Wednesday, April 22, 2026

Micropatches released for Windows Telephony Service Elevation of Privilege Vulnerability (CVE-2026-20931)


January 2026 Windows Updates brought a patch for CVE-2026-20931, a privilege escalation in Windows Telephony Service that allowed a remote low-privileged attacker to promote themselves to a service administrator, and then have the service execute their malicious code remotely. 

The vulnerability was found and reported to Microsoft by Sergey Bliznyuk with Positive Technologies, who also published a detailed technical article that allowed us to reproduce the issue and create patches for legacy Windows users.

 

The Vulnerability 

In short, the vulnerability is caused by a missing security check to ensure that the path the user wants to write to is actually a mailslot path, and not a path on the file system. As a result, a local unprivileged user (or a remote one, if so configured) can overwrite any file writable by Network Service with arbitrary content. An obvious candidate for this is Telephony Service's own tsec.ini file, which - among other things - defines service administrators.

By overwriting this file, the attacker can turn themselves into Telephony Service administrator, and then have the service execute their malicious DLL using the newly-acquired power. 

 

Microsoft's Patch

Microsoft patched this issue by adding a check to ensure the user-requested path actually represents a mailslot.

 

Our Patch

Our patch is logically identical to Microsoft's.
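The kind of allowlist check both patches add, as an added illustration constructed for this post (not Microsoft's or 0patch's code): only paths inside the mailslot namespace (\\<server>\mailslot\<name>) pass, while drive paths, UNC file shares, device and verbatim prefixes, and traversal segments are rejected. The path grammar and sample inputs are assumptions for the demonstration.

```python
# Added example: an allowlist check for mailslot paths, constructed for this post.
# Not Microsoft's or 0patch's code; it illustrates the check CVE-2026-20931 lacked.
import re

# \\<server>\mailslot\<name>  where <server> is ".", "*", a host or a domain name
_MAILSLOT = re.compile(r"^\\\\([^\\]+)\\mailslot\\(.+)$", re.IGNORECASE)


def is_mailslot_path(path: str) -> bool:
    """Return True only for paths inside the mailslot namespace.

    Anything else (drive paths, UNC file shares, device or verbatim prefixes,
    traversal segments) is rejected, so a caller that only writes to paths
    accepted here cannot be steered onto a file such as tsec.ini.
    """
    if not path or "\0" in path:
        return False
    # Many Windows APIs accept '/' as a separator; normalize before matching
    # so "//./mailslot/x" and "\\.\mailslot\x" are judged the same way.
    norm = path.replace("/", "\\")
    m = _MAILSLOT.match(norm)
    if not m:
        return False
    server, name = m.groups()
    if server in ("?", ".."):   # \\?\ verbatim prefix or a traversal "server"
        return False
    # Name components must be plain: no empty, "." or ".." segments, no ':'
    return all(p not in ("", ".", "..") and ":" not in p for p in name.split("\\"))


def classify(paths):
    """Map each candidate path to its verdict (used by the demo below)."""
    return {p: is_mailslot_path(p) for p in paths}


if __name__ == "__main__":
    # Constructed sample inputs, including the file-system targets the
    # vulnerable service would have accepted.
    samples = [
        r"\\.\mailslot\tapi\notify",
        r"\\*\mailslot\broadcast",
        r"\\.\mailslot\..\..\Windows\tsec.ini",
        r"C:\Windows\tsec.ini",
        r"\\.\C:\Windows\tsec.ini",
    ]
    for p, ok in classify(samples).items():
        print(f"{'mailslot' if ok else 'REJECTED'} {p}")
```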

Let's see our patch in action. First, with 0patch disabled, a low-privileged user runs the attack tool that instructs the Telephony Service to overwrite tsec.ini with some content (we used "test" for demonstration purposes). The attack succeeds.

With 0patch enabled, however, the file can no longer be overwritten.



Micropatch Availability

Micropatches were written for the following security-adopted Windows versions:

  1. Windows Server 2008 R2 - fully updated with no ESU, ESU 1, ESU 2, ESU 3 or ESU 4
  2. Windows Server 2012 - fully updated with no ESU or ESU 1
  3. Windows Server 2012 R2 - fully updated with no ESU or ESU 1 


Even though the Telephony Service exists on Windows 11, Windows 10 and Windows 7, we were unable to exploit this vulnerability there.

Micropatches have already been distributed to, and applied on, all affected online computers with 0patch Agent in PRO or Enterprise accounts (unless Enterprise group settings prevented that).

Vulnerabilities like these get discovered on a regular basis, and attackers know about them all. If you're using Windows versions that aren't receiving official security updates anymore, 0patch will make sure these vulnerabilities won't be exploited on your computers - and you won't even have to know or care about these things.

We'd like to thank Sergey Bliznyuk with Positive Technologies for sharing their detailed article, which allowed us to create patches for Windows versions that are no longer receiving official updates from Microsoft.

If you're new to 0patch, create a free account in 0patch Central, start a free trial, then install and register 0patch Agent. Everything else will happen automatically. No computer reboot will be needed.

Did you know 0patch security-adopted Windows 10 and Office 2016 and 2019 when they went out of support this month, allowing you to keep using them for at least 3 more years (5 years for Windows 10)? Read more about it here and here.

To learn more about 0patch, please visit our Help Center.

 

Friday, April 17, 2026

Micropatches released for Windows Error Reporting Service Elevation of Privilege Vulnerability (CVE-2026-20817)

 
January 2026 Windows Updates brought a patch for CVE-2026-20817, a local privilege elevation vulnerability in Windows Error Reporting Service, allowing a local non-admin attacker to execute arbitrary code as Local System user.

The vulnerability was found and reported to Microsoft by Denis Faiustov and Ruslan Sayfiev with GMO Cybersecurity by Ierae. Subsequently, security researcher Clément Labro reverse-engineered Microsoft's patch and posted their analysis, accompanied with a proof-of-concept. These allowed us to reproduce the issue and create patches for users of Windows systems that are no longer receiving official Microsoft patches.

 

The Vulnerability 

The vulnerability is in what seems to be an unneeded SvcElevatedLaunch function that allows any local user to have Windows Error Reporting Service launch WerFault.exe with arbitrary arguments as Local System.

 

Microsoft's Patch

Microsoft patched this issue by removing the SvcElevatedLaunch function.

 

Our Patch

Our patch is identical to Microsoft's.

 

Micropatch Availability

Micropatches were written for the following security-adopted Windows versions:

  1. Windows 11 v22H2 - fully updated
  2. Windows 11 v21H2 - fully updated
  3. Windows 10 v22H2 - fully updated
  4. Windows 10 v21H1 - fully updated
  5. Windows 10 v20H2 - fully updated
  6. Windows 10 v2004 - fully updated
  7. Windows 10 v1909 - fully updated
  8. Windows 10 v1809 - fully updated
  9. Windows 10 v1803 - fully updated
  10. Windows 7 - fully updated with no ESU, ESU 1, ESU 2 or ESU 3
  11. Windows Server 2008 R2 - fully updated with no ESU, ESU 1, ESU 2, ESU 3 or ESU 4
  12. Windows Server 2012 - fully updated with no ESU or ESU 1
  13. Windows Server 2012 R2 - fully updated with no ESU or ESU 1 


Micropatches have already been distributed to, and applied on, all affected online computers with 0patch Agent in PRO or Enterprise accounts (unless Enterprise group settings prevented that).

Vulnerabilities like these get discovered on a regular basis, and attackers know about them all. If you're using Windows versions that aren't receiving official security updates anymore, 0patch will make sure these vulnerabilities won't be exploited on your computers - and you won't even have to know or care about these things.

We'd like to thank Denis Faiustov and Ruslan Sayfiev with GMO Cybersecurity by Ierae for finding this vulnerability, and Clément Labro for publishing their analysis and proof-of-concept, which allowed us to create a patch for legacy Windows users.

If you're new to 0patch, create a free account in 0patch Central, start a free trial, then install and register 0patch Agent. Everything else will happen automatically. No computer reboot will be needed.

Did you know 0patch security-adopted Windows 10 and Office 2016 and 2019 when they went out of support this month, allowing you to keep using them for at least 3 more years (5 years for Windows 10)? Read more about it here and here.

To learn more about 0patch, please visit our Help Center.

 

Tuesday, April 14, 2026

Micropatches released for Windows Shell Security Feature Bypass Vulnerability (CVE-2026-21510)



February 2026 Windows Updates brought a patch for CVE-2026-21510, a security feature bypass in Windows Explorer that allowed a Windows shortcut to launch a remotely hosted DLL without any warning to the user, even if the mark-of-the-web was present.

The vulnerability was found to be exploited in the wild, and a sample was uploaded to malware repositories, which allowed us to reproduce the issue and create patches for legacy Windows users.

 

The Vulnerability 

Normally, when a user double-clicks a Windows shortcut (LNK) file with the mark-of-the-web or located on an untrusted share, Windows Explorer pops up a security warning about the shortcut's untrusted source.

The vulnerability at hand allowed a malicious LNK file, either one copied to the user's computer (thus having the mark-of-the-web) or one located on an untrusted remote share, to bypass this security warning and immediately load and execute a remotely-hosted attacker's DLL.

The flaw was specifically in the way the "All Control Panel Items" GUID was processed. This GUID is normally used for launching Control Panel items, which - in the background - employs shortcut files.

 

Microsoft's Patch

Microsoft patched this issue by adding a whole new data structure to the windows.storage.dll code, which specifically handles "Control Panel" shortcut files and defines a custom callback that checks both the shortcut file and its target for mark-of-the-web. Before the patch, only the target (C:\Windows\System32\rundll32.dll) was checked for mark-of-the-web.

 

Our Patch

We took a slightly simpler approach. Our patch injects into the CShellLink::_InvokeDirect function and checks a local variable that contains the path to the shortcut file. First, we check if it ends with ".lnk", and if it does, we perform a MapUrlToZone call on it. This both detects if the file path is an untrusted network location, and if the file contains the mark-of-the-web. If either is true, our patch pops up a warning telling the user that the file came from an untrusted location and that it may be malicious.

Our use of MapUrlToZone allows the user to add a shared folder address to trusted sites under Internet Options, and disable this warning on any shares they trust. 

If you see the 0patch security warning upon opening a document or launching an application from a network drive after having this patch applied and you'd like to remove it, please add the network location to Trusted sites:

  1. Open Control Panel and select Internet Options.
  2. Navigate to the Security tab, select Trusted sites, and click Sites.
  3. Uncheck "Require server verification (https:)".
  4. Enter server name (e.g., \\servername) in the field and click Add.
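The decision our patch makes, as an added example constructed for this post (not 0patch's or Microsoft's code): the ".lnk" test, a mark-of-the-web (Zone.Identifier ZoneId) parser, and a simplified stand-in for MapUrlToZone. The stand-in's rules are assumptions that mirror the defaults described above: dotless UNC host names count as Local intranet, IP addresses and dotted names as Internet, unless the host was added to Trusted sites.

```python
# Added example (constructed for this post, not 0patch's or Microsoft's code):
# the untrusted-source test applied to a shortcut path, with a simplified
# stand-in for MapUrlToZone (assumption: dotless UNC hosts are Local intranet,
# IP addresses and dotted names are Internet unless listed as Trusted sites).
import ipaddress
import re
from typing import Optional

# URL security zone numbers, also used by the Zone.Identifier stream (ZoneId=3
# is the mark-of-the-web that browsers write on downloaded files).
LOCAL_MACHINE, INTRANET, TRUSTED, INTERNET, RESTRICTED = range(5)
_ZONEID = re.compile(r"^ZoneId\s*=\s*(\d)\s*$", re.IGNORECASE | re.MULTILINE)


def zone_from_motw(zone_identifier: Optional[str]) -> Optional[int]:
    """Parse ZoneId from the text of a file's Zone.Identifier stream, if any."""
    if not zone_identifier:
        return None
    m = _ZONEID.search(zone_identifier)
    return int(m.group(1)) if m else None


def zone_from_location(path: str, trusted_sites=()) -> int:
    """Simplified MapUrlToZone stand-in for file paths (see lead-in)."""
    if not path.startswith("\\\\"):
        return LOCAL_MACHINE
    host = path[2:].split("\\", 1)[0].lower()
    # Trusted sites are entered as "\\servername" (or just the host name)
    if host in {s.lower().lstrip("\\") for s in trusted_sites}:
        return TRUSTED
    try:
        ipaddress.ip_address(host)
        return INTERNET          # share addressed by IP: untrusted by default
    except ValueError:
        pass
    return INTRANET if "." not in host else INTERNET


def shortcut_needs_warning(path: str, zone_identifier: Optional[str] = None,
                           trusted_sites=()) -> bool:
    """The patch's decision: warn for .lnk files from an untrusted zone."""
    if not path.lower().endswith(".lnk"):
        return False
    zone = zone_from_location(path, trusted_sites)
    motw = zone_from_motw(zone_identifier)
    if motw is not None:
        zone = max(zone, motw)   # a mark-of-the-web never makes a file more trusted
    return zone >= INTERNET
```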

 

Let's see our patch in action. First, with 0patch disabled, the user double-clicks on a shortcut file hosted on a remote untrusted share (shares identified by IP address instead of a "dotless" host name are untrusted by default). This results in an immediate execution of a remote DLL under the attacker's control, which for the purpose of our demonstration launches the Calculator.

Then, the same is done with 0patch enabled. In this case, double-clicking on the remote shortcut results in a security warning, where the user can decide whether to let the shortcut execute or not.



Micropatch Availability

Micropatches were written for the following security-adopted Windows versions:

  1. Windows 11 v22H2 - fully updated
  2. Windows 11 v21H2 - fully updated
  3. Windows 10 v22H2 - fully updated
  4. Windows 10 v21H1 - fully updated
  5. Windows 10 v20H2 - fully updated
  6. Windows 10 v2004 - fully updated
  7. Windows 10 v1909 - fully updated
  8. Windows 10 v1809 - fully updated
  9. Windows 10 v1803 - fully updated
  10. Windows 7 - fully updated with no ESU, ESU 1, ESU 2 or ESU 3
  11. Windows Server 2008 R2 - fully updated with no ESU, ESU 1, ESU 2, ESU 3 or ESU 4
  12. Windows Server 2012 - fully updated with no ESU or ESU 1
  13. Windows Server 2012 R2 - fully updated with no ESU or ESU 1 


Micropatches have already been distributed to, and applied on, all affected online computers with 0patch Agent in PRO or Enterprise accounts (unless Enterprise group settings prevented that).

Vulnerabilities like these get discovered on a regular basis, and attackers know about them all. If you're using Windows versions that aren't receiving official security updates anymore, 0patch will make sure these vulnerabilities won't be exploited on your computers - and you won't even have to know or care about these things.

If you're new to 0patch, create a free account in 0patch Central, start a free trial, then install and register 0patch Agent. Everything else will happen automatically. No computer reboot will be needed.

Did you know 0patch security-adopted Windows 10 and Office 2016 and 2019 when they went out of support this month, allowing you to keep using them for at least 3 more years (5 years for Windows 10)? Read more about it here and here.

To learn more about 0patch, please visit our Help Center.