
Vulnerability Overview
The security researcher known as oxfemale (@bytecodevm) has published a working PoC exploit on GitHub for CVE-2026-20817, a flaw patched by Microsoft in the January 2026 Patch Tuesday security update.
The vulnerability resides in wersvc.dll, the core DLL of the Windows Error Reporting service, which runs under the NT AUTHORITY\SYSTEM context and handles crash reports via Advanced Local Procedure Call (ALPC) ports.
Classified under CWE-280 (Improper Handling of Insufficient Permissions or Privileges), the flaw carries a CVSS v3.1 base score of 7.8, reflecting high impact on confidentiality, integrity, and availability.
| Attribute | Details |
|---|---|
| CVE ID | CVE-2026-20817 |
| Severity | High |
| CVSS Score | 7.8 (CVSS v3.1) |
The WER service exposes an ALPC port named WindowsErrorReportingService and provides several methods for interprocess communication.
The vulnerability exists in the SvcElevatedLaunch method (0x0D), where the service fails to validate the caller’s privileges before launching WerFault.exe with user-supplied command line parameters from shared memory.
The exploitation chain follows these steps:
- The attacker creates shared memory containing an arbitrary command line (up to 520 bytes).
- A connection is established to the WER ALPC port.
- An ALPC message is sent with method 0x0D, including the client process ID, shared memory handle, and command line length.
- The WER service duplicates the handle and calls ElevatedProcessStart, which reads the attacker-supplied command line from shared memory. UserTokenUtility::GetProcessToken retrieves the WER service's SYSTEM token and strips only SeTcbPrivilege via CreateRestrictedToken. CreateElevatedProcessAsUser then launches the resulting process with SYSTEM privileges and attacker-controlled arguments.
The spawned process retains powerful privileges, including SeDebugPrivilege (debug any process) and SeImpersonatePrivilege (impersonate any user), enabling credential theft, persistence, or full system takeover.
The vulnerability affects unpatched versions of the following operating systems:
- Windows 10 (all versions before January 2026 update)
- Windows 11 (all versions before January 2026 update)
- Windows Server 2019 (pre-January 2026 patch)
- Windows Server 2022 (pre-January 2026 patch)
PoC demonstrations have confirmed successful exploitation on Windows 11 23H2, where a standard user was able to spawn a SYSTEM-level process via the WER ALPC port.
Detection and Indicators of Compromise
Security teams should monitor for the following indicators:
| Indicator | Event/Source | Recommended Action |
|---|---|---|
| Unusual WerFault.exe or WerMgr.exe spawn with odd command lines | Security Event ID 4688 | Alert and investigate |
| SYSTEM processes whose token lacks SeTcbPrivilege but still holds SeDebugPrivilege and SeImpersonatePrivilege | Endpoint token enumeration (Sysmon Event ID 10 records process access, not token privileges) | Investigate immediately |
| Unexpected WER-related arguments or child processes from low-privilege users | Process audit logs | Block and escalate |
| File system changes in WER directories | File integrity monitoring | Review and correlate |
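As an added example (not code from the article, the researcher, or Microsoft), the Python below triages Event ID 4688 records for the first three indicator rows and checks a privilege set for the token shape described in the exploitation chain. The sample events are constructed, and the baseline of WerFault.exe switches is an assumption to tune against your own telemetry rather than a Microsoft-documented list.

```python
"""Triage of Windows Security Event ID 4688 records and token privilege sets for
the CVE-2026-20817 indicators.  Added example, not code from the article, the
researcher, or Microsoft.  Events are constructed samples; the WerFault.exe
switch baseline is an assumption, not a Microsoft-documented list."""
import shlex
from dataclasses import dataclass

# Switches normally seen on service-launched WerFault.exe (assumed baseline);
# numeric arguments such as PIDs and handle values follow them.
WERFAULT_SWITCHES = {"-u", "-p", "-s", "-ip", "-pss", "-h", "-k", "-l", "-lcq"}

# Images a crash reporter has no business spawning.
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe", "mshta.exe"}


@dataclass(frozen=True)
class Event4688:
    new_process: str      # NewProcessName
    command_line: str     # CommandLine (needs "Include command line in process creation events")
    parent_process: str   # ParentProcessName (Creator Process Name)
    target_user: str      # TargetUserName: the account the new process runs as


def basename(path: str) -> str:
    """Lower-cased image file name, tolerant of quotes and either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip('"').lower()


def unexpected_werfault_args(command_line: str) -> list:
    """Tokens in a WerFault.exe command line not explained by the assumed baseline.
    Returns [] for a non-WerFault command line or for a clean one."""
    tokens = shlex.split(command_line, posix=False)   # non-POSIX: backslashes stay literal
    if not tokens or basename(tokens[0]) != "werfault.exe":
        return []
    return [t for t in tokens[1:] if t.lower() not in WERFAULT_SWITCHES and not t.isdigit()]


def token_matches_wer_fingerprint(privileges) -> bool:
    """Token shape from the exploitation chain: SYSTEM with only SeTcbPrivilege
    removed, so SeDebugPrivilege and SeImpersonatePrivilege survive."""
    have = {p.lower() for p in privileges}
    return "setcbprivilege" not in have and {"sedebugprivilege", "seimpersonateprivilege"} <= have


def triage(events) -> list:
    """Return (rule_name, event, detail) for records matching the indicators."""
    hits = []
    for ev in events:
        image, parent = basename(ev.new_process), basename(ev.parent_process)
        if image == "werfault.exe":
            odd = unexpected_werfault_args(ev.command_line)
            if odd:
                hits.append(("werfault_unexpected_args", ev, odd))
        if parent == "werfault.exe" and image in SHELL_IMAGES:
            hits.append(("werfault_spawned_shell", ev, [image]))
    return hits


# Constructed sample records: a benign crash report, an attacker-controlled
# argument string, and a shell spawned under the resulting SYSTEM process.
SAMPLE_EVENTS = [
    Event4688(r"C:\Windows\System32\WerFault.exe",
              r"C:\Windows\System32\WerFault.exe -u -p 4120 -s 1876",
              r"C:\Windows\System32\svchost.exe", "SYSTEM"),
    Event4688(r"C:\Windows\System32\WerFault.exe",
              r'"C:\Windows\System32\WerFault.exe" -u -p 4120 -s 1876 cmd.exe /c whoami > C:\Users\Public\w.txt',
              r"C:\Windows\System32\svchost.exe", "SYSTEM"),
    Event4688(r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /c whoami /priv",
              r"C:\Windows\System32\WerFault.exe", "SYSTEM"),
]

if __name__ == "__main__":
    for rule, ev, detail in triage(SAMPLE_EVENTS):
        print(f"{rule}: {ev.new_process} (parent {ev.parent_process}) {detail}")
    print(token_matches_wer_fingerprint(["SeDebugPrivilege", "SeImpersonatePrivilege"]))
```

Feed real 4688 records by mapping the event's NewProcessName, CommandLine, ParentProcessName and TargetUserName fields into Event4688; the privilege check takes the list a token enumeration tool reports for a SYSTEM process and is deliberately narrow, so it will not fire on ordinary SYSTEM tokens that still hold SeTcbPrivilege.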
Organizations should apply the January 2026 security patches via Windows Update immediately. If immediate patching is not feasible, the WER service can be temporarily disabled as a workaround, at the cost of losing crash reports until it is re-enabled. From an elevated command prompt (note that sc.exe requires the space after "start="):
sc config WerSvc start= disabled
sc stop WerSvc
Additional hardening measures include restricting local logon rights to critical systems, implementing application whitelisting policies, monitoring privilege escalation patterns using Sysmon and enhanced process auditing, and validating SYSTEM token integrity across endpoints.
While no confirmed in-the-wild exploitation has been reported, the public availability of a functional PoC significantly increases the risk of active exploitation.
The post PoC Exploit Released for Microsoft Windows Error Reporting ALPC Privilege Escalation appeared first on Cyber Security News.
