
‘RegPwn’ Windows Registry Vulnerability Enables Full System Access to Attackers

Source: Cybersecurity News. Archived Mar 18, 2026.



A high-severity Windows vulnerability dubbed “RegPwn” (CVE-2026-24291) is an elevation-of-privilege flaw that allows low-privileged users to gain full SYSTEM access. The MDSec red team discovered the vulnerability and successfully used it in internal engagements since January 2025, before it was addressed in a recent Microsoft Patch Tuesday update.

The attack targets the way Windows manages its built-in accessibility features, such as the On-Screen Keyboard and Narrator. Windows Accessibility features are designed to help users navigate the operating system, operating primarily in the user’s context but with high-integrity access.

When a user launches a tool like the On-Screen Keyboard, Windows creates a specific registry key to store its configuration. Importantly, this registry key grants full control to a low-privileged user.

[Figure: Registry Key Stores Accessibility Config (On-Screen Keyboard) (source: mdsec)]

During the login process, these configurations are copied into the local machine registry hive by a system process. Because the newly created local machine registry key remains writable by the logged-in user, it introduces a dangerous pathway for manipulation.

The vulnerability becomes apparent when user-controlled settings interact with the Windows Secure Desktop environment. The Secure Desktop is an isolated environment used for tasks like locking the workstation or prompting for administrator credentials.

[Figure: Winlogon Copies Config to HKLM with User Write Access (source: mdsec)]

By design, only trusted processes running with SYSTEM privileges are allowed to execute on the Secure Desktop. When a user triggers this secure state, the system launches processes that handle accessibility settings, operating as both the standard user and the SYSTEM account.

To exploit this behavior, an attacker can modify their user-level accessibility registry key and insert an opportunistic lock (oplock) on a specific system file. When the user locks their workstation, the system attempts to copy the modified accessibility configurations into the local machine registry. The oplock forces the system to pause briefly, giving the attacker a tight time window to act.

During this pause, the attacker swaps the local machine registry key with a symbolic link pointing to an arbitrary system registry key. Because the process copying the data is running as SYSTEM, the attacker successfully writes arbitrary values to highly restricted areas of the Windows registry. In MDSec’s proof-of-concept, they used this trick to overwrite the execution path of a system service, immediately granting them a SYSTEM-level command prompt.

Microsoft has successfully patched CVE-2026-24291 as part of its regular security updates. System administrators are strongly advised to apply the latest Windows updates to secure their environments against this local privilege escalation vector. For defensive researchers and security teams, MDSec has made its RegPwn exploit code publicly available on GitHub for study.
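The condition the article describes, an HKLM key whose access control list still lets the logged-in user write to it, can be checked from the key's security descriptor. The following Python code is an added example, not code from MDSec or the article: it parses a descriptor in SDDL form and lists allow ACEs that give write, create-link or permission-changing rights to a trustee other than SYSTEM, Administrators or TrustedInstaller. The trusted set is an assumption of this example, and the sample descriptors and user SID are constructed.

```python
import re

# Access-mask bits that let a trustee alter a key: KEY_SET_VALUE,
# KEY_CREATE_SUB_KEY, KEY_CREATE_LINK, DELETE, WRITE_DAC, WRITE_OWNER,
# GENERIC_ALL, GENERIC_WRITE.
WRITE_BITS = 0x2 | 0x4 | 0x20 | 0x10000 | 0x40000 | 0x80000 | 0x10000000 | 0x40000000
# SDDL rights abbreviations and the access masks they stand for.
SDDL_RIGHTS = {
    "KA": 0xF003F, "KR": 0x20019, "KW": 0x20006, "KX": 0x20019,
    "GA": 0x10000000, "GW": 0x40000000, "GR": 0x80000000, "GX": 0x20000000,
    "SD": 0x10000, "RC": 0x20000, "WD": 0x40000, "WO": 0x80000, "CC": 0x1,
    "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20, "DT": 0x40,
    "LO": 0x80, "CR": 0x100,
}
# Assumption of this example: only SYSTEM, Administrators and the
# TrustedInstaller service SID are expected to hold write access.
TRUSTED = {"SY", "BA", "S-1-5-18", "S-1-5-32-544",
           "S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464"}

def parse_mask(rights):
    """Turn an SDDL rights field (hex or two-letter codes) into a bitmask.
    An unknown code raises KeyError rather than being silently ignored."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for i in range(0, len(rights), 2):
        mask |= SDDL_RIGHTS[rights[i:i + 2]]
    return mask

def untrusted_writers(sddl):
    """Return (trustee, mask) for each allow ACE that gives write access to
    a trustee outside TRUSTED. Inherit-only ACEs are skipped because they do
    not apply to the key itself; deny ACEs are not evaluated."""
    dacl = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    findings = []
    for ace in re.findall(r"\(([^)]*)\)", dacl.group(1) if dacl else ""):
        ace_type, flags, rights, _obj, _inh, trustee = ace.split(";")[:6]
        inherit_only = "IO" in [flags[i:i + 2] for i in range(0, len(flags), 2)]
        if (ace_type == "A" and not inherit_only and trustee not in TRUSTED
                and parse_mask(rights) & WRITE_BITS):
            findings.append((trustee, parse_mask(rights)))
    return findings

# Constructed descriptors (not taken from a real system or from the article).
HARDENED = "O:BAG:SYD:PAI(A;CI;KA;;;SY)(A;CI;KA;;;BA)(A;CI;KR;;;BU)"
USER_WRITABLE = ("O:BAG:SYD:P(A;CI;KA;;;SY)(A;CI;KA;;;BA)"
                 "(A;CI;KA;;;S-1-5-21-1111111111-2222222222-3333333333-1001)")

if __name__ == "__main__":
    for name, sd in (("hardened", HARDENED), ("user-writable", USER_WRITABLE)):
        print(name, [(t, hex(m)) for t, m in untrusted_writers(sd)])
```

On a Windows host the SDDL string for a key can be read with `(Get-Acl 'HKLM:\<key path>').Sddl`; the article does not name the affected key, so the path is left as a placeholder.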