The security researcher known as oxfemale (@bytecodevm) has published a working PoC exploit on GitHub for CVE-2026-20817, a flaw patched by Microsoft in the January 2026 Patch Tuesday security update.
The vulnerability resides in wersvc.dll, the core DLL of the Windows Error Reporting service, which runs under the NT AUTHORITY\SYSTEM context and handles crash reports via Advanced Local Procedure Call (ALPC) ports.
Classified under CWE-280 (Improper Handling of Insufficient Permissions or Privileges), the flaw carries a CVSS v3.1 base score of 7.8, reflecting high impact on confidentiality, integrity, and availability.
| Attribute | Details |
|---|---|
| CVE ID | CVE-2026-20817 |
| Severity | High |
| CVSS Score | 7.8 (CVSS v3.1) |
The WER service exposes an ALPC port named WindowsErrorReportingService and provides several methods for interprocess communication.
The vulnerability exists in the SvcElevatedLaunch method (0x0D), where the service fails to validate the caller’s privileges before launching WerFault.exe with user-supplied command line parameters from shared memory.
The exploitation chain follows these steps:
1. ElevatedProcessStart reads the attacker-supplied command line from shared memory.
2. UserTokenUtility::GetProcessToken retrieves the WER service's SYSTEM token and strips only SeTcbPrivilege via CreateRestrictedToken.
3. CreateElevatedProcessAsUser launches the resulting process with SYSTEM privileges and attacker-controlled arguments.
4. The spawned process retains powerful privileges, including SeDebugPrivilege (debug any process) and SeImpersonatePrivilege (impersonate any user), enabling credential theft, persistence, or full system takeover.
The vulnerability affects unpatched versions of the following operating systems:
PoC demonstrations have confirmed successful exploitation on Windows 11 23H2, where a standard user was able to spawn a SYSTEM-level process via the WER ALPC port.
Security teams should monitor for the following indicators:
| Indicator | Event/Source | Recommended Action |
|---|---|---|
| Unusual WerFault.exe or WerMgr.exe spawn with odd command lines | Security Event ID 4688 | Alert and investigate |
| SYSTEM tokens missing SeTcbPrivilege but retaining other elevated privileges | Sysmon Event ID 10 | Investigate immediately |
| Unexpected WER-related arguments or child processes from low-privilege users | Process audit logs | Block and escalate |
| File system changes in WER directories | File integrity monitoring | Review and correlate |
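The indicators in the table can be turned into a first-pass triage script. The following is an added example written for this article, not code from the article itself or from the PoC author: it walks a batch of Windows Security Event ID 4688 (process creation) records and flags WerFault.exe / WerMgr.exe launches whose command line or parent process does not match a normal crash-report launch, ranking a SYSTEM-token launch with foreign arguments highest because that is what the SvcElevatedLaunch flaw produces. The event field names, the allow-lists of expected WerFault switches and parent processes, and the sample records are all assumptions or constructed data, not taken from the page.

```python
"""Added detection example for the WER indicator table (not from the article).

Assumptions, none of which come from the page:
  * events arrive as dicts carrying the 4688 fields SubjectUserName,
    SubjectDomainName, NewProcessName, CommandLine and ParentProcessName
    (e.g. exported through Windows Event Forwarding to JSON);
  * EXPECTED_SWITCHES / EXPECTED_PARENTS describe what a legitimate WER
    launch looks like on most hosts and must be tuned per fleet;
  * SAMPLE_EVENTS are constructed records, not real telemetry.
"""

WER_BINARIES = {"werfault.exe", "wermgr.exe"}

# Switches WerFault.exe normally receives from the WER service (assumption).
EXPECTED_SWITCHES = {"-u", "-p", "-s", "-ip", "-pss", "-k", "-lcq"}

# Processes that normally start WerFault/WerMgr: the WER service host and
# the WER binaries themselves (assumption).
EXPECTED_PARENTS = {"svchost.exe", "wermgr.exe", "werfault.exe"}

# Constructed sample 4688-style records (not real telemetry).
SAMPLE_EVENTS = [
    {   # benign: WER service host launching WerFault for a crashed process
        "SubjectUserName": "SYSTEM", "SubjectDomainName": "NT AUTHORITY",
        "NewProcessName": r"C:\Windows\System32\WerFault.exe",
        "CommandLine": "WerFault.exe -u -p 4120 -s 1256",
        "ParentProcessName": r"C:\Windows\System32\svchost.exe",
    },
    {   # suspicious: SYSTEM-token WerFault carrying an argument WER never passes
        "SubjectUserName": "SYSTEM", "SubjectDomainName": "NT AUTHORITY",
        "NewProcessName": r"C:\Windows\System32\WerFault.exe",
        "CommandLine": r"WerFault.exe C:\Users\Public\payload.exe",
        "ParentProcessName": r"C:\Windows\System32\svchost.exe",
    },
    {   # suspicious: WerFault started by an unexpected parent in a user session
        "SubjectUserName": "alice", "SubjectDomainName": "CORP",
        "NewProcessName": r"C:\Windows\System32\WerFault.exe",
        "CommandLine": "WerFault.exe -u -p 9988 -s 312",
        "ParentProcessName": r"C:\Users\alice\Desktop\tool.exe",
    },
    {   # unrelated process creation, ignored
        "SubjectUserName": "alice", "SubjectDomainName": "CORP",
        "NewProcessName": r"C:\Windows\System32\notepad.exe",
        "CommandLine": "notepad.exe notes.txt",
        "ParentProcessName": r"C:\Windows\explorer.exe",
    },
]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def odd_arguments(cmdline):
    """Tokens after the image name that are neither expected switches nor the
    numeric PIDs/handle values those switches take."""
    tokens = cmdline.split()
    return [t for t in tokens[1:]
            if t.lower() not in EXPECTED_SWITCHES and not t.isdigit()]


def runs_as_system(ev):
    """True when the 4688 subject is NT AUTHORITY\\SYSTEM."""
    return (ev["SubjectUserName"].upper() == "SYSTEM"
            and ev["SubjectDomainName"].upper() == "NT AUTHORITY")


def analyze_event(ev):
    """Return a finding dict for a suspicious WER launch, or None if benign."""
    image = basename(ev["NewProcessName"])
    if image not in WER_BINARIES:
        return None
    reasons = []
    odd = odd_arguments(ev["CommandLine"])
    if odd:
        reasons.append("unexpected arguments: " + " ".join(odd))
    parent = basename(ev["ParentProcessName"])
    if parent not in EXPECTED_PARENTS:
        reasons.append("unexpected parent process: " + parent)
    if not reasons:
        return None
    # A SYSTEM-token WER binary carrying foreign arguments is exactly what the
    # SvcElevatedLaunch flaw yields, so rank it highest.
    severity = "high" if (odd and runs_as_system(ev)) else "medium"
    return {"image": image, "severity": severity,
            "subject": ev["SubjectDomainName"] + "\\" + ev["SubjectUserName"],
            "reasons": reasons}


def scan(events):
    """Run analyze_event over a sequence of records; return (index, finding) pairs."""
    findings = []
    for i, ev in enumerate(events):
        finding = analyze_event(ev)
        if finding:
            findings.append((i, finding))
    return findings


if __name__ == "__main__":
    for idx, finding in scan(SAMPLE_EVENTS):
        print(f"[{finding['severity']}] event {idx}: {finding['image']} as "
              f"{finding['subject']}: " + "; ".join(finding["reasons"]))
```

Feed it the 4688 records you already collect (a SIEM export, or the output of a scheduled `Get-WinEvent` pull converted to dicts) and treat a `high` finding as the Event ID 4688 row of the table above: alert and investigate, then correlate with the Sysmon Event ID 10 token indicator.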
Organizations should apply the January 2026 security patches via Windows Update immediately. If immediate patching is not feasible, the WER service can be temporarily disabled as a workaround:
```
sc config WerSvc start= disabled
sc stop WerSvc
```
Additional hardening measures include restricting local logon rights to critical systems, implementing application whitelisting policies, monitoring privilege escalation patterns using Sysmon and enhanced process auditing, and validating SYSTEM token integrity across endpoints.
While no confirmed in-the-wild exploitation has been reported, the public availability of a functional PoC significantly increases the risk of active exploitation.
The post PoC Exploit Released for Microsoft Windows Error Reporting ALPC Privilege Escalation appeared first on Cyber Security News.