Windows "RegPwn" Vulnerability Exploits Accessibility Features for Privilege Escalation

A critical Windows elevation-of-privilege vulnerability, tracked as CVE-2026-24291 (RegPwn), was discovered by the MDSec red team and patched in a recent Microsoft Patch Tuesday update. The flaw allowed low-privileged users to gain full SYSTEM-level access by manipulating Windows’ built-in accessibility features.

The attack exploited how Windows handles registry keys for tools like the On-Screen Keyboard and Narrator. When launched, these features create a user-writable registry key that is later copied into the local machine (HKLM) hive during login, a process that runs with SYSTEM privileges. By leveraging an opportunistic lock (oplock) on a system file, attackers could pause the registry copy operation and replace the target key with a symbolic link, redirecting writes to arbitrary registry locations.

In MDSec’s proof-of-concept, this technique was used to overwrite a system service’s execution path, granting immediate SYSTEM-level command access. The vulnerability had been actively exploited in internal engagements since January 2025 before Microsoft issued a fix.

MDSec has released the RegPwn exploit code on GitHub for defensive research. Organizations are urged to apply the latest Windows updates to mitigate this local privilege escalation risk.
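
For defenders, the two observable effects described above (a registry symbolic link being created, and a service's execution path being rewritten) can be triaged from Sysmon registry value-set events (Event ID 13). The following is an added example, not code from MDSec or Microsoft. It assumes Sysmon registry logging is configured to capture these keys and that events are already parsed into dictionaries. The writer allowlist, the sample events and the names `ExampleSvc`, `ExampleKey` and `example-host.exe` are constructed for illustration.

```python
import re

# Writers normally expected to set a service ImagePath. This allowlist is an
# assumption for the example; tune it against your own baseline.
EXPECTED_WRITERS = {
    r"c:\windows\system32\services.exe",
    r"c:\windows\system32\msiexec.exe",
    r"c:\windows\servicing\trustedinstaller.exe",
}
IMAGEPATH_RE = re.compile(
    r"^HKLM\\System\\CurrentControlSet\\Services\\([^\\]+)\\ImagePath$", re.I)

def triage(events):
    """Return (reason, event) pairs for suspicious registry value-set events."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 13:          # 13 = RegistryEvent (Value Set)
            continue
        target = ev.get("TargetObject", "")
        writer = ev.get("Image", "").lower()
        # A registry symbolic link stores its target in a value with this name.
        if target.lower().endswith("\\symboliclinkvalue"):
            findings.append(("registry-symlink-created", ev))
            continue
        m = IMAGEPATH_RE.match(target)
        if m and writer not in EXPECTED_WRITERS:
            findings.append((f"service-imagepath-changed:{m.group(1)}", ev))
    return findings

# Constructed sample events (not taken from a real host or from the page).
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\System32\services.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\ExampleSvc\ImagePath",
     "Details": r"C:\Program Files\Example\svc.exe"},
    {"EventID": 13, "Image": r"C:\Users\alice\AppData\Local\Temp\tool.exe",
     "TargetObject": r"HKU\S-1-5-21-0-0-0-1001\Software\ExampleKey\SymbolicLinkValue",
     "Details": "Binary Data"},
    {"EventID": 13, "Image": r"C:\Windows\System32\example-host.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\ExampleSvc\ImagePath",
     "Details": r"C:\Users\Public\updater.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\osk.exe"},
]

if __name__ == "__main__":
    for reason, ev in triage(SAMPLE_EVENTS):
        print(reason, "|", ev["Image"], "->", ev["TargetObject"])
```

Registry symbolic links are rare in normal operation, so the first rule is usually low-noise; the ImagePath rule needs the allowlist extended for legitimate installers and management agents in a given environment.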

Source: https://cybersecuritynews.com/regpwn-windows-registry-vulnerability/

Microsoft Security Response Center cybersecurity rating report: https://www.rankiteo.com/company/microsoft-security-response-center

"id": "MIC1773822231",
"linkid": "microsoft-security-response-center",
"type": "Vulnerability",
"date": "1/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'All Windows users prior to '
                                              'patch',
                        'industry': 'Technology',
                        'location': 'Global',
                        'name': 'Microsoft Windows',
                        'type': 'Operating System'}],
 'attack_vector': 'Local',
 'customer_advisories': 'Organizations are urged to apply the latest Windows '
                        'updates to mitigate this local privilege escalation '
                        'risk.',
 'date_detected': '2025-01-01',
 'description': 'A critical Windows elevation-of-privilege vulnerability, '
                'tracked as CVE-2026-24291 (RegPwn), was discovered by the '
                'MDSec red team and patched in a recent Microsoft Patch '
                'Tuesday update. The flaw allowed low-privileged users to gain '
                'full SYSTEM-level access by manipulating Windows’ built-in '
                'accessibility features. The attack exploited how Windows '
                'handles registry keys for tools like the On-Screen Keyboard '
                'and Narrator, enabling attackers to redirect registry writes '
                'to arbitrary locations via symbolic links, ultimately '
                'overwriting system service execution paths.',
 'impact': {'operational_impact': 'Potential full SYSTEM-level access for '
                                  'low-privileged users',
            'systems_affected': 'Windows systems with accessibility features '
                                'enabled'},
 'investigation_status': 'Patched',
 'lessons_learned': 'Importance of securing registry operations and '
                    'accessibility features in Windows; need for timely '
                    'patching of privilege escalation vulnerabilities.',
 'motivation': 'Research/Defensive Testing',
 'post_incident_analysis': {'corrective_actions': 'Microsoft patched the '
                                                  'vulnerability to prevent '
                                                  'registry manipulation via '
                                                  'symbolic links in '
                                                  'accessibility features.',
                            'root_causes': 'Insecure handling of registry keys '
                                           'during accessibility feature '
                                           'initialization, allowing symbolic '
                                           'link redirection to SYSTEM-level '
                                           'registry locations.'},
 'recommendations': 'Apply the latest Windows updates immediately. Monitor for '
                    'unusual registry modifications or symbolic link creation. '
                    'Restrict access to accessibility features where '
                    'unnecessary.',
 'references': [{'source': 'MDSec', 'url': 'https://github.com/MDSec/RegPwn'}],
 'response': {'containment_measures': 'Microsoft Patch Tuesday update',
              'remediation_measures': 'Apply latest Windows updates'},
 'threat_actor': 'MDSec red team (proof-of-concept)',
 'title': "High-Severity Windows 'RegPwn' Vulnerability Exploits Accessibility "
          'Features for Privilege Escalation',
 'type': 'Privilege Escalation',
 'vulnerability_exploited': 'CVE-2026-24291 (RegPwn)'}