
Vulnerability Basics
CVE-2026-20817 affects wersvc.dll in the WER service, which runs as NT AUTHORITY\SYSTEM and handles crash reports via ALPC ports.
The issue, classified as CWE-280, stems from no permission checks on process creation requests from low-privilege users.
Attackers send crafted messages to spawn WerFault.exe or WerMgr.exe with a near-SYSTEM token, controlling up to 520 bytes of its command line.
This local attack needs only standard user access, no interaction, making it ideal for post-compromise escalation.
The chain starts at CWerService::SvcElevatedLaunch, which opens the sender’s process without verifying privileges.
It calls ElevatedProcessStart to pull attacker-supplied command lines from shared memory, then UserTokenUtility::GetProcessToken.
Key step: GetProcessToken grabs the WER service's SYSTEM token, strips only SeTcbPrivilege via CreateRestrictedToken, and ignores the user's token if unsuitable.
Finally, CreateElevatedProcessAsUser launches the process with this powerful token and attacker args.
Microsoft’s patch adds a feature flag in SvcElevatedLaunch to reject requests outright, disabling the exposed function.
Proof-of-concept demos on Windows 11 23H2 show standard users connecting to WER’s ALPC port, sending messages, and spawning SYSTEM processes with privileges like SeDebugPrivilege.
This enables credential theft, persistence, or full takeover when chained with other flaws. No in-the-wild exploitation has been confirmed yet.
Watch for WerFault.exe or WerMgr.exe with odd command lines or child processes from low-priv users (Event ID 4688).
Check for abnormal tokens lacking SeTcbPrivilege but holding others, plus WER directory changes.
Tools like Sysmon (Event ID 10) spot token tweaks; baselines help flag anomalies.
| Indicator | Event/Source | Action |
|---|---|---|
| Unusual WerFault.exe spawn | Security 4688 | Alert |
| SYSTEM token sans SeTcb | Sysmon 10 | Investigate |
| Weird WER args | Process audit | Block |
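As an added example, not code from the original article, the following Python triage routine applies the "odd command line" heuristic above to constructed Security 4688 records: any WerFault.exe or WerMgr.exe launch whose arguments are not baseline switches or numeric pid/handle values, or whose command line is unusually long, is reported. The switch baseline and the 200-character threshold are assumptions to tune against your own healthy-host telemetry.

```python
WER_IMAGES = {"werfault.exe", "wermgr.exe"}
# Assumed baseline of switches the WER service passes to its helpers; it is an
# illustration, so tune it against telemetry from known-healthy hosts.
BASELINE_SWITCHES = {
    "werfault.exe": {"-u", "-p", "-s", "-pss", "-k", "-l", "-lcq", "-ips"},
    "wermgr.exe": {"-upload", "-queuereporting", "-outproc"},
}
# The flaw hands a requester up to 520 bytes of command line; a genuine WER
# helper launch is far shorter, so length alone is a useful signal.
MAX_EXPECTED_CMDLINE = 200
SYS32 = r"C:\Windows\System32"

def analyze_event(event: dict) -> list[str]:
    """Return the reasons a 4688 record looks anomalous (empty list = benign)."""
    image = event.get("NewProcessName", "").rsplit("\\", 1)[-1].lower()
    if image not in WER_IMAGES:
        return []
    cmdline = event.get("CommandLine", "")
    reasons = []
    if len(cmdline) > MAX_EXPECTED_CMDLINE:
        reasons.append(f"command line length {len(cmdline)} exceeds baseline")
    # Both helpers live in System32 (no spaces), so whitespace splitting is safe;
    # arguments should be baseline switches or numeric pid/handle values only.
    for tok in cmdline.split()[1:]:
        if tok.startswith(("-", "/")):
            if tok.lower() not in BASELINE_SWITCHES[image]:
                reasons.append(f"unexpected switch {tok!r}")
        elif not tok.isdigit():
            reasons.append(f"non-numeric argument {tok!r}")
    return reasons

def scan(events: list[dict]) -> dict[int, list[str]]:
    """Map record index to reasons for every record that raised at least one."""
    return {i: r for i, e in enumerate(events) if (r := analyze_event(e))}

def rec(image: str, args: str) -> dict:
    """Build a minimal constructed 4688-style record (not real telemetry)."""
    path = SYS32 + "\\" + image
    return {"NewProcessName": path, "CommandLine": f"{path} {args}".rstrip()}

SAMPLE_4688 = [
    rec("WerFault.exe", "-u -p 4120 -s 1364"),                   # benign
    rec("WerFault.exe", r"-u -p 4120 -s C:\Users\Public\x.txt"),  # odd argument
    rec("WerFault.exe", "-u -p 4120 -s 1364 " + "A" * 300),      # overlong
    rec("wermgr.exe", "-upload"),                                 # benign
    rec("notepad.exe", ""),                                       # not a WER helper
]
```

Feed `scan()` records exported from the Security log (with `NewProcessName` and `CommandLine` fields) and review each hit alongside its parent process and Sysmon data.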
Apply the January 2026 patches via Windows Update immediately. If patching is delayed, disable WerSvc: `sc config WerSvc start= disabled` followed by `sc stop WerSvc` (note the space after `start=`, which `sc` requires).
Limit local logons, use application whitelisting, and monitor for privilege escalations. Test defenses with breach-and-attack-simulation (BAS) tools that simulate this attack.
