Researchers Reveal ‘RegPwn,’ a Windows Registry Vulnerability That Granted SYSTEM Privileges

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer


A high-severity Windows vulnerability dubbed “RegPwn” (CVE-2026-24291) is an elevation-of-privilege flaw that allows low-privileged users to gain full SYSTEM access.

The MDSec red team discovered the vulnerability and successfully used it in internal engagements since January 2025, before it was addressed in a recent Microsoft Patch Tuesday update.

The attack targets the way Windows manages its built-in accessibility features, such as the On-Screen Keyboard and Narrator.

Windows Accessibility features are designed to help users navigate the operating system, operating primarily in the user’s context but with high-integrity access.

When a user launches a tool like the On-Screen Keyboard, Windows creates a specific registry key to store its configuration. Importantly, this registry key grants full control to a low-privileged user.

Registry Key Stores Accessibility Config (On-Screen Keyboard) (source: mdsec)

During the login process, these configurations are copied into the local machine registry hive by a system process.

Because the newly created local machine registry key remains writable by the logged-in user, it introduces a dangerous pathway for manipulation.

The vulnerability becomes apparent when user-controlled settings interact with the Windows Secure Desktop environment.

The Secure Desktop is an isolated environment used for tasks like locking the workstation or prompting for administrator credentials.

Winlogon Copies Config to HKLM with User Write Access (source: mdsec)

By design, only trusted processes running with SYSTEM privileges are allowed to execute on the Secure Desktop.

When a user triggers this secure state, the system launches the processes that handle accessibility settings, some running as the standard user and others as the SYSTEM account.

To exploit this behavior, an attacker can modify their user-level accessibility registry key and insert an opportunistic lock (oplock) on a specific system file.

When the user locks their workstation, the system attempts to copy the modified accessibility configurations into the local machine registry.

The oplock forces the system to pause briefly, giving the attacker a tight time window to act.

During this pause, the attacker replaces the local machine registry key with a registry symbolic link that points to an arbitrary system registry key.

Because the process copying the data is running as SYSTEM, the attacker successfully writes arbitrary values to highly restricted areas of the Windows registry.

MDSec’s proof-of-concept used this primitive to overwrite the executable path of a system service, which immediately yielded a SYSTEM-level command prompt.

Microsoft has patched CVE-2026-24291 as part of its regular security updates.

System administrators are strongly advised to apply the latest Windows updates to secure their environments against this local privilege escalation vector.
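As an added defensive check (not code from MDSec, Microsoft or the article), the PowerShell below walks a registry key and its subkeys and reports every ACE that grants write-capable rights to a principal other than SYSTEM, Administrators or TrustedInstaller, the user-writable-HKLM-key condition the article identifies as the root cause. The key path is a labelled placeholder because the article does not name the affected key, and the trusted-principal list is an assumption of this example.

```powershell
# Added example, not MDSec's or Microsoft's code: report ACEs on an HKLM key that
# let non-privileged principals modify it. A user-writable HKLM key that a SYSTEM
# process later writes to is the precondition RegPwn abused.
# The key path is a placeholder: the article does not name the affected key.
$TargetKey = 'HKLM:\SOFTWARE\<PLACEHOLDER-accessibility-key-from-advisory>'

function Get-UserWritableRegistryAce {
    param(
        [Parameter(Mandatory)][string]$Path,
        [switch]$Recurse
    )
    $R = [System.Security.AccessControl.RegistryRights]
    # Rights that allow changing the key's contents, links, or its own DACL/owner
    $writeRights = $R::SetValue -bor $R::CreateSubKey -bor $R::CreateLink -bor
                   $R::Delete -bor $R::ChangePermissions -bor $R::TakeOwnership
    # Principals assumed to legitimately hold write access on HKLM keys;
    # any other principal with write rights is reported
    $trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller')

    $keys = @(Get-Item -Path $Path)
    if ($Recurse) {
        $keys += Get-ChildItem -Path $Path -Recurse -ErrorAction SilentlyContinue
    }
    foreach ($key in $keys) {
        $acl = Get-Acl -Path $key.PSPath -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            # Skip ACEs that carry none of the write-capable rights
            if (([int]$ace.RegistryRights -band [int]$writeRights) -eq 0) { continue }
            $who = $ace.IdentityReference.Value
            if ($trusted -contains $who) { continue }
            [pscustomobject]@{
                Key       = $key.Name
                Principal = $who
                Rights    = $ace.RegistryRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Run as an administrator so every subkey's ACL can be read
Get-UserWritableRegistryAce -Path $TargetKey -Recurse | Format-Table -AutoSize
```

An empty result after patching means no non-privileged principal can modify the audited key; any row is a key worth reviewing, since a SYSTEM process that later writes there inherits the same risk the article describes.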

For defensive researchers and security teams, MDSec has made its RegPwn exploit code publicly available on GitHub for study.
