
Critical ‘RegPwn’ Vulnerability Lets Attackers Gain SYSTEM Access on Windows

Researchers from MDSec have disclosed a newly patched Windows elevation-of-privilege vulnerability dubbed “RegPwn,” which allowed attackers to escalate from a low-privileged user to full SYSTEM access.

The flaw, tracked as CVE-2026-24291, stems from how Windows manages registry configurations tied to its built-in Accessibility features.

Vulnerability Overview

Windows Accessibility tools such as Narrator and the On-Screen Keyboard are designed to run within the user’s session while maintaining high integrity permissions.

To support their operation, Windows stores configuration data in specific registry keys. However, researchers identified a flaw in how these registry values are handled when transitioning between user and SYSTEM contexts.

Figure: Process Execution Flaws (Source: MDSec)

During login, Windows grants users write access to certain accessibility-related registry keys within the Local Machine hive.

While this behavior is intended for usability, it introduces risk when combined with how the operating system later processes these configurations under elevated privileges.

The vulnerability is triggered when Windows switches to the Secure Desktop environment, an isolated mode used during sensitive operations such as workstation locks or User Account Control (UAC) prompts.

In this state, a process called atbroker.exe is launched twice: one instance under the user’s context and another under the SYSTEM account.

These processes copy accessibility configuration data from user-controlled registry locations into protected SYSTEM registry keys.

Because the source registry path is writable by the user, attackers can manipulate the data before it is copied.

By abusing registry symbolic links, an attacker can redirect the SYSTEM process to write controlled data into arbitrary registry locations.

For example, the attacker could overwrite the ImagePath of a critical service like the Windows Installer, enabling execution of malicious code with SYSTEM privileges.

Successful exploitation requires precise timing. The attack must occur within a narrow window during the registry copy operation.

MDSec researchers achieved this by placing opportunistic locks on XML files associated with accessibility features.

These locks delay legitimate system operations, giving attackers enough time to replace registry keys with symbolic links targeting sensitive locations.

This race-condition-style technique significantly increases the reliability of exploitation despite the short execution window.

RegPwn poses a serious security risk because it allows complete system compromise from a low-privileged foothold.

MDSec reported using the vulnerability in red team engagements as early as January 2025, demonstrating its practical impact in real-world scenarios.

Microsoft addressed CVE-2026-24291 in the March 2026 Patch Tuesday updates for Windows 10, Windows 11, and Windows Server.

However, the public release of proof-of-concept exploit code on GitHub raises the likelihood of active exploitation.

Organizations are strongly advised to apply the latest security updates immediately and monitor for suspicious registry modifications or abnormal SYSTEM-level process behavior as part of their detection strategy.
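The registry monitoring advised above, as an added example that is not from MDSec or the original article: it flags registry value writes made by atbroker.exe running as SYSTEM that land under a service key, which is where the redirected copy described earlier would surface. It assumes Sysmon Event ID 13 (registry value set) records exported as flat JSON lines; the sample events, host name and the placeholder accessibility key are constructed.

```python
import json
import re

# Constructed sample: Sysmon Event ID 13 records flattened to JSON lines.
# Host, times, paths and the PLACEHOLDER key are invented for illustration.
SAMPLE_EVENTS = r'''
{"EventID":13,"UtcTime":"2026-03-12 09:14:02.118","Computer":"WS-EXAMPLE-01","User":"NT AUTHORITY\\SYSTEM","Image":"C:\\Windows\\System32\\services.exe","TargetObject":"HKLM\\System\\CurrentControlSet\\Services\\ExampleSvc\\ImagePath","Details":"C:\\Program Files\\Example\\svc.exe"}
{"EventID":13,"UtcTime":"2026-03-12 09:20:41.503","Computer":"WS-EXAMPLE-01","User":"NT AUTHORITY\\SYSTEM","Image":"C:\\Windows\\System32\\atbroker.exe","TargetObject":"HKLM\\SOFTWARE\\PLACEHOLDER-ACCESSIBILITY-KEY\\Setting","Details":"DWORD (0x00000001)"}
{"EventID":13,"UtcTime":"2026-03-12 09:20:41.611","Computer":"WS-EXAMPLE-01","User":"NT AUTHORITY\\SYSTEM","Image":"C:\\Windows\\System32\\atbroker.exe","TargetObject":"HKLM\\System\\CurrentControlSet\\Services\\msiserver\\ImagePath","Details":"C:\\Users\\Public\\example.exe"}
{"EventID":13,"UtcTime":"2026-03-12 09:20:41.640","Computer":"WS-EXAMPLE-01","User":"NT AUTHORITY\\SYSTEM","Image":"C:\\Windows\\System32\\atbroker.exe","TargetObject":"HKLM\\System\\CurrentControlSet\\Services\\ExampleSvc\\Description","Details":"example"}
'''

# Service configuration keys as Sysmon renders them in TargetObject.
SERVICES_KEY = re.compile(
    r"^HKLM\\System\\(?:CurrentControlSet|ControlSet\d{3})\\Services\\([^\\]+)\\(.+)$",
    re.IGNORECASE,
)

def find_suspicious_writes(json_lines):
    """Return findings for SYSTEM atbroker.exe writes that land in a service key."""
    findings = []
    for line in json_lines.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("EventID") != 13:
            continue
        image = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
        is_system = ev.get("User", "").upper() == "NT AUTHORITY\\SYSTEM"
        match = SERVICES_KEY.match(ev.get("TargetObject", ""))
        if image != "atbroker.exe" or not is_system or not match:
            continue
        service, value = match.group(1), match.group(2)
        findings.append({
            "time": ev.get("UtcTime"),
            "host": ev.get("Computer"),
            "service": service,
            "value": value,
            "new_data": ev.get("Details"),
            # An ImagePath change controls what the service executes.
            "severity": "high" if value.lower() == "imagepath" else "medium",
        })
    return findings

if __name__ == "__main__":
    for finding in find_suspicious_writes(SAMPLE_EVENTS):
        print(finding)
```

The rule only sees events if the Sysmon configuration includes registry value-set logging for the Services keys.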


The post Critical ‘RegPwn’ Vulnerability Lets Attackers Gain SYSTEM Access on Windows appeared first on Cyber Security News.

rssfeeds-admin
