{"id":11425,"date":"2026-03-18T10:03:37","date_gmt":"2026-03-18T10:03:37","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/03\/18\/regpwn-windows-registry-vulnerability-enables-full-system-access-to-attackers\/"},"modified":"2026-03-18T10:03:37","modified_gmt":"2026-03-18T10:03:37","slug":"regpwn-windows-registry-vulnerability-enables-full-system-access-to-attackers","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/03\/18\/regpwn-windows-registry-vulnerability-enables-full-system-access-to-attackers\/","title":{"rendered":"\u2018RegPwn\u2019 Windows Registry Vulnerability Enables Full System Access to Attackers"},"content":{"rendered":"<p>    \u2018RegPwn\u2019 Windows Registry Vulnerability Enables Full System Access to Attackers<br \/>\n \t<BR><br \/>\n<BR><\/BR><br \/>\n    <!-- no image --><br \/>\n \t<BR><br \/>\n<BR><\/BR><\/p>\n<div>\n<p>A high-severity Windows vulnerability dubbed \u201cRegPwn\u201d <a href=\"https:\/\/cybersecuritynews.com\/microsoft-patch-tuesday-march-2026\/\" target=\"_blank\" rel=\"noreferrer noopener\">(CVE-2026-24291) is an elevation-of-privilege flaw<\/a> that allows low-privileged users to gain full SYSTEM access.<\/p>\n<p>The MDSec red team discovered the vulnerability and successfully used it in internal engagements since January 2025, before it was addressed in a recent Microsoft Patch Tuesday update.<\/p>\n<p>The attack targets the way Windows manages its built-in accessibility features, such as the On-Screen Keyboard and Narrator.<\/p>\n<p>Windows Accessibility features are designed to help users navigate the operating system, operating primarily in the user\u2019s context but with high-integrity access.<\/p>\n<p>When a user launches a tool like the On-Screen Keyboard, <a href=\"https:\/\/cybersecuritynews.com\/pulsar-rat-attacking-windows-systems\/\" target=\"_blank\" rel=\"noreferrer noopener\">Windows creates a specific registry key to store its configuration<\/a>. Importantly, this registry key grants full control to a low-privileged user.<\/p>\n<figure class=\"wp-block-image size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEirA67MXD10oXFRkeWrb8xG7UagHAsrnN2rcX0-1qZhyphenhyphenXZuwwnkrcyrKBWRXIQuVqg8VCnTpSolPDMIvZkwpIPB1QYxoqDCGubMtwjOEKtELxGGooC2KxiaiOGAisuV5VYtU_hfRRnxz0Yy6JvlNErusUlV8yFS8XdhVmcBRXeG2nUXBnrEqZociwXCmy4\/s1600\/Screenshot%25202026-03-18%2520121359%2520%25281%2529.webp?ssl=1\" alt=\"Registry Key Stores Accessibility Config (On-Screen Keyboard)(source : mdsec)\"><figcaption class=\"wp-element-caption\">Registry Key Stores Accessibility Config (On-Screen Keyboard) (source: mdsec)<\/figcaption><\/figure>\n<p>During the login process, these configurations are copied into the local machine registry hive by a system process.<\/p>\n<p>Because the newly created local machine registry key remains writable by the logged-in user, it introduces a dangerous pathway for manipulation.<\/p>\n<p>The vulnerability becomes apparent when user-controlled settings interact with the <a href=\"https:\/\/cybersecuritynews.com\/poc-windows-alpc-privilege-escalation\/\" target=\"_blank\" rel=\"noreferrer noopener\">Windows Secure Desktop environment<\/a>.<\/p>\n<p>The Secure Desktop is an isolated environment used for tasks like locking the workstation or prompting for administrator credentials.<\/p>\n<figure class=\"wp-block-image size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEi4r1EJWYIrlvpY00yzsnj7z7DTFUl850cek2GxbawMheatBxx0yllNUIzxAvj5vtgfPRz5L20MQv7zFZ_uvCRFgbIhHWIgd452knGjbF1szLoQyTceNzSAgdxks4HbAeduLPkdIbSuLjaNZir_-XF4PGsQuxV3X3BzeHdEWfpoYUthZ_gHOjrfHLEiaTA\/s1600\/Screenshot%25202026-03-18%2520121737%2520%25281%2529.webp?ssl=1\" alt=\"Winlogon Copies Config to HKLM with User Write Access(source : mdsec)\"><figcaption class=\"wp-element-caption\">Winlogon Copies Config to HKLM with User Write Access (source: mdsec)<\/figcaption><\/figure>\n<p>By design, only trusted <a href=\"https:\/\/cybersecuritynews.com\/windows-hyper-v-nt-kernel-vulnerability\/\" target=\"_blank\" rel=\"noreferrer noopener\">processes running with SYSTEM privileges<\/a> are allowed to execute on the Secure Desktop.<\/p>\n<p>When a user triggers this secure state, the system launches processes that handle accessibility settings, operating as both the standard user and the SYSTEM account.<\/p>\n<p>To exploit this behavior, an attacker can modify their user-level accessibility registry key and insert an opportunistic lock (oplock) on a specific system file.<\/p>\n<p>When the user locks their workstation, the system attempts to copy the modified accessibility configurations into the local machine registry.<\/p>\n<p>The oplock forces the system to pause briefly, giving the attacker a tight time window to act.<\/p>\n<figure class=\"wp-block-embed aligncenter is-type-video is-provider-vimeo wp-block-embed-vimeo\">\n<div class=\"wp-block-embed__wrapper\">\n<iframe loading=\"lazy\" title=\"Exploit for CVE-2026-24291\" src=\"https:\/\/player.vimeo.com\/video\/1173319606?dnt=1&amp;app_id=122963\" width=\"696\" height=\"416\" frameborder=\"0\" allow=\"autoplay; fullscreen; picture-in-picture; clipboard-write; encrypted-media; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\"><\/iframe>\n<\/div>\n<\/figure>\n<p>During this pause, the attacker swaps the local machine registry key with a symbolic link pointing to an arbitrary system registry key.<\/p>\n<p>Because the process copying the data is running as SYSTEM, the attacker successfully writes arbitrary values to highly restricted areas of the Windows registry.<\/p>\n<p><a href=\"https:\/\/www.mdsec.co.uk\/2026\/03\/rip-regpwn\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">In MDSec\u2019s proof-of-concept<\/a>, they used this trick to overwrite the execution path of a system service, immediately granting them a SYSTEM-level command prompt.<\/p>\n<p>Microsoft has successfully patched CVE-2026-24291 as part of its regular security updates.<\/p>\n<p>System administrators are strongly advised to apply the latest Windows updates to secure their environments against this local privilege escalation vector.<\/p>\n<p>For defensive researchers and security teams, MDSec has made its RegPwn exploit code publicly available on GitHub for study.<\/p>\n<p class=\"has-text-align-center has-background\" style=\"background:linear-gradient(180deg,rgb(238,238,238) 94%,rgb(169,184,195) 100%)\"><strong>Follow us on <a href=\"https:\/\/news.google.com\/publications\/CAAqMggKIixDQklTR3dnTWFoY0tGV041WW1WeWMyVmpkWEpwZEhsdVpYZHpMbU52YlNnQVAB?hl=en-IN&amp;gl=IN&amp;ceid=IN:en\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Google News<\/a>, <a href=\"https:\/\/www.linkedin.com\/company\/cybersecurity-news\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">LinkedIn<\/a>, and <a href=\"https:\/\/x.com\/cyber_press_org\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">X<\/a> for daily cybersecurity updates. <a href=\"https:\/\/cybersecuritynews.com\/contact-us\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Contact us<\/a> to feature your stories.<\/strong><\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/regpwn-windows-registry-vulnerability\/\">\u2018RegPwn\u2019 Windows Registry Vulnerability Enables Full System Access to Attackers<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p> \t<BR><br \/>\n <BR><\/BR><br \/>\n    Abinaya<br \/>\n \t<BR><br \/>\n<BR><\/BR><br \/>\n<a href=\"https:\/\/cybersecuritynews.com\/regpwn-windows-registry-vulnerability\/\">Go to cyber-security-news<\/a><br \/>\n \t<BR><br \/>\n <BR><\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"<p>\u2018RegPwn\u2019 Windows Registry Vulnerability Enables Full System Access to Attackers A high-severity Windows vulnerability dubbed \u201cRegPwn\u201d (CVE-2026-24291) is an elevation-of-privilege flaw that allows low-privileged users to gain full SYSTEM access. The MDSec red team discovered the vulnerability and successfully used it in internal engagements since January 2025, before it was addressed in a recent Microsoft [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,648,395],"tags":[130],"class_list":["post-11425","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-vulnerability-news","category-windows","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/11425"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=11425"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/11425\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=11425"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=11425"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=11425"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}